It's been 45 days, I'm posting.
Posted by nuxi on 2005-May-06 at 21:22:20 in Computers
Okay, certain versions of EMC systems (I still am not certain which ones) suffer a directory tree traversal problem inside the checkpoint backup system. This backup system allows you to have live access to the most recent backups of your files simply by doing "cd .ckpt". Inside of this directory there are a bunch of dated folders corresponding to the recent backups. This is a one-way door: once in here you cannot leave by way of relative paths.
Specifically, 'cd ..' behaves radically differently than expected. Instead of going back to the folder with the list of backups, it goes one directory up the tree of the backup system. Like if you were in '/home/bob/.ckpt/NNN/' (which is '/ckpt_NNN_home/bob' on the server side) and did 'cd ..' you would expect to get to '/home/bob/.ckpt' but instead you are at '/ckpt_NNN_home' on the server side. By repeatedly doing 'cd ..' you proceed up the directory tree of the storage array and eventually get to the root of the storage array's filesystem. You can now proceed to explore the ENTIRE network storage array, including NFS shares that your computer can't normally access.
Lots of people make poor assumptions about who is world. Without this exploit, world is anyone who can access a computer that gets that specific NFS share. With this exploit, world is anyone who can access any share on the NAS. In my case I was able to read 6 years of PBX logs for all of Michigan Tech and plenty of other goodies.
My pieced-together list of what Tech has from EMC is:
EMC Celerra
EMC Clariion CX600
EMC Clariion CX700
I'm pretty sure that the flaw is in the Celerra, but I have no clue.
There is a patch out, 'cause Tech applied it on Tuesday evening and has so far stopped my efforts at defeating it. 'cd ..' still doesn't behave correctly, but it does stop you from going above the base of the NFS export you are on. So in my example I would be stopped at '/ckpt_NNN_home' and unable to get to the '/' of the NFS server.
Now if you are shocked about this, so was I. What happened to software quality control? You'd think at least one QA tester would have tried the thing that I did out of habit to leave the folder! You'd think at least one would have investigated when it didn't behave quite right. And people wonder why I don't trust computer software...
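
An added example, not part of the original post and not EMC's code: a small Python model of the '..' lookup described above, showing the unbounded behaviour next to the clamp-at-export-base behaviour the post attributes to the patch. The function names and the string-only path model (no symlinks, no real filesystem) are assumptions made for illustration; the paths are the post's own placeholders.

```python
import posixpath

# Constructed model of the server-side layout described in the post.
# "NNN" is the post's own placeholder for a checkpoint name.
EXPORT_BASE = "/ckpt_NNN_home"   # base of the checkpoint export
START = "/ckpt_NNN_home/bob"     # server-side dir behind /home/bob/.ckpt/NNN


def lookup_unpatched(server_dir, name):
    """Resolve one component against the array's own tree, no bounds check."""
    return posixpath.normpath(posixpath.join(server_dir, name))


def lookup_patched(server_dir, name, export_base=EXPORT_BASE):
    """Same lookup, but never return anything above the export base."""
    candidate = posixpath.normpath(posixpath.join(server_dir, name))
    # Compare whole components so "/ckpt_NNN_home2" does not count as inside.
    inside = candidate == export_base or candidate.startswith(export_base + "/")
    return candidate if inside else export_base


def walk_up(lookup, start, steps):
    """Apply 'cd ..' repeatedly and return every directory visited."""
    visited, cwd = [], start
    for _ in range(steps):
        cwd = lookup(cwd, "..")
        visited.append(cwd)
    return visited


def escapes(visited, export_base=EXPORT_BASE):
    """Regression check: which visited directories lie outside the export?"""
    return [d for d in visited
            if d != export_base and not d.startswith(export_base + "/")]


if __name__ == "__main__":
    for label, fn in (("unpatched", lookup_unpatched),
                      ("patched", lookup_patched)):
        path = walk_up(fn, START, 3)
        print(label, path, "outside export:", escapes(path))
```

The `escapes` check is the kind of assertion a QA regression test for an export boundary would make: any lookup result outside the export base is a failure, whatever the client typed.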