security bug in busybox chown -R
Natanael Copa
natanael.copa at gmail.com
Fri Aug 18 13:58:29 UTC 2006
I have discovered a bug in the chown applet.
The chown -R follows links.
To reproduce/exploit, do this from your non-root account:
ln -s /etc/shadow $HOME/myfile
Then call sysadmin and say:
"Hey.. There are some files owned by root in my home. I can't delete
them. Could you please reset ownership?"
The overworked sysadmin replies: "sure no problems..." while he runs:
chown -R ncopa /home/ncopa
At the same time he presses enter he replies: "Now it should be ok".
You take a look at
ls -l /etc/shadow
and say: "Yes, it works now. Thanks!"
--
Natanael Copa
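
Added example (not part of the original message and not BusyBox code): a pre-flight check an administrator could run before a recursive chown on a user-writable tree, listing symlinks that resolve outside the tree. The function names are hypothetical, and it assumes a readlink that supports -f and a chown that supports -P and -h.

```shell
#!/bin/sh
# Added example: audit a tree for symlinks that point outside it before
# running a recursive chown on it. Function names are hypothetical.

# Print "link -> target" for every symlink under DIR ($1) whose resolved
# target lies outside DIR or cannot be resolved.
# Returns 0 if none were found, 1 if any were found, 2 if DIR is unusable.
symlinks_escaping_tree() {
    _root=$(cd "$1" && pwd -P) || return 2
    _found=$(find "$_root" -type l -exec sh -c '
        root=$1; shift
        for link do
            target=$(readlink -f "$link" 2>/dev/null)
            case "$target" in
                "$root"|"$root"/*) ;;   # resolves inside the tree
                *) printf "%s -> %s\n" "$link" "${target:-<unresolvable>}" ;;
            esac
        done' sh "$_root" {} +)
    [ -z "$_found" ] && return 0
    printf '%s\n' "$_found"
    return 1
}

# usage: chown_tree_checked OWNER DIR
# Refuses to run while the audit reports links leaving the tree. The audit
# alone is racy (a link can be created after it runs), so the chown itself
# is told not to traverse symlinks (-P) and to change a link's own
# ownership rather than its target's (-h).
chown_tree_checked() {
    if ! symlinks_escaping_tree "$2" >&2; then
        echo "refusing to chown $2: review the symlinks listed above" >&2
        return 1
    fi
    chown -R -P -h -- "$1" "$2"
}
```

The audit is only a report for the administrator; the -P and -h options on the chown call are what keep ownership changes inside the tree.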