| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <007d01c4ee8f$ef38fd40$030a0a0a@captainwill>
From: j.mosher at sympatico.ca (Jerry)
Subject: /bin/rm file access vulnerability
I have to agree with Shane on this. The whole point of the admin a.k.a root
user is to have full control over everything. What's the point of that user
if it can't delete of stop a set process when required if some user orphans
something and can't get it back?
JM
----- Original Message -----
From: "shane milton" <shane.milton@...il.com>
To: "Lennart Hansen" <xenzeo@...dener.com>
Cc: <full-disclosure@...ts.netsys.com>
Sent: Thursday, December 30, 2004 8:45 AM
Subject: Re: [Full-Disclosure] /bin/rm file access vulnerability
> > However, it is possible for a person with admin rights (root) to
> > delete _any_ file
> > on the system regardless of who has created it and what it's permissions
are.
>
> ??? Maybe I'm confused. . . . .but I don't see the problem here.
>
> -Shane
>
>
>
> On Wed, 29 Dec 2004 20:18:25 -0500, Lennart Hansen <xenzeo@...dener.com>
wrote:
> > /bin/rm file access vulnerability
> >
> > Affected Products:
> > /bin/rm (all versions, tested on FreeBSD and linux)
> > (http://www.freebsd.org http://www.kernel.org)
> >
> > Author:
> > Xenzeo (Ablazed, Ultralaser, Lennart A. Hansen)
> > xenzeo at blackhat dot dk
> >
> > /bin/rm is a program that removes the named file arguments on unix
systems.
> > When /bin/rm is called it checks the file's permissions and the id of
the user
> > trying to remove the file. If the user does not have the required
permissions
> > to delete the file, /bin/rm will simply reject and exit.
> >
> > However, it is possible for a person with admin rights (root) to
> > delete _any_ file
> > on the system regardless of who has created it and what it's permissions
are.
> >
> > Proof of concepts:
> > $ touch /home/xenzeo/file
> > $ ls -l /home/xenzeo/file
> > -rw-r--r-- 1 xenzeo none 0 Dec 30 2004 /home/xenzeo/file
> > $ id
> > uid=1000(xenzeo) gid=513(none) groups=513(none),545(users)
> > $ su -c 'rm -f /home/xenzeo/file'
> > $ ls -l /home/xenzeo/file
> > ls: file: No such file or directory
> >
> > #!/usr/bin/perl
> > if ($#ARGV != 0) {
> > die "usage: rm-exploit.pl file\r\n";
> > } else {
> > $file = $ARGV[0];
> > print "*** CMD: [ /bin/rm -f $file ]\r\n";
> > print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
> > if ($> == 0) {
> > print "[-] EXECUTING CMD\r\n";
> > system("/bin/rm -f $file");
> > print "[-] DONE\r\n";
> > print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
> > exit();
> > } else {
> > print "[-] EXPLOIT FAILED\r\n";
> > print "[-] YOU ARE NOT ROOT\r\n";
> > print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
> > }
> > }
> >
> > Vender status:
> > Neither FreeBSD nor Linux developers have been contacted yet!
> >
> > -Xenzeo
> >
> > --
> > ___________________________________________________________
> > Sign-up for Ads Free at Mail.com
> > http://promo.mail.com/adsfreejump.htm
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists