> If this is already known, my apologies. It seemed very strange that this
> worked, so I thought it would be mentionable.
>
It is known. See KSR[T] Advisory #3( http://www.dec.net/ksrt/adv3.html ).
> On many linux systems(Redhat imparticularly) updatedb is run nightly
> around 1:00. When it sorts the files that find gets, it creats a few files
> in /tmp called sort0<pid>000{1,2,etc}. Each is around 512k. The
> first file is created and filled, then if necassary, another is created
> and so on until it has your whole filesystem into a nice database. Well,
> once the first file is created you can easily guess what the next filename
> will be called as only the last character will change. If you create a
> link to say, the shadow password file, updatedb will kindly overwrite it
> for you. Ex:
>
> I played with this for awhile but couldn't find
> anyway to write anything useful to any file except /etc/shells so you can
> ftp into the system no matter what your specified shell is.
>
The consequences are more serious than that. A carefully crafted filename
in a world writable directory that updatedb processes could lead to a root
compromise. One could overwrite root's .rhosts or .login.
This could easily lead to a root compromise.
Dave G.
David Goldsmith dhg_at_dec.net
DEC Consulting http://www.dec.net
Software Development/Internet Security http://www.dec.net/~dhg
Received on Mar 02 1998
Intro
