Re: [Full-Disclosure] /bin/rm file access vulnerability

From: James Longstreet (jlongs2_at_uic.edu)
Date: 12/31/04

  • Next message: Daniel H. Renner: "Re: [Full-Disclosure] Multiple Backdoors found in eEye Products (IRIS and SecureIIS)" 
    Date: Thu, 30 Dec 2004 17:40:23 -0600 (CST)
To: Jerry <j.mosher@sympatico.ca>

    If I understood him correctly, he's poking fun at my classmate, Jonathan
    Rockway, and the vulnerability he discovered in NASM.

    In slashdot terms: It's funny. Laugh.

    On Thu, 30 Dec 2004, Jerry wrote:

    > I have to agree with Shane on this. The whole point of the admin a.k.a root
    > user is to have full control over everything. What's the point of that user
    > if it can't delete of stop a set process when required if some user orphans
    > something and can't get it back?
    >
    > JM
    > ----- Original Message -----
    > From: "shane milton" <shane.milton@gmail.com>
    > To: "Lennart Hansen" <xenzeo@gardener.com>
    > Cc: <full-disclosure@lists.netsys.com>
    > Sent: Thursday, December 30, 2004 8:45 AM
    > Subject: Re: [Full-Disclosure] /bin/rm file access vulnerability
    >
    >
    > > > However, it is possible for a person with admin rights (root) to
    > > > delete _any_ file
    > > > on the system regardless of who has created it and what it's permissions
    > are.
    > >
    > > ??? Maybe I'm confused. . . . .but I don't see the problem here.
    > >
    > > -Shane
    > >
    > >
    > >
    > > On Wed, 29 Dec 2004 20:18:25 -0500, Lennart Hansen <xenzeo@gardener.com>
    > wrote:
    > > > /bin/rm file access vulnerability
    > > >
    > > > Affected Products:
    > > > /bin/rm (all versions, tested on FreeBSD and linux)
    > > > (http://www.freebsd.org http://www.kernel.org)
    > > >
    > > > Author:
    > > > Xenzeo (Ablazed, Ultralaser, Lennart A. Hansen)
    > > > xenzeo at blackhat dot dk
    > > >
    > > > /bin/rm is a program that removes the named file arguments on unix
    > systems.
    > > > When /bin/rm is called it checks the file's permissions and the id of
    > the user
    > > > trying to remove the file. If the user does not have the required
    > permissions
    > > > to delete the file, /bin/rm will simply reject and exit.
    > > >
    > > > However, it is possible for a person with admin rights (root) to
    > > > delete _any_ file
    > > > on the system regardless of who has created it and what it's permissions
    > are.
    > > >
    > > > Proof of concepts:
    > > > $ touch /home/xenzeo/file
    > > > $ ls -l /home/xenzeo/file
    > > > -rw-r--r-- 1 xenzeo none 0 Dec 30 2004 /home/xenzeo/file
    > > > $ id
    > > > uid=1000(xenzeo) gid=513(none) groups=513(none),545(users)
    > > > $ su -c 'rm -f /home/xenzeo/file'
    > > > $ ls -l /home/xenzeo/file
    > > > ls: file: No such file or directory
    > > >
    > > > #!/usr/bin/perl
    > > > if ($#ARGV != 0) {
    > > > die "usage: rm-exploit.pl file\r\n";
    > > > } else {
    > > > $file = $ARGV[0];
    > > > print "*** CMD: [ /bin/rm -f $file ]\r\n";
    > > > print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
    > > > if ($> == 0) {
    > > > print "[-] EXECUTING CMD\r\n";
    > > > system("/bin/rm -f $file");
    > > > print "[-] DONE\r\n";
    > > > print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
    > > > exit();
    > > > } else {
    > > > print "[-] EXPLOIT FAILED\r\n";
    > > > print "[-] YOU ARE NOT ROOT\r\n";
    > > > print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
    > > > }
    > > > }
    > > >
    > > > Vender status:
    > > > Neither FreeBSD nor Linux developers have been contacted yet!
    > > >
    > > > -Xenzeo
    > > >
    > > > --
    > > > ___________________________________________________________
    > > > Sign-up for Ads Free at Mail.com
    > > > http://promo.mail.com/adsfreejump.htm
    > > >
    > > > _______________________________________________
    > > > Full-Disclosure - We believe in it.
    > > > Charter: http://lists.netsys.com/full-disclosure-charter.html
    > > >
    > > _______________________________________________
    > > Full-Disclosure - We believe in it.
    > > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: Daniel H. Renner: "Re: [Full-Disclosure] Multiple Backdoors found in eEye Products (IRIS and SecureIIS)"

    Relevant Pages

    • Bernard Mannings auto-obituary
      ... About as funny as a funeral... ... The one bad thing about dying quietly in Manchester is that I cannot ... there's not a laugh to be had anywhere). ... a smile, after a Royal Command Performance, how much she liked my act. ...
      (uk.media.tv.misc)
    • Re: What Beatles song would you choose to be the national anthem for Iran?
      ... It reeks of agenda. ... Regarding the two videos in the Obama-san thread... ... The first is funny because it is using asian sterotypes. ... I LIKE to laugh, I LIKE some childish humor sometimes. ...
      (rec.music.beatles)
    • Re: The "LOT" in "It Takes A Lot To Laugh, It Takes A Train To cry"
      ... land, a plot of land, an acre or a hectare that makes them laugh? ... Deal To Laugh, but that wouldn't have been as funny. ... Maybe it was the wines: ...
      (rec.music.dylan)
    • Re: OT ~ Please dont ever be this dumb...
      ... I turn to the funny pages for wisdom and the editorial ... David, Bueller? ... It's never tried to be topical or laugh out ...
      (rec.arts.tv.soaps.cbs)
    • Re: "As God is my witness"
      ... We laugh precisely because it's not good territory. ... I think the movie scene I find the funniest is in Woody Allen's "Bananas" ... It's funny because I know it's not real. ... could be so stupid as to think a turkey drop would work, ...
      (rec.arts.tv)