i got bored today, so i played around a bit with some stuff...
this is one interesting thing i saw ->
[root@busted]-[/tmp]# (ps -aux|grep gcc);ls -la
root 1683 0.0 2.1 856 324 4 S 18:25 0:00 gcc -o z zed.c
<junk snipped>
-rw-rw-r-- 1 root root 33583 Jan 2 18:25 cca02383.i
-rw-rw-r-- 1 root root 0 Jan 2 18:25 cca02383.s
-rw-rw-r-- 1 root root 41 Jan 2 18:56 purly.pl
hrm... this didn't quite look quite right... i made some symlinks (about
50 or so, rather than spend some time to be accurate) with the
names "cca02490.s" to "cca02550.s" to a file called "purly.pl"
Then i ran gcc a few hundred times, just for good measure...
-rwxrwxr-x 1 root root 2386 Jan 2 18:44 purly.pl
[root@busted]-[/tmp]# head purly.pl -n 2
.file "zed.c"
.version "01.01"
hello! this isn't the "hello world!" thing i used to have...
The ramifications of this? And file that can be read, can be
destroyed with some time and effort on the part of an attacker...
(Mind you, it might be a *lot* of time, but who knows)
Richard Kenny
-- rkenny@crimelab.net