Message-ID: <Pine.A41.4.58.0412301738500.351644@tigger.cc.uic.edu>
From: jlongs2 at uic.edu (James Longstreet)
Subject: /bin/rm file access vulnerability
If I understood him correctly, he's poking fun at my classmate, Jonathan
Rockway, and the vulnerability he discovered in NASM.
In slashdot terms: It's funny. Laugh.
On Thu, 30 Dec 2004, Jerry wrote:
> I have to agree with Shane on this. The whole point of the admin a.k.a root
> user is to have full control over everything. What's the point of that user
> if it can't delete or stop a set process when required if some user orphans
> something and can't get it back?
>
> JM
> ----- Original Message -----
> From: "shane milton" <shane.milton@...il.com>
> To: "Lennart Hansen" <xenzeo@...dener.com>
> Cc: <full-disclosure@...ts.netsys.com>
> Sent: Thursday, December 30, 2004 8:45 AM
> Subject: Re: [Full-Disclosure] /bin/rm file access vulnerability
>
>
> > > > However, it is possible for a person with admin rights (root) to
> > > > delete _any_ file
> > > > on the system regardless of who has created it and what its permissions are.
> >
> > ??? Maybe I'm confused. . . . .but I don't see the problem here.
> >
> > -Shane
> >
> >
> >
> > On Wed, 29 Dec 2004 20:18:25 -0500, Lennart Hansen <xenzeo@...dener.com> wrote:
> > > /bin/rm file access vulnerability
> > >
> > > Affected Products:
> > > /bin/rm (all versions, tested on FreeBSD and linux)
> > > (http://www.freebsd.org http://www.kernel.org)
> > >
> > > Author:
> > > Xenzeo (Ablazed, Ultralaser, Lennart A. Hansen)
> > > xenzeo at blackhat dot dk
> > >
> > > /bin/rm is a program that removes the named file arguments on unix systems.
> > > When /bin/rm is called it checks the file's permissions and the id of the user
> > > trying to remove the file. If the user does not have the required permissions
> > > to delete the file, /bin/rm will simply reject and exit.
> > >
> > > However, it is possible for a person with admin rights (root) to
> > > delete _any_ file
> > > on the system regardless of who has created it and what its permissions are.
> > >
> > > Proof of concepts:
> > > $ touch /home/xenzeo/file
> > > $ ls -l /home/xenzeo/file
> > > -rw-r--r-- 1 xenzeo none 0 Dec 30 2004 /home/xenzeo/file
> > > $ id
> > > uid=1000(xenzeo) gid=513(none) groups=513(none),545(users)
> > > $ su -c 'rm -f /home/xenzeo/file'
> > > $ ls -l /home/xenzeo/file
> > > ls: file: No such file or directory
> > >
> > > #!/usr/bin/perl
> > > if ($#ARGV != 0) {
> > >     die "usage: rm-exploit.pl file\r\n";
> > > } else {
> > >     $file = $ARGV[0];
> > >     print "*** CMD: [ /bin/rm -f $file ]\r\n";
> > >     print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
> > >     if ($> == 0) {
> > >         print "[-] EXECUTING CMD\r\n";
> > >         system("/bin/rm -f $file");
> > >         print "[-] DONE\r\n";
> > >         print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
> > >         exit();
> > >     } else {
> > >         print "[-] EXPLOIT FAILED\r\n";
> > >         print "[-] YOU ARE NOT ROOT\r\n";
> > >         print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
> > >     }
> > > }
> > >
> > > Vendor status:
> > > Neither FreeBSD nor Linux developers have been contacted yet!
> > >
> > > -Xenzeo
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.netsys.com/full-disclosure-charter.html