[sf-lug] Hacked RHEL4/PHP4 server

Kristian Erik Hermansen kristian.hermansen at gmail.com
Thu May 22 14:10:18 PDT 2008

On Thu, May 22, 2008 at 1:14 PM, Rick Moen <rick at linuxmafia.com> wrote:
> If you are holding in your hands a day-zero exploit for e2fsck, you have
> _much_ better things to do with your new-found, magically (if
> hypothetically) available underworld wealth than attempt to taunt some
> sysadmin in Menlo Park.

Rick, you take my hypothetical situation too far.  My point was to
prove that just parsing a file system *can* result in arbitrary code
execution.  You do not need to have loadable boot code...

> If you think it's possible to induce the canonical e2fsck to perform
> unnatural and threatening acts through a cannily malformed filesystem
> that it merely parses but does not execute, feel free to show a
> demonstration.  I'll not be holding my breath.

Bugs like this do exist, and here is a recent one for Mac OS X, which
you claim should not be vulnerable to fsck running arbitrary code of
the attacker's choosing merely because it does not run code in the
boot sector when mounted...


Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.9, Mac OS X Server v10.4.9

Impact: Opening a maliciously-crafted UFS disk image may lead to an
unexpected application termination or arbitrary code execution

Description: A memory corruption vulnerability exists in fsck. It is
possible to cause fsck to be run automatically on a disk image when it
is opened. By enticing a user to open a maliciously-crafted disk
image, or to run fsck on any maliciously-crafted UFS filesystem, an
attacker could trigger the issue which may lead to an unexpected
application termination or arbitrary code execution. This update
addresses the issue by performing additional validation of UFS

> But why bother?  Why not, if you're attempting to play stupid mind games
> with the sysadmin of a system where you've hypothetically stolen root,
> encrypt a bunch of its files and then send the admin a telephone call or
> e-mail advising him/her of where to wire money to get the files back?
> You've now recreated one of the standard 1980s virus scenarios (that
> were actually attempted on victims of that era by Central American
> wannabe extortionists).

The Monkey virus was pretty cool, but I'm not going down that path.
I'm not talking about taking a file system hostage.  What I am talking
about is something different.  Such an attacker would only use an
exploit like this in a targeted scenario, perhaps to find out who was
running that honeypot, so that when the *real* security researcher
mounts the file system image for research purposes, he can be
exploited.  The scenario is highly unlikely for normal sysadmins, but
still something that should not be discredited.

In response to your other comments, I'm not asking you to do anything
Rick, except for acknowledge the possibility of such a scenario.  You
can ph33r whatever you want to ph33r.  Good night and good luck...
Kristian Erik Hermansen
"When you share your joys you double them; when you share your sorrows
you halve them."

More information about the sf-lug mailing list