I'm looking for a vulnerability on a server. I'm looking in the /var
directory and I get something like this:
drwxr-xr-x 3 root root 4.0K Aug 14 21:02 kerberos
drwxr-xr-x 12 root root 4.0K Nov 11 05:04 lib
drwxr-xr-x 2 root root 4.0K Jun 10 2014 local
lrwxrwxrwx 1 root root 11 Aug 14 21:00 lock -> ../run/lock <-- CHECK THIS
drwxr-xr-x 3 root root 4.0K Aug 14 21:05 log
lrwxrwxrwx 1 root root 10 Aug 14 21:00 mail -> spool/mail
drwxr-xr-x 2 root root 4.0K Jun 10 2014 nis
drwxr-xr-x 2 root root 4.0K Jun 10 2014 opt
drwxr-xr-x 2 root root 4.0K Jun 10 2014 preserve
lrwxrwxrwx 1 root root 6 Aug 14 21:00 run -> ../run
drwxr-xr-x 4 root root 4.0K Aug 14 21:00 spool
If I look at the permissions of the lock "file", I see that the permissions for others are rwx. I suppose it is therefore possible for another user who is not the owner (root in this case) to read, execute and write this "file", so I check what kind of file lock is:
file lock
lock: broken symbolic link to `../run/lock'
stat lock
File: ‘lock’ -> ‘../run/lock’
Size: 11 Blocks: 0 IO Block: 4096 symbolic link
Device: fb01h/64257d Inode: 6424574 Links: 1
Access: (0777/lrwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2015-11-14 00:18:52.218518690 +0000
Modify: 2015-08-14 21:00:52.000000000 +0000
Change: 2015-11-11 04:56:35.543404826 +0000
Birth: -
According to this information, is it possible to get root, use this permission to access other information or execute commands?
For instance I tried:
echo "ls /etc" >> lock
But I get Permission denied.
Some questions:
Is my interpretation about the lock permissions correct?
Can I do something to get an advantage with this broken symlink?
What kind of questions must be asked about this broken symlink?