Message-ID: <41D47069.9060205@sdf.lonestar.org>
From: bkfsec at sdf.lonestar.org (bkfsec)
Subject: /bin/rm file access vulnerability

Yeah, I think that someone mistook the new year for April 1st.

Seriously, we seem to be getting more crap like this.  Are people just 
bored? 

             -Barry



J?rg Eschke wrote:

>Sure, a user with admin rights is able to access/delete every local
>file, regardless of the specific file permissions.
>Your 'exploit' will work with e.g. /bin/cat as well.
>But I can't see a vulnerability anyway.
>
>Am I misunderstanding something?
>
>On Thu, 30.12.2004, Lennart Hansen wrote at 2:18:
>  
>
>>/bin/rm file access vulnerability
>>
>>Affected Products:
>>         /bin/rm (all versions, tested on FreeBSD and linux)
>>         (http://www.freebsd.org    http://www.kernel.org)
>>
>>Author:
>>         Xenzeo (Ablazed, Ultralaser, Lennart A. Hansen)
>>         xenzeo at blackhat dot dk
>>
>>
>>/bin/rm is a program that removes the named file arguments on unix systems.
>>When /bin/rm is called it checks the file's permissions and the id of the user
>>trying to remove the file. If the user does not have the required permissions
>>to delete the file, /bin/rm will simply reject and exit.
>>
>>However, it is possible for a person with admin rights (root) to delete _any_ file
>>on the system regardless of who has created it and what its permissions are.
>>
>>Proof of concepts:
>>$ touch /home/xenzeo/file
>>$ ls -l /home/xenzeo/file
>>-rw-r--r--  1 xenzeo none 0 Dec 30  2004 /home/xenzeo/file
>>$ id
>>uid=1000(xenzeo) gid=513(none) groups=513(none),545(users)
>>$ su -c 'rm -f /home/xenzeo/file'
>>$ ls -l /home/xenzeo/file
>>ls: file: No such file or directory
>>
>>#!/usr/bin/perl
>>if ($#ARGV != 0) {
>>	die "usage: rm-exploit.pl file\r\n";
>>} else {
>>    $file = $ARGV[0];
>>    print "*** CMD: [ /bin/rm -f $file ]\r\n";
>>    print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
>>    if ($> == 0) {
>>       print "[-] EXECUTING CMD\r\n";
>>       system("/bin/rm -f $file");
>>       print "[-] DONE\r\n";
>>       print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
>>       exit();
>>    } else {
>>       print "[-] EXPLOIT FAILED\r\n";
>>       print "[-] YOU ARE NOT ROOT\r\n";
>>       print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
>>    }
>>}
>>
>>Vendor status:
>>         Neither FreeBSD nor Linux developers have been contacted yet!
>>
>>-Xenzeo

