/tmp race in Linux kernel source!

Peter van Dijk (peter@ATTIC.VUURWERK.NL)
Mon, 16 Mar 1998 02:20:37 +0100

Ok.. got all your attention there? It's not as bad as it looks ;)
But there _is_ a /tmp race in /usr/src/linux/scripts/Configure, as used by
make config (which is, IMHO, obsoleted by make menuconfig):

  if [ -f $DEFAULTS ]; then
      echo "#"
      echo "# Using defaults found in" $DEFAULTS
      echo "#"
      . $DEFAULTS
      # Predictable name ($$ is only the PID) in a world-writable directory;
      # the file is written, then sourced, i.e. executed, by whoever runs
      # 'make config' (usually root).
      sed -e 's/# \(.*\) is not.*/\1=n/' < $DEFAULTS > /tmp/conf.$$
      . /tmp/conf.$$
      rm /tmp/conf.$$
  else

File is created and sourced. What more could you wish?
And to exploit it you have from the start of the script to this point to catch
it and create a fifo in /tmp.
You know the rest (think GCC symlink exploit): get whatever it puts into
the fifo and give it back with a little extra, like creating a suid shell in
/tmp.
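For the fix side, here is an added example (mine, not the original post's
and not code from the kernel's Configure script) of the same defaults-loading
step written so that there is no predictable /tmp/conf.$$ for anyone to race.
The sed expression is the one from Configure; the function names,
the constructed sample .config and the use of GNU mktemp are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the kernel's Configure script.

# Variant 1: no temporary file at all. The sed output is evaluated in the
# current shell, which is exactly what '. /tmp/conf.$$' achieved, but the
# data never touches a world-writable directory, so there is nothing to race.
load_defaults_eval() {
    defaults="$1"
    [ -f "$defaults" ] || return 1
    . "$defaults"
    eval "$(sed -e 's/# \(.*\) is not.*/\1=n/' < "$defaults")"
}

# Variant 2: if a real file is wanted, let mktemp create it: unpredictable
# name, O_EXCL creation (a pre-placed fifo or symlink makes it fail instead
# of being followed), mode 0600, and removed on every exit path via trap.
load_defaults_mktemp() {
    defaults="$1"
    [ -f "$defaults" ] || return 1
    tmp=$(mktemp) || return 1
    trap 'rm -f "$tmp"' EXIT HUP INT TERM
    . "$defaults"
    sed -e 's/# \(.*\) is not.*/\1=n/' < "$defaults" > "$tmp"
    . "$tmp"
    rm -f "$tmp"
    trap - EXIT HUP INT TERM
}

# Constructed sample in the style of a kernel .config, so the example runs
# stand-alone; the path is printed so callers can pass it to the loaders.
make_sample_defaults() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# Constructed sample defaults (assumed content)
CONFIG_EXPERIMENTAL=y
# CONFIG_MODULES is not set
CONFIG_NET=y
EOF
    printf '%s\n' "$f"
}

# Usage: after either loader, CONFIG_MODULES is "n" and CONFIG_NET is "y".
# f=$(make_sample_defaults); load_defaults_eval "$f"; echo "$CONFIG_MODULES"
```

The point either way: sourcing a file is code execution, so the file's
contents must be under the control of the user running the script from
creation to the `.` line. Variant 1 removes the file, Variant 2 removes the
predictability and the symlink/fifo-following; both beat `rm` after the fact.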

Greetz, Peter.

------------------------------------------------------------------------------
'Selfishness and separation have led me to . Peter 'Hardbeat' van Dijk
to believe that the world is not my problem . network security consultant
I am the world. And you are the world.' . (yeah, right...)
Live - 10.000 years (peace is now) . peter@attic.vuurwerk.nl
------------------------------------------------------------------------------
2:08am up 1 day, 12:05, 6 users, load average: 1.10, 1.18, 1.17
------------------------------------------------------------------------------