Checking the Disk Quota #1

Posted by & filed under , .

This is again similar to the others above, except that this time an attacker can exploit the disk quota. This quota defines how much space a user can use/store on a disk/partition. If there is no capping on this value, a user process can try to fill up the disk space available in the system, thus preventing any other process that needs to create files on disk (e.g. pipes, temporary files etc) from doing so — leading to either crashes in the system processes or preventing these from working.

The code to exploit this is quite simple, as you might have guessed it: an infinite loop that simply writes data on the disk in a file this time — so the file size at each iteration will grow up to the point when there is no space on the disk which will cause the system processes to crash or at least prevent them from working properly — such that the only thing you can really do is a hard reset. (Again, you won’t be able to log in either via the local console or remotely — or even kick off a reboot process — as the system will no longer be able to create any temporary files or write to the log file, or even worse, some of the daemon processes — e.g. ssh — will die.) The worst part about this approach is that your reboot won’t work, as obviously files are persistent so during reboot your system will quite likely freeze as there will still be no space on the disk!

We have chosen the /tmp directory here as typically anyone will have write access in this directory, and also this is the directory used by most of the system processes to write temporary files. A clever sysadmin, I guess, could either have created a different temp directory for users, on a different partition, where strict quota rules apply, or mounted the /tmp dir on a partition where a disk quota is already in place for the system users. Also, if you are planning to check your system against this exploit, is also a good idea to check the partition that stores the user homes is not on the same partition as the /tmp directory, or that there is no other location where ordinary users can write without having a disk quota.

Also note that the bigger the block size (that gets written to the file at each iteration) the higher the chances that the sysadmin might still be able to log in and kill your process (and delete the file created) — thus freeing up the system resources. For example, if you keep writing 1 Meg at a time, at some point, the disk space might only have 900K left, so your program exits but the system will still be able to store another 900K on disk — quite likely enough for an admin to log in and delete the file. While if you are writing say chunks of 1Kb, even though your program will take forever to fill the disk, you leave very little chance — unlikely that what’s left on the disk (under 1K) can suffice a login for the sysadmin. A “clever” approach would be to try large writes first until the write fail, then half the size of the chunks until it fails and keep going like this until you cannot write a chunk of 1K — at which point you stop as it’s quite clear you have reached the disk quota! However, I’m not providing that piece of code here, as there’s gonna be loads of “hacker wannabes” downloading it and trying it throughout universities 🙂 If you’re good enough to understand the concept you should be good enough to expand the program yourself 😉

Below is the code:

#include <stdlib.h>
#include <stdio.h>
/* We are going to write 1K at a time */
#define WRITE_BLOCK (1024)
#define WRITE_FILE "/tmp/bigfile"
int main( int argc, char ** argv )
   /* open file */
   FILE * fp = fopen( WRITE_FILE, "w" );
   if( !fp ) /* d'oh! */
      return 1;
   /* allocate our buffer */
   char * c = (char *)malloc( WRITE_BLOCK );
   if( !c ) /* d'oh! */
      return 2;
   int written = fwrite( c, 1, WRITE_BLOCK, fp );
   while( written < 0 )
      written = fwrite( c, 1, WRITE_BLOCK, fp );
   fclose( fp );
   free( c );
   return 0;

Remember that in order to prevent such an exploit on your machine you should set a disk quota for your users. Consult your man pages on how to do so.

Download the above source code here.

NOTE: This is an article from my old website, way before I restructured it. Since I see visitors going through search engines and requesting the old page, I decided to resurrect this, as it obviously presents a certain level of interest to users out there, so at least future searches will not get a simple 404 but get instead this page.