Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: /bin/rm file access vulnerability

From: James Longstreet <jlongs2 () uic edu>
Date: Thu, 30 Dec 2004 17:40:23 -0600 (CST)
If I understood him correctly, he's poking fun at my classmate, Jonathan
Rockway, and the vulnerability he discovered in NASM.

In slashdot terms: It's funny.  Laugh.

On Thu, 30 Dec 2004, Jerry wrote:


I have to agree with Shane on this.  The whole point of the admin a.k.a root
user is to have full control over everything.  What's the point of that user
if it can't delete of stop a set process when required if some user orphans
something and can't get it back?

JM
----- Original Message -----
From: "shane milton" <shane.milton () gmail com>
To: "Lennart Hansen" <xenzeo () gardener com>
Cc: <full-disclosure () lists netsys com>
Sent: Thursday, December 30, 2004 8:45 AM
Subject: Re: [Full-disclosure] /bin/rm file access vulnerability



However, it is possible for a person with admin rights (root) to
delete _any_ file
on the system regardless of who has created it and what it's permissions

are.


???  Maybe I'm confused.  . . . .but I don't see the problem here.

-Shane



On Wed, 29 Dec 2004 20:18:25 -0500, Lennart Hansen <xenzeo () gardener com>

wrote:

/bin/rm file access vulnerability

Affected Products:
         /bin/rm (all versions, tested on FreeBSD and linux)
         (http://www.freebsd.org    http://www.kernel.org)

Author:
         Xenzeo (Ablazed, Ultralaser, Lennart A. Hansen)
         xenzeo at blackhat dot dk

/bin/rm is a program that removes the named file arguments on unix

systems.

When /bin/rm is called it checks the file's permissions and the id of

the user

trying to remove the file. If the user does not have the required

permissions

to delete the file, /bin/rm will simply reject and exit.

However, it is possible for a person with admin rights (root) to
delete _any_ file
on the system regardless of who has created it and what it's permissions

are.


Proof of concepts:
$ touch /home/xenzeo/file
$ ls -l /home/xenzeo/file
-rw-r--r--  1 xenzeo none 0 Dec 30  2004 /home/xenzeo/file
$ id
uid=1000(xenzeo) gid=513(none) groups=513(none),545(users)
$ su -c 'rm -f /home/xenzeo/file'
$ ls -l /home/xenzeo/file
ls: file: No such file or directory

#!/usr/bin/perl
if ($#ARGV != 0) {
        die "usage: rm-exploit.pl file\r\n";
} else {
    $file = $ARGV[0];
    print "*** CMD: [ /bin/rm -f $file ]\r\n";
    print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
    if ($> == 0) {
       print "[-] EXECUTING CMD\r\n";
       system("/bin/rm -f $file");
       print "[-] DONE\r\n";
       print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
       exit();
    } else {
       print "[-] EXPLOIT FAILED\r\n";
       print "[-] YOU ARE NOT ROOT\r\n";
       print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
    }
}

Vender status:
         Neither FreeBSD nor Linux developers have been contacted yet!

-Xenzeo

--
___________________________________________________________
Sign-up for Ads Free at Mail.com
http://promo.mail.com/adsfreejump.htm

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: