GNU rm fileutils race condition
17th May 2002 [SBWID-5348]
COMMAND
	GNU rm fileutils race condition
SYSTEMS AFFECTED
	Probably packages including the rm utils until March 2002
PROBLEM
	From Paul Starzetz's [http://www.starzetz.de] advisory:
	
	-The SuSE distribution is taken as the example-
	
	There is an exploitable call to the vulnerable rm -rf command in
	/etc/cron.daily/aaa_base_clean_core as follows:
	
	#
	# paranoia settings
	#
	umask 022
	
	PATH=/sbin:/bin:/usr/sbin:/usr/bin
	export PATH
	TMPDIR=/var/tmp/cron.daily.$$
	rm -rf $TMPDIR
	
	
	This script is run every day as ROOT even if the user didn't set the
	DELETE_OLD_CORE variable in /etc/rc.config!
	
	
	 Details
	 -------
	
	As pointed out by Wojciech Purczynski <cliph@isec.pl> there is a race
	condition in the GNU 'rm' utility while removing directories recursively.
	In particular it is possible to create a deeply nested directory structure
	in /tmp, wait for removal of one of the leaves and quickly move the
	directory root 2 levels up. This will force rm to chdir("..") two levels
	more than intended, resulting in the removal of the complete file system.
	
	Exploit code will not be released, but exploitation is very
	straightforward, since the race window can be made mostly as big as
	needed (it is even possible to exploit this vulnerability 'by hand').
	One needs to create a directory structure like this:
	
	/tmp/cron.daily.PID/root/1/2/3/4/5/6/7/8/......./N
	 /(N+1)/(N+2)/.........../2*N
	 .........................
	
	and wait for the removal of the 'N' leaf. This can be easily
	accomplished since the clean_core script is called at a very well
	defined time (between 0:15:00 and about 0:15:15 every day) - so we can
	create X of those nested directories, wait until 15:00, get the next
	pid and begin to move those directories to match the next X pids.
	Guessing the next pid can be done by reading /proc/stat and evaluating
	the 'processes' entry (or, less elegantly, by continuous forking :-).
	
	
	 Impact
	 ------
	
	This vulnerability leads to a denial of service attack on SuSE Linux
	systems. As far as tested SuSE Linux <= 7.3 seems to be vulnerable.
	The 8.0 release has not been tested yet.
SOLUTION
	Most distributions have probably been silently updated since; grab the
	latest package.
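
The race described under Details comes from trusting chdir("..") to return to the directory that was descended from. As an added example (not code from the advisory or from GNU fileutils), the C code below records the parent's device and inode before descending and refuses to continue if chdir("..") lands anywhere else; the function names, the /tmp/rmrace.XXXXXX scratch path and the scenario in demo() are constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* chdir("..") and confirm we arrived in the directory we descended from.
 * Returns 0 on success, -1 if ".." now names a different directory. */
int checked_chdir_up(const struct stat *parent_id)
{
    struct stat now;
    if (chdir("..") != 0 || stat(".", &now) != 0)
        return -1;
    if (now.st_dev != parent_id->st_dev || now.st_ino != parent_id->st_ino)
        return -1; /* tree was rearranged under us: stop, delete nothing */
    return 0;
}

/* Constructed scenario in a private scratch directory: descend into
 * top/a/b, optionally have that directory moved to top/b while we are
 * inside it, then go back up. Returns checked_chdir_up()'s verdict,
 * or -2 if the scratch tree could not be set up. */
int demo(int moved)
{
    char top[] = "/tmp/rmrace.XXXXXX";
    struct stat a_id;
    int rc = -2, home = open(".", O_RDONLY);

    if (home < 0 || !mkdtemp(top)) return -2;
    if (chdir(top) == 0 && mkdir("a", 0700) == 0 && mkdir("a/b", 0700) == 0 &&
        chdir("a") == 0 && stat(".", &a_id) == 0 && chdir("b") == 0 &&
        (!moved || rename("../b", "../../b") == 0))
        rc = checked_chdir_up(&a_id);

    /* Clean up the scratch tree; only one of a/b and b exists. */
    if (chdir(top) == 0) { rmdir("a/b"); rmdir("b"); rmdir("a"); }
    if (fchdir(home) != 0) rc = -2;
    close(home);
    rmdir(top);
    return rc;
}

int main(void)
{
    printf("tree untouched: %d\n", demo(0)); /* parent identity matches */
    printf("dir moved up:   %d\n", demo(1)); /* mismatch is detected */
    return 0;
}
```

A recursive remover that gets -1 here should abort rather than keep unlinking relative to its current directory.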
