Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-Disclosure] /bin/rm file access vulnerability

from [James Longstreet] Network Security [Permanent Link]
Subject: Re: [Full-Disclosure] /bin/rm file access vulnerability
Date: Thu, 30 Dec 2004 17:40:23 -0600 (CST) 
If I understood him correctly, he's poking fun at my classmate, Jonathan
Rockway, and the vulnerability he discovered in NASM.

In slashdot terms: It's funny.  Laugh.

On Thu, 30 Dec 2004, Jerry wrote:


I have to agree with Shane on this.  The whole point of the admin a.k.a root
user is to have full control over everything.  What's the point of that user
if it can't delete of stop a set process when required if some user orphans
something and can't get it back?

JM
----- Original Message -----
From: "shane milton" <shane.milton@gmail.com>
To: "Lennart Hansen" <xenzeo@gardener.com>
Cc: <full-disclosure@lists.netsys.com>
Sent: Thursday, December 30, 2004 8:45 AM
Subject: Re: [Full-Disclosure] /bin/rm file access vulnerability



However, it is possible for a person with admin rights (root) to
delete _any_ file
on the system regardless of who has created it and what it's permissions

are.


???  Maybe I'm confused.  . . . .but I don't see the problem here.

-Shane



On Wed, 29 Dec 2004 20:18:25 -0500, Lennart Hansen <xenzeo@gardener.com>

wrote:

/bin/rm file access vulnerability

Affected Products:
         /bin/rm (all versions, tested on FreeBSD and linux)
         (http://www.freebsd.org    http://www.kernel.org)

Author:
         Xenzeo (Ablazed, Ultralaser, Lennart A. Hansen)
         xenzeo at blackhat dot dk

/bin/rm is a program that removes the named file arguments on unix

systems.

When /bin/rm is called it checks the file's permissions and the id of

the user

trying to remove the file. If the user does not have the required

permissions

to delete the file, /bin/rm will simply reject and exit.

However, it is possible for a person with admin rights (root) to
delete _any_ file
on the system regardless of who has created it and what it's permissions

are.


Proof of concepts:
$ touch /home/xenzeo/file
$ ls -l /home/xenzeo/file
-rw-r--r--  1 xenzeo none 0 Dec 30  2004 /home/xenzeo/file
$ id
uid=1000(xenzeo) gid=513(none) groups=513(none),545(users)
$ su -c 'rm -f /home/xenzeo/file'
$ ls -l /home/xenzeo/file
ls: file: No such file or directory

#!/usr/bin/perl
if ($#ARGV != 0) {
        die "usage: rm-exploit.pl file\r\n";
} else {
    $file = $ARGV[0];
    print "*** CMD: [ /bin/rm -f $file ]\r\n";
    print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
    if ($> == 0) {
       print "[-] EXECUTING CMD\r\n";
       system("/bin/rm -f $file");
       print "[-] DONE\r\n";
       print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
       exit();
    } else {
       print "[-] EXPLOIT FAILED\r\n";
       print "[-] YOU ARE NOT ROOT\r\n";
       print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
    }
}

Vender status:
         Neither FreeBSD nor Linux developers have been contacted yet!

-Xenzeo

--
___________________________________________________________
Sign-up for Ads Free at Mail.com
http://promo.mail.com/adsfreejump.htm

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: [Full-Disclosure] Multiple Backdoors found in eEye Products (IRISand SecureIIS), Shunryu Suzuki
Next by Date:  Re: [Full-Disclosure] /bin/rm file access vulnerability, bkfsec
Previous by Thread:  Re: [Full-Disclosure] /bin/rm file access vulnerability, shane milton
Next by Thread:  Re: [Full-Disclosure] /bin/rm file access vulnerability, bkfsec
Indexes:  [Date] [Thread] [Top] [All Lists]