TUCoPS :: Unix :: General :: unix5348.htm

GNU rm fileutils race condition
17th May 2002 [SBWID-5348]
COMMAND

	GNU rm fileutils race condition

SYSTEMS AFFECTED

	Probalby package including the rm utils till March 2002

PROBLEM

	In Paul Starzetz [http://www.starzetz.de] advisory :
	

	-Suse distribution is taken as the exemple-
	

	There is an exploitable  call  to  the  vulnerable  rm  -rf  command  in
	/etc/cron.daily/aaa_base_clean_core as follows:
	

	#

	# paranoia settings

	#

	umask 022

	

	PATH=/sbin:/bin:/usr/sbin:/usr/bin

	export PATH

	TMPDIR=/var/tmp/cron.daily.$$

	rm -rf $TMPDIR

	

	

	This script is run every day as ROOT even if the user  didn\'t  set  the
	DELETE_OLD_CORE variable in /etc/rc.config!
	

	

	 Details

	 -------

	

	As  pointed  out  by   Wojciech   Purczynski   <mailto:cliph@isec.pl>
	<cliph@isec.pl <mailto:cliph@isec.pl>> there is a  race  condition
	in the GNU \'rm\' utility while  removing  directories  recursively.  In
	particular it is possible to create a deply nested  directory  structure
	in /tmp,
	 wait for removal of one of the leafs and quickly move the directory 

	root 2 levels up. This will force rm to chdir(\"..\")  two  levels  more
	than intended, resulting in the removal of the complete file system.
	

	An  exploit  code  will  not  be  released,  but  exploitation  is  very
	straightforward, since the race window can be  made  mostly  as  big  as
	needed (it is even possible to exploit this vulnerability \'by  hand\').
	One needs to create a directory structure like this:
	

	/tmp/cron.daily.PID/root/1/2/3/4/5/6/7/8/......./N

	                        /(N+1)/(N+2)/.........../2*N

	                        .........................

	

	and wait for the  removal  of  the  \'N\'  leaf.  This  can  be  easiliy
	acomplished since the  clean_core  script  is  called  at  a  very  well
	defined time (between 0:15:00 and about 0:15:15 every day) - so  we  can
	create X of those nested directories, wait until  15:00,  get  the  next
	pid and begin to move those  directories  to  match  the  next  X  pids.
	Guessing the next pid can be done by reading /proc/stat  and  evaluating
	the \'processes\' entry (or less elegant by continuous forking :-).
	

	

	 Impact

	 ------

	

	This vulnerability leads to a denial of service  attack  on  SuSE  Linux
	systems. As far as tested SuSE Linux <= 7.3 seems to  be  vulnerable.
	The 8.0 release has not been tested yet.

SOLUTION

	Most distrib has probably been silently updated since, grabb the  latest
	package.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH