[Full-Disclosure] /bin/rm file access vulnerability

bkfsec bkfsec at sdf.lonestar.org
Thu Dec 30 21:17:29 GMT 2004


Yeah, I think that someone mistook the new year for April 1st.

Seriously, we seem to be getting more crap like this.  Are people just 
bored? 

             -Barry



Jörg Eschke wrote:

>Sure, a user with admin rights is able to access/delete every local
>file, regardless of the specific file permissions.
>Your 'exploit' will work with e.g. /bin/cat as well.
>But I can't see a vulnerability anyway.
>
>Am I misunderstanding something?
>
>On Thu, 30.12.2004 at 2:18, Lennart Hansen wrote:
>  
>
>>/bin/rm file access vulnerability
>>
>>Affected Products:
>>         /bin/rm (all versions, tested on FreeBSD and Linux)
>>         (http://www.freebsd.org    http://www.kernel.org)
>>
>>Author:
>>         Xenzeo (Ablazed, Ultralaser, Lennart A. Hansen)
>>         xenzeo at blackhat dot dk
>>
>>
>>/bin/rm is a program that removes the named file arguments on unix systems.
>>When /bin/rm is called it checks the file's permissions and the id of the user
>>trying to remove the file. If the user does not have the required permissions
>>to delete the file, /bin/rm will simply reject and exit.
>>
>>However, it is possible for a person with admin rights (root) to
>>delete _any_ file on the system regardless of who has created it
>>and what its permissions are.
>>
>>Proof of concept:
>>$ touch /home/xenzeo/file
>>$ ls -l /home/xenzeo/file
>>-rw-r--r--  1 xenzeo none 0 Dec 30  2004 /home/xenzeo/file
>>$ id
>>uid=1000(xenzeo) gid=513(none) groups=513(none),545(users)
>>$ su -c 'rm -f /home/xenzeo/file'
>>$ ls -l /home/xenzeo/file
>>ls: file: No such file or directory
>>
>>#!/usr/bin/perl
>>if ($#ARGV != 0) {
>>	die "usage: rm-exploit.pl file\r\n";
>>} else {
>>    $file = $ARGV[0];
>>    print "*** CMD: [ /bin/rm -f $file ]\r\n";
>>    print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
>>    if ($> == 0) {
>>       print "[-] EXECUTING CMD\r\n";
>>       system("/bin/rm -f $file");
>>       print "[-] DONE\r\n";
>>       print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
>>       exit();
>>    } else {
>>       print "[-] EXPLOIT FAILED\r\n";
>>       print "[-] YOU ARE NOT ROOT\r\n";
>>       print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
>>    }
>>}
>>
>>Vendor status:
>>         Neither FreeBSD nor Linux developers have been contacted yet!
>>
>>-Xenzeo
>>    
>>
>




Full-Disclosure is hosted and sponsored by Secunia.