Full Disclosure mailing list archives
Re: /bin/rm file access vulnerability
From: James Longstreet <jlongs2 () uic edu>
Date: Thu, 30 Dec 2004 17:40:23 -0600 (CST)
If I understood him correctly, he's poking fun at my classmate, Jonathan Rockway, and the vulnerability he discovered in NASM. In slashdot terms: It's funny. Laugh. On Thu, 30 Dec 2004, Jerry wrote:
I have to agree with Shane on this. The whole point of the admin a.k.a root user is to have full control over everything. What's the point of that user if it can't delete of stop a set process when required if some user orphans something and can't get it back? JM ----- Original Message ----- From: "shane milton" <shane.milton () gmail com> To: "Lennart Hansen" <xenzeo () gardener com> Cc: <full-disclosure () lists netsys com> Sent: Thursday, December 30, 2004 8:45 AM Subject: Re: [Full-disclosure] /bin/rm file access vulnerabilityHowever, it is possible for a person with admin rights (root) to delete _any_ file on the system regardless of who has created it and what it's permissionsare.??? Maybe I'm confused. . . . .but I don't see the problem here. -Shane On Wed, 29 Dec 2004 20:18:25 -0500, Lennart Hansen <xenzeo () gardener com>wrote:/bin/rm file access vulnerability Affected Products: /bin/rm (all versions, tested on FreeBSD and linux) (http://www.freebsd.org http://www.kernel.org) Author: Xenzeo (Ablazed, Ultralaser, Lennart A. Hansen) xenzeo at blackhat dot dk /bin/rm is a program that removes the named file arguments on unixsystems.When /bin/rm is called it checks the file's permissions and the id ofthe usertrying to remove the file. If the user does not have the requiredpermissionsto delete the file, /bin/rm will simply reject and exit. However, it is possible for a person with admin rights (root) to delete _any_ file on the system regardless of who has created it and what it's permissionsare.Proof of concepts: $ touch /home/xenzeo/file $ ls -l /home/xenzeo/file -rw-r--r-- 1 xenzeo none 0 Dec 30 2004 /home/xenzeo/file $ id uid=1000(xenzeo) gid=513(none) groups=513(none),545(users) $ su -c 'rm -f /home/xenzeo/file' $ ls -l /home/xenzeo/file ls: file: No such file or directory #!/usr/bin/perl if ($#ARGV != 0) { die "usage: rm-exploit.pl file\r\n"; } else { $file = $ARGV[0]; print "*** CMD: [ /bin/rm -f $file ]\r\n"; print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n"; if ($> == 0) { print "[-] EXECUTING CMD\r\n"; system("/bin/rm -f $file"); print "[-] DONE\r\n"; print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n"; exit(); } else { print "[-] EXPLOIT FAILED\r\n"; print "[-] YOU ARE NOT ROOT\r\n"; print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n"; } } Vender status: Neither FreeBSD nor Linux developers have been contacted yet! -Xenzeo -- ___________________________________________________________ Sign-up for Ads Free at Mail.com http://promo.mail.com/adsfreejump.htm _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: /bin/rm file access vulnerability bkfsec (Dec 31)
- Re: /bin/rm file access vulnerability J.A. Terranson (Jan 06)
- Re: /bin/rm file access vulnerability bkfsec (Jan 06)
- <Possible follow-ups>
- Re: /bin/rm file access vulnerability Sean Harlow (Dec 31)
- Re: /bin/rm file access vulnerability vh (Jan 06)
- Re: /bin/rm file access vulnerability Jeffrey Denton (Dec 31)
- Re: /bin/rm file access vulnerability Frank Knobbe (Jan 02)
- Re: /bin/rm file access vulnerability vh (Jan 06)
- Re: /bin/rm file access vulnerability J.A. Terranson (Jan 06)
- Re: /bin/rm file access vulnerability Jerry (Jan 03)
- Re: /bin/rm file access vulnerability James Longstreet (Jan 01)
- Re: /bin/rm file access vulnerability Valdis . Kletnieks (Jan 04)
- Re: /bin/rm file access vulnerability Alex V. Lukyanenko (Jan 03)