From: jlongs2 at uic.edu (James Longstreet)
Subject: /bin/rm file access vulnerability

If I understood him correctly, he's poking fun at my classmate, Jonathan
Rockway, and the vulnerability he discovered in NASM.

In slashdot terms: It's funny.  Laugh.

On Thu, 30 Dec 2004, Jerry wrote:

> I have to agree with Shane on this.  The whole point of the admin a.k.a root
> user is to have full control over everything.  What's the point of that user
> if it can't delete or stop a set process when required if some user orphans
> something and can't get it back?
>
> JM
> ----- Original Message -----
> From: "shane milton" <shane.milton@...il.com>
> To: "Lennart Hansen" <xenzeo@...dener.com>
> Cc: <full-disclosure@...ts.netsys.com>
> Sent: Thursday, December 30, 2004 8:45 AM
> Subject: Re: [Full-Disclosure] /bin/rm file access vulnerability
>
>
> > > However, it is possible for a person with admin rights (root) to
> > > delete _any_ file
> > > on the system regardless of who has created it and what its permissions are.
> >
> > ???  Maybe I'm confused.  . . . .but I don't see the problem here.
> >
> > -Shane
> >
> >
> >
> > On Wed, 29 Dec 2004 20:18:25 -0500, Lennart Hansen <xenzeo@...dener.com> wrote:
> > > /bin/rm file access vulnerability
> > >
> > > Affected Products:
> > >          /bin/rm (all versions, tested on FreeBSD and linux)
> > >          (http://www.freebsd.org    http://www.kernel.org)
> > >
> > > Author:
> > >          Xenzeo (Ablazed, Ultralaser, Lennart A. Hansen)
> > >          xenzeo at blackhat dot dk
> > >
> > > > /bin/rm is a program that removes the named file arguments on unix systems.
> > > > When /bin/rm is called it checks the file's permissions and the id of the user
> > > > trying to remove the file. If the user does not have the required permissions
> > > > to delete the file, /bin/rm will simply reject and exit.
> > >
> > > > However, it is possible for a person with admin rights (root) to
> > > > delete _any_ file
> > > > on the system regardless of who has created it and what its permissions are.
> > >
> > > Proof of concepts:
> > > $ touch /home/xenzeo/file
> > > $ ls -l /home/xenzeo/file
> > > -rw-r--r--  1 xenzeo none 0 Dec 30  2004 /home/xenzeo/file
> > > $ id
> > > uid=1000(xenzeo) gid=513(none) groups=513(none),545(users)
> > > $ su -c 'rm -f /home/xenzeo/file'
> > > $ ls -l /home/xenzeo/file
> > > ls: file: No such file or directory
> > >
> > > #!/usr/bin/perl
> > > if ($#ARGV != 0) {
> > >         die "usage: rm-exploit.pl file\r\n";
> > > } else {
> > >     $file = $ARGV[0];
> > >     print "*** CMD: [ /bin/rm -f $file ]\r\n";
> > >     print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
> > >     if ($> == 0) {
> > >        print "[-] EXECUTING CMD\r\n";
> > >        system("/bin/rm -f $file");
> > >        print "[-] DONE\r\n";
> > >        print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
> > >        exit();
> > >     } else {
> > >        print "[-] EXPLOIT FAILED\r\n";
> > >        print "[-] YOU ARE NOT ROOT\r\n";
> > >        print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
> > >     }
> > > }
> > >
> > > > Vendor status:
> > >          Neither FreeBSD nor Linux developers have been contacted yet!
> > >
> > > -Xenzeo
> > >
> > > --
> > > ___________________________________________________________
> > > Sign-up for Ads Free at Mail.com
> > > http://promo.mail.com/adsfreejump.htm
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.netsys.com/full-disclosure-charter.html
> > >
