Thursday, October 16, 2008

Possible loophole with dd command in multi-user Linux servers


I didn't think this would be a big deal, but I noticed that several remote logging Linux servers permit users to have an unlimited disk quota, which can easily be exploited using a command like:

~$ dd if=/dev/zero of=null.bin

It doesn't require the user to 'sudo'. I checked it out on one of the remote access servers that has to be logged in to using Telnet: I executed this command and was surprised to see it being permitted and having a free and unchecked run. Effectively, /dev/zero is a virtual disk that can generate a series of 'zero' bytes, and the 'dd' command will copy from the input file (i.e. /dev/zero) to the output file (null.bin here) and will not terminate until it reaches the End of File of /dev/zero. And because I didn't give it any count or bytes limit (which can be done using the bs=xxx and count=xx parameters), and since it never reaches the end when reading from /dev/zero, it will effectively create a massively huge file within seconds, and fill up an entire normal-sized hard disk in about a minute and a half! I tried it out and in less than 7 seconds I had created a 962 MB null.bin in my home folder. Then I tried it on a virtual machine I had created (Ubuntu 8.04 Hardy Heron running in VMware on Windows), with a fixed disk space of 3 GB, and in about 10-15 seconds my 'dd' command died with a "No space left on disk" error message.

I'm not sure if it's really a loophole or not, but it certainly made my home directory expand to 1.2 GB unchecked within seconds in a remote telnet login to a Red Hat server. If it is a loophole, I think it could be solved by assigning a strict disk quota to each user, encompassing the total areas where he can write to.

~Shashank
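
The post's dd run can be reproduced safely under a per-process file-size limit, which shows the unbounded write being stopped by the kernel. This is an added example, not part of the original post; `capped_dd` is a hypothetical helper name, and the group and user names in the closing comments are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. capped_dd is a hypothetical helper.
# It runs the post's unbounded dd inside a subshell whose file-size limit
# (RLIMIT_FSIZE) has been lowered, then prints "<dd status> <bytes written>".

capped_dd() {
    limit_blocks=$1   # ulimit -f units: 1024 bytes in bash, 512 in dash/POSIX sh
    workdir=$2
    status=0
    (
        cd "$workdir" || exit 1
        ulimit -f "$limit_blocks" || exit 1
        # Same command as in the post: no bs= or count=, so only the limit stops it.
        dd if=/dev/zero of=null.bin 2>/dev/null
    ) 2>/dev/null || status=$?
    size=$(wc -c < "$workdir/null.bin" | tr -d ' ')
    echo "$status $size"
}

# Demo in a throwaway directory (constructed; nothing outside it is touched).
demo_dir=$(mktemp -d)
echo "status and size with a 1024-block cap: $(capped_dd 1024 "$demo_dir")"
rm -rf "$demo_dir"

# Persistent equivalents an administrator would configure instead:
#   /etc/security/limits.conf (pam_limits):  @students hard fsize 1048576
#   per-user disk quota (the post's fix):    setquota -u USER SOFT HARD 0 0 /home
# "@students", USER, SOFT and HARD are placeholders.
```

A file-size limit only caps each individual file; bounding a user's total usage still needs the per-user disk quota the post proposes.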

2 comments:

Anonymous said...

Well, I have been thinking about the same telnet server (we share accounts on the same server) for a long time... One, you can create as large a file as you want... The last time I did something like this was:
recursively concatenate three files; I could achieve sizes of 15 GB each. Yes, text files that big... Our admins don't really care what we do ;-)! ... And if you want to crash the system, try opening the same file in vim (the 15 GB or so file) or just run a simple C program having three embedded loops ('for' loops)...
And for my latest achievement: as most of the communication programs like "talk" are prohibited, I wrote two simple scripts, 'send' and 'recv', to send and receive messages... The scripts need a lot of polishing, but as Ishan, Karthik and I checked in the lab today, they work :-) ... So actually speaking, the 'dd' thing is not a loophole... but badly enough our admins are a**holes...!

Shashank Shekhar said...

Well, it's not a loophole, but it certainly can be exploited like this. If anything can be commonly exploited, it's a loophole. :-) And the sequence goes on..