The mysteriously persistently exploitable program explained

    Date: 05 Jan 2004
    Posted by: Anthony Pell
    In a previous article I described a machine compromise that initially seemed impossible. A vulnerable suid root program, /usr/sbin/buggy, was upgraded to a non-vulnerable version, and yet crackers were still exploiting it. In fact, even after the program was removed entirely, it was still being exploited.

    So how can a program be accessed after it has been removed? The problem is that it wasn't removed.

    When we access a file on disk, we do so by providing a filename. The filesystem uses filenames, which are simply entries in directories, to look up the file's inode. An inode is a unique numeric identifier, essentially a file number, that identifies the file within that filesystem. It is the inode, not the name, that holds the file's data and its metadata: owner, permissions, and the setuid bit included. You can see the inode number with the -i option to ls:

    $ ls -il /bin/cat
    32689 -rwxr-xr-x 1 root root 13912 Sep 17 06:54 /bin/cat

    The first number on that output line is the inode number, here 32689. Note also the third field, '1'. That's the link count: the number of directory entries (filenames) that refer to this inode. Now compare /bin/cat to, say, /bin/gzip:

    $ ls -il /bin/gzip
    32755 -rwxr-xr-x 4 root root 13912 Apr 19 04:43 /bin/gzip

    Note the link count of 4 in this case: four different filenames on this filesystem refer to this one inode, and removing any one of them only decrements the count; the inode, its contents and its permission bits stay exactly as they were. How can we find the other filenames that point to this same file?
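    The page ends on that question, so the article's own answer is not here. What follows is an added example, not the article's text or code: it rebuilds the situation in a scratch directory (a setuid program acquires a second directory entry, the original name is removed, and the inode lives on under the other name) and then answers the question with find(1), by inode number (-inum, GNU/BSD) and by link count (-links +1, POSIX). The paths $DEMO/sbin/buggy and $DEMO/tmp/.X11-unix/.x are invented stand-ins for /usr/sbin/buggy and an attacker's hidden link; the file is owned by the demo user rather than root, so its setuid bit is harmless.

```shell
#!/bin/sh
# Added example, not code from the original article. Shows that rm only
# removes a directory entry: the inode, its data and its mode bits survive
# under any other hard link, and find(1) can locate those other names.
# $DEMO/sbin/buggy and $DEMO/tmp/.X11-unix/.x are invented paths.
set -eu

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT

# Inode number of a path: first field of POSIX `ls -i`.
inode_of() { ls -i "$1" | awk '{print $1}'; }

# Link count of a path: second field of `ls -l`.
link_count() { ls -l "$1" | awk '{print $2}'; }

# Mode string of a path: first field of `ls -l`, e.g. -rwsr-xr-x.
mode_of() { ls -l "$1" | awk '{print $1}'; }

# Every name under $1 (same filesystem) for inode $2. -inum is GNU/BSD find,
# not POSIX, but it answers "what else points at this inode?" directly.
names_for_inode() { find "$1" -xdev -inum "$2" 2>/dev/null | sort; }

# Every regular file under $1 with more than one name. -links is POSIX, so
# this is the portable sweep to run before trusting that an rm did anything.
multiply_linked() { find "$1" -xdev -type f -links +1 2>/dev/null | sort; }

# --- stand-in for /usr/sbin/buggy: executable script with the setuid bit ---
mkdir -p "$DEMO/sbin" "$DEMO/tmp/.X11-unix"
printf '#!/bin/sh\necho "buggy running as $(id -un)"\n' > "$DEMO/sbin/buggy"
chmod 4755 "$DEMO/sbin/buggy"      # owned by the demo user, so harmless here

# --- the attacker adds a second name for the same inode --------------------
ln "$DEMO/sbin/buggy" "$DEMO/tmp/.X11-unix/.x"

BUGGY_INODE=$(inode_of "$DEMO/sbin/buggy")
MODE_BEFORE=$(mode_of "$DEMO/sbin/buggy")
LINKS_BEFORE=$(link_count "$DEMO/sbin/buggy")          # 2
NAMES_BEFORE=$(names_for_inode "$DEMO" "$BUGGY_INODE") # both paths
LINKED_BEFORE=$(multiply_linked "$DEMO")               # both paths

# --- the admin "removes" the program ---------------------------------------
rm "$DEMO/sbin/buggy"

# rm unlinked one name. The inode, its contents and its mode bits are intact
# under the other name, which is exactly why the "removed" program still ran.
LINKS_AFTER=$(link_count "$DEMO/tmp/.X11-unix/.x")     # 1
NAMES_AFTER=$(names_for_inode "$DEMO" "$BUGGY_INODE")  # only the hidden path
MODE_AFTER=$(mode_of "$DEMO/tmp/.X11-unix/.x")         # same as MODE_BEFORE
SURVIVOR_INODE=$(inode_of "$DEMO/tmp/.X11-unix/.x")    # same as BUGGY_INODE

printf 'inode %s: %s link(s) before rm, %s after\n' \
    "$BUGGY_INODE" "$LINKS_BEFORE" "$LINKS_AFTER"
printf 'still reachable as: %s (%s)\n' "$NAMES_AFTER" "$MODE_AFTER"
```

    On a real host the check to run before removing a setuid binary is its link count, and if it is above 1, a sweep such as find / -xdev -type f -inum N (or, portably, find / -xdev -type f -perm -4000 -links +1) to list every name for that inode; unlink all of them, not just the one in the package manifest. A link can only be made within one filesystem, hence -xdev, but the hidden name can sit in any directory on that filesystem.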
