DoS program/bug

Posted on 2006-04-13
Last Modified: 2008-02-26
Hello, I have a program that was used to bypass my security stuff. I am running FreeBSD 5.4 pl13. It is a shell server. The exploit creates something like 400,000 files; each 1000 files have the SAME inode. I don't know how this is possible, but maybe you can help me out on this. The idea is that when periodic tasks run, like updatedb, or security, or whatever uses the find/locate command, the server reboots. I think the issue is that the files have the same inodes, and there are a lot of them ...

The files look like this; you can see the inode on the left side, and that it is the same:

1319375 -rw------- 30000 user users 0 Apr 10 23:31 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx075
1319375 -rw------- 30000 user users 0 Apr 10 23:31 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx076
1319375 -rw------- 30000 user users 0 Apr 10 23:31 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx077

Now, I tried to decompile, and I think I got the procedures in assembly. The file is relatively small: 6667 bytes ...

Here is what I got. All procedures are here. Is it assembly? Could you please tell me what the script does? Because I have quota enabled, and limitations for files and disk space, but with this proggie, 400000 files were using 400 inodes, because each 1000 had the same inode. Need help, please.

<Code Removed by Request> Paul Caswell
Question by:rares_dumitrescu

    Author Comment

    ldd and strings output

    ldd eggdrop
   => /lib/ (0x28076000)

    strings eggdrop
    $FreeBSD: src/lib/csu/i386-elf/crti.S,v 1.6 2002/05/15 04:19:49 obrien Exp $
    mkdir(%s) failed
    creat(%s) failed
    stat(%s) failed
    link(%s,%s) failed
    finished successfully
    $FreeBSD: src/lib/csu/i386-elf/crtn.S,v 1.5 2002/05/15 04:19:49 obrien Exp $
    LVL 16

    Expert Comment

    Could you be a bit clearer about what you are asking us to do?

    If you are asking how this program was built, then it's originally written in C or C++. I can tell that because of the "%02d/%05d" type formatting and the fact that there exists a function called '_main'.

    The existence of __do_global_ctors_aux suggests it might be C++ but it may not be.

    LVL 53

    Expert Comment

    A few comments :

    1) eggdrop is the name of a popular IRC bot ... any chance this is what this executable is ?

    2) Multiple filenames using the same inode refer to the same physical file ... AFAIK that shouldn't pose any problems. I've seen an exploit that overflowed the i_count member of a struct inode by referring to the same inode more than 65535 times, but as you say that in this case only 1000 filenames map to the same inode, that shouldn't be a problem here.

    3) As Paul said, the language this software was originally written in is C, as shown by the use of the library

    A few questions :

    1) Are you sure that it was this program that created all those files ?

    2) How did you track down the crash problem to this particular piece of software ?

    I'll look over the code a bit to see if I can find something of use ...
    LVL 53

    Accepted Solution

    A bit of (manual) reverse engineering gave this :

    << Some excellent work regretfully removed by Page Editor>>
        return printf("\rfinished successfully\n");

    I'm sure it's not 100% the same as the original code, but the broad lines should be OK. Basically it does as you said: it creates a file and 29999 links to that same file (using the same inode as a consequence). The links are spread out over several directories containing 1000 each.

    Does this correspond to what you see on your system ?

    How is struct inode defined on your system ? More specifically, the i_count member ... is it a signed short ? If so, it could be overflowing because of the 29999 links to the same inode.
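The following C program is an added example that is not part of the original thread and is not the program under discussion; it shows the mechanism the accepted solution describes: one regular file plus many hard links to it, spread over numbered directories, with every name reporting the same st_ino in stat(2) while no new inode is allocated, which is why an inode quota counts the whole tree as one file. The function name hardlink_fanout, the temporary directory under /tmp, and the "%02d/%05d" naming are my assumptions; the counts are kept small (a few dozen links instead of 29999) and the tree is removed again, so this demonstrates the link-count behaviour rather than reproducing any crash.

```c
#define _XOPEN_SOURCE 700
#include <sys/stat.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper (added example, not the program from the question).
 * Creates one regular file and ndirs*per_dir hard links to it, spread over
 * ndirs subdirectories under a fresh mkdtemp(3) directory in /tmp, checks
 * that every link resolves to the same (st_dev, st_ino) pair, then removes
 * the tree again. On success *ino_out receives the shared inode number and
 * *nlink_out the final st_nlink of the file. Returns 0 on success, -1 on
 * failure. */
int hardlink_fanout(int ndirs, int per_dir,
                    unsigned long long *ino_out, unsigned long long *nlink_out)
{
    char root[] = "/tmp/linkdemo.XXXXXX";   /* assumed scratch location */
    if (mkdtemp(root) == NULL)
        return -1;

    char base[PATH_MAX];
    snprintf(base, sizeof base, "%s/base", root);
    int fd = open(base, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) { rmdir(root); return -1; }
    close(fd);

    struct stat st_base;
    if (stat(base, &st_base) != 0) { unlink(base); rmdir(root); return -1; }

    int rc = 0;
    for (int d = 0; d < ndirs && rc == 0; d++) {
        char dir[PATH_MAX];
        snprintf(dir, sizeof dir, "%s/%02d", root, d);
        if (mkdir(dir, 0700) != 0) { rc = -1; break; }
        for (int i = 0; i < per_dir; i++) {
            char name[PATH_MAX];
            snprintf(name, sizeof name, "%s/%05d", dir, i);
            /* link(2) adds a directory entry for the existing inode; no new
             * inode is consumed, so only st_nlink grows. */
            if (link(base, name) != 0) { rc = -1; break; }
            struct stat st;
            if (stat(name, &st) != 0 ||
                st.st_ino != st_base.st_ino || st.st_dev != st_base.st_dev) {
                rc = -1; break;
            }
        }
    }

    struct stat st_final;
    if (rc == 0 && stat(base, &st_final) == 0) {
        *ino_out = (unsigned long long)st_final.st_ino;
        *nlink_out = (unsigned long long)st_final.st_nlink;
    } else {
        rc = -1;
    }

    /* Cleanup: unlink every name and remove the directories. The inode is
     * freed only when its last name is gone. */
    for (int d = 0; d < ndirs; d++) {
        char dir[PATH_MAX];
        snprintf(dir, sizeof dir, "%s/%02d", root, d);
        for (int i = 0; i < per_dir; i++) {
            char name[PATH_MAX];
            snprintf(name, sizeof name, "%s/%05d", dir, i);
            unlink(name);
        }
        rmdir(dir);
    }
    unlink(base);
    rmdir(root);
    return rc;
}

int main(void)
{
    unsigned long long ino = 0, nlink = 0;
    if (hardlink_fanout(3, 10, &ino, &nlink) != 0) {
        perror("hardlink_fanout");
        return 1;
    }
    /* 3 directories * 10 links + the original name = 31 */
    printf("shared inode %llu, link count %llu\n", ino, nlink);
    return 0;
}
```

The value that grows here, st_nlink, is also the cheap thing to look for on a shell server: a regular file with an unusually high link count (for example `find /home -xdev -type f -links +100`) is exactly the shape the accepted solution reconstructs, and it is what a filesystem-level link limit or a per-inode link-count type narrower than the number of links would have to cope with.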
    LVL 53

    Expert Comment

    It would maybe have been better to put this in the Security department ... but I've got the impression that rares_dumitrescu just wants to know what happened to his system. In any case, exploits like this (if it is one, and it looks like it is) are more easily obtained elsewhere than by decompiling a binary.

    I will however be a bit more cautious from now on not to post anything that could harm EE ... I just got sucked into the challenge to find out what this code does, and once I found out, it seemed a pity not to post it lol. My apologies ...

    Author Comment

    We solved the problem. The system was rebuilt using a different partitioning scheme: /home is mounted with noexec. Users' programs were installed globally and their configs are in their home directories, so this program that was used to crash the system, or any other program/exploit, could not be run ... I had been trying to find a way so I would not have to rebuild the system to beat this thing off, but this was the only viable solution I got ...

    Thanks guys for all the help you gave me.

    Author Comment

    Please edit the post and take out the code that might harm other people ... this stuff is really dangerous ... really.

    Author Comment

    And please delete the procedures and the ldd output I wrote up there, because someone could rebuild the code, and really, I saw what it did to my box, so I would not want to be the cause of pain on someone else's back ... I mean, for this one the only solution I got was either give no shells, or the specific partitioning up there plus the rest of the hardening stuff ...

    Again, thanks for your help and dedication ... it was great.
    LVL 53

    Expert Comment

    Hi Paul,

    No problem at all ... since rares_dumitrescu resolved his problem it's no longer needed (especially since he could resolve it without the code :)). It was a fun challenge for me (to refresh my reverse engineering skills, which I haven't used in a while lol), but this is indeed not the best place to be posting this.
    Although I still believe that security comes from public knowledge of all kinds of attacks ... If you make code like this publicly available (to crackers as well as security people), it will be a short while before a patch (or similar) is written to fix this security hole. There are several good sites around that are built on this idea ... I won't mention their names (although they should be common knowledge), but I'm sure you know what I'm talking about :)

    Again: no problem ... Whatever is necessary to uphold the quality of this site is fine by me :) BTW, as rares_dumitrescu said: you might want to remove the code in his question too, as it does exactly the same thing, although a bit more cryptically :)


    LVL 53

    Expert Comment

    If you want this problem fixed in a more permanent way, I suggest posting this on one of the security sites I mentioned, as well as in the bugs/security holes section of your OS's site/forum/mailing list. It shouldn't take long for someone to come up with a fix ...
