

Linux inode.i_count overflow


X-RDate: Thu, 15 Jan 1998 15:07:21 +0500 (ESK)
Date: Wed, 14 Jan 1998 13:02:58 -0800
From: Pete <shipley@DIS.ORG.>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Linux inode.i_count overflow

>http://www.ms.mff.cuni.cz/~jkot2155/linuxbug.html
>
>   While I was working on my master thesis (Emulation of [1]Classic
>   Operating Systems in [2]Distributed Environment), I found following
>   two nasty things in Linux sources:
>
>                        i_count Overflow Security Hole
>
>   Member i_count in struct inode contains the usage count. It is of type
>   unsigned short, which is only 16-bit long on i386. Unfortunately, it
>   is not enough. You can make it overflow by mapping one file many
>   times:




BSD 2.9 (maybe 4.1) had this problem also, in that case the link count
was stored in a u_char, I think.  (You needed to fork something like 23
processes or something to do it since the per process file descriptor
table size was significantly smaller than the file's link counter).

It was possible to hack root by opening a file in the / (root)
filesystem till that file's link count was 0  (and thus it was
added to the freelist).  Next you would change your password or
finger/gecos info a few times till "your" inode was reallocated
and used for the password file thus leaving you an open file descriptor
to the password file.

Since I do not run Linux I cannot test to see if you can do this under Linux.

I have some *old* exploit code for this at home on a disconnected
system but since I am on the road I can get to it. I'll try to remember to
send it to rootshell.com when I get home.

                -Pete
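
The counter wrap described in the quoted advisory, as an added user-space illustration that is not part of the original post or the Linux sources. `toy_inode`, `get_unchecked`, `get_checked`, `put` and `dangling_holders` are hypothetical names, and the checked variant shows one mitigation: refusing a new reference once the counter is at its maximum.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for struct inode: only the usage count matters here.
   Assumes unsigned short is 16 bits (USHRT_MAX == 65535), as on i386. */
struct toy_inode {
    unsigned short i_count;  /* 16-bit usage count */
    bool freed;              /* set when the last reference is dropped */
};

/* Unchecked acquire: silently wraps from 65535 to 0. */
static void get_unchecked(struct toy_inode *ino) { ino->i_count++; }

/* Checked acquire: refuse the reference instead of wrapping. */
static bool get_checked(struct toy_inode *ino) {
    if (ino->i_count == USHRT_MAX) return false;
    ino->i_count++;
    return true;
}

/* Release: the object is treated as free once the count reaches zero. */
static void put(struct toy_inode *ino) {
    if (ino->i_count > 0 && --ino->i_count == 0) ino->freed = true;
}

/* Start with one holder, take `extra` more references, then drop one.
   Returns the number of holders that still exist when the inode is
   marked free, or 0 if it was (correctly) not freed. */
static long dangling_holders(unsigned long extra, bool checked) {
    struct toy_inode ino = { 1, false };
    unsigned long held = 1;
    for (unsigned long i = 0; i < extra; i++) {
        if (checked) { if (!get_checked(&ino)) break; }
        else get_unchecked(&ino);
        held++;
    }
    put(&ino);
    held--;
    return ino.freed ? (long)held : 0;
}

int main(void) {
    printf("unchecked, 65536 extra refs: %ld holders of a freed inode\n",
           dangling_holders(65536UL, false));
    printf("checked,   65536 extra refs: %ld holders of a freed inode\n",
           dangling_holders(65536UL, true));
    return 0;
}
```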
