[Polarhome] cracked

Zoltan Arpadffy arpadffy@polarhome.com
Mon, 3 Sep 2001 22:57:49 +0200


gate.polarhome.com has been cracked.

 attack was not constructive and it was directly against gate's
functionality.
Attacker used PAM modules bug that it is not possible to configure
/etc/security/limits.conf file with user environment limitations. This bug
has been submitted to bugzilla several times (once by me), but RedHat didn't
take it with high importance.

Scenario:
guest user logged in.
guest    pts/108      Mon Sep  3 10:44 - 12:56  (02:11)
cmb5-152.dial-up.arnes.si
writes a c program:

#include <stdio.h>
main(){
    system("/usr/bin/uptime");
    while(1){
            fork();
    }
}

This program just overload the system...

Normally /etc/security/limits.conf would easily stop the this kind of
attacks with
*       hard    nproc   100
... but not the buggy PAM :-)

Anyhow system with more than 3000 users was down.

root

>