Subject: Forward: GNU fileutils - recursive directory removal race condition
To: None <tech-security@netbsd.org>
From: Takahiro Kambe <taca@sky.yamashina.kyoto.jp>
List: tech-security
Date: 03/12/2002 07:13:47

Hi.

Is this problem applicable to our rm(1)?

--
Takahiro Kambe <taca@sky.yamashina.kyoto.jp>


Date: Mon, 11 Mar 2002 00:21:23 +0100 (CET)
From: Wojciech Purczynski <cliph@isec.pl>
Reply-To: security@isec.pl
To: bugtraq@securityfocus.com
Cc: security@isec.pl
Subject: GNU fileutils - recursive directory removal race condition
Message-ID: <Pine.LNX.4.44.0203110015420.5212-100000@isec.pl>


Name:		fileutils
Version:	4.1 stable and 4.1.6 development version
Homepage:	http://www.gnu.org/software/fileutils/fileutils.html
Author:		Wojciech Purczynski <cliph@isec.pl>
Date:		March 10, 2002


Issue:
======

A race condition in various utilities from the GNU fileutils package may
cause the root user to delete the whole filesystem.


Description:
============

The GNU File Utilities are the basic file-manipulation utilities of the
GNU operating system.


Details:
========

An insecure chdir("..") syscall is done after removing the content of a
subdirectory in order to get back to the upper directory during recursive
removal of a directory tree.

Example of 'rm -fr /tmp/a' removing '/tmp/a/b/c' directory tree:

(strace output simplified for better readability)

chdir("/tmp/a")                         = 0
chdir("b")                              = 0
chdir("c")                              = 0
chdir("..")                             = 0
rmdir("c")                              = 0
chdir("..")                             = 0
rmdir("b")                              = 0
fchdir(3)                               = 0
rmdir("/tmp/a")                         = 0

After the current directory is changed to /tmp/a/b/c a race condition
occurs. If we then move the /tmp/a/b/c directory to /tmp/c, two subsequent
chdir("..") syscalls will move to the root directory / and rm will start
removing files from the whole file system if it has enough privileges
(i.e. if called by the root user).

The timeframe of this race condition depends on how complicated the
directory structure is.

The same issue also affects the mv utility when the source and destination
directories lie on different filesystems and they are removed after
creating a copy on the destination.


Impact:
=======

Unprivileged users may launch a daemon program that will detect the
removal operation of the user's directories and exploit the race
condition, leading to Denial of Service.


Fix:
====

On March 7, 2002 we contacted the developers of the GNU fileutils
package. On March 9, 2002 a patch fixing this vulnerability was
released for the latest 4.1.6 development version:

http://mail.gnu.org/pipermail/bug-fileutils/2002-March/002440.html


-- 
Wojciech Purczynski
iSEC Security Research
http://isec.pl/
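Added example, not part of the advisory or of the fileutils patch: one way a recursive remover can detect the move described under "Details" is to record the parent's device and inode before descending and compare them after chdir(".."). The names enter_subdir, leave_subdir and demo are hypothetical, and demo builds a constructed a/b/c tree in a scratch directory under /tmp (assumed writable).

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

struct dir_id { dev_t dev; ino_t ino; };   /* unchanged by rename() */

/* Record the identity of the current directory, then descend into `name`.
 * O_NOFOLLOW refuses a symlink swapped in for the subdirectory. */
int enter_subdir(const char *name, struct dir_id *parent)
{
    struct stat st;
    if (stat(".", &st) != 0) return -1;
    parent->dev = st.st_dev;
    parent->ino = st.st_ino;
    int fd = open(name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0) return -1;
    int rc = fchdir(fd);
    close(fd);
    return rc;
}

/* Go back up. 0: ".." is the directory we came from; 1: the tree was moved
 * under us, so the caller must stop removing; -1: syscall error. */
int leave_subdir(const struct dir_id *parent)
{
    struct stat st;
    if (chdir("..") != 0 || stat(".", &st) != 0) return -1;
    return (st.st_dev == parent->dev && st.st_ino == parent->ino) ? 0 : 1;
}

/* Constructed scenario from the advisory: a/b/c, with c optionally moved to
 * the top of the scratch directory while it is the working directory. */
int demo(int move_c)
{
    char top[] = "/tmp/rmrace.XXXXXX", from[PATH_MAX], to[PATH_MAX];
    struct dir_id a, b;
    if (!mkdtemp(top) || chdir(top) != 0) return -1;
    if (mkdir("a", 0700) || mkdir("a/b", 0700) || mkdir("a/b/c", 0700)) return -1;
    if (chdir("a") != 0 || enter_subdir("b", &a) != 0 || enter_subdir("c", &b) != 0) return -1;
    snprintf(from, sizeof from, "%s/a/b/c", top);
    snprintf(to, sizeof to, "%s/c", top);
    if (move_c && rename(from, to) != 0) return -1;
    return leave_subdir(&b);
}

int main(void) { printf("in place: %d\n", demo(0)); printf("moved: %d\n", demo(1)); return 0; }
```

The scratch directories are left behind under /tmp for inspection.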