lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: j.mosher at sympatico.ca (Jerry)
Subject: /bin/rm file access vulnerability

I have to agree with Shane on this.  The whole point of the admin a.k.a root
user is to have full control over everything.  What's the point of that user
if it can't delete of stop a set process when required if some user orphans
something and can't get it back?

JM
----- Original Message -----
From: "shane milton" <shane.milton@...il.com>
To: "Lennart Hansen" <xenzeo@...dener.com>
Cc: <full-disclosure@...ts.netsys.com>
Sent: Thursday, December 30, 2004 8:45 AM
Subject: Re: [Full-Disclosure] /bin/rm file access vulnerability


> > However, it is possible for a person with admin rights (root) to
> > delete _any_ file
> > on the system regardless of who has created it and what it's permissions
are.
>
> ???  Maybe I'm confused.  . . . .but I don't see the problem here.
>
> -Shane
>
>
>
> On Wed, 29 Dec 2004 20:18:25 -0500, Lennart Hansen <xenzeo@...dener.com>
wrote:
> > /bin/rm file access vulnerability
> >
> > Affected Products:
> >          /bin/rm (all versions, tested on FreeBSD and linux)
> >          (http://www.freebsd.org    http://www.kernel.org)
> >
> > Author:
> >          Xenzeo (Ablazed, Ultralaser, Lennart A. Hansen)
> >          xenzeo at blackhat dot dk
> >
> > /bin/rm is a program that removes the named file arguments on unix
systems.
> > When /bin/rm is called it checks the file's permissions and the id of
the user
> > trying to remove the file. If the user does not have the required
permissions
> > to delete the file, /bin/rm will simply reject and exit.
> >
> > However, it is possible for a person with admin rights (root) to
> > delete _any_ file
> > on the system regardless of who has created it and what it's permissions
are.
> >
> > Proof of concepts:
> > $ touch /home/xenzeo/file
> > $ ls -l /home/xenzeo/file
> > -rw-r--r--  1 xenzeo none 0 Dec 30  2004 /home/xenzeo/file
> > $ id
> > uid=1000(xenzeo) gid=513(none) groups=513(none),545(users)
> > $ su -c 'rm -f /home/xenzeo/file'
> > $ ls -l /home/xenzeo/file
> > ls: file: No such file or directory
> >
> > #!/usr/bin/perl
> > if ($#ARGV != 0) {
> >         die "usage: rm-exploit.pl file\r\n";
> > } else {
> >     $file = $ARGV[0];
> >     print "*** CMD: [ /bin/rm -f $file ]\r\n";
> >     print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
> >     if ($> == 0) {
> >        print "[-] EXECUTING CMD\r\n";
> >        system("/bin/rm -f $file");
> >        print "[-] DONE\r\n";
> >        print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
> >        exit();
> >     } else {
> >        print "[-] EXPLOIT FAILED\r\n";
> >        print "[-] YOU ARE NOT ROOT\r\n";
> >        print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
> >     }
> > }
> >
> > Vender status:
> >          Neither FreeBSD nor Linux developers have been contacted yet!
> >
> > -Xenzeo
> >
> > --
> > ___________________________________________________________
> > Sign-up for Ads Free at Mail.com
> > http://promo.mail.com/adsfreejump.htm
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists