-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

**********Vulndev2 Symlink Attack*************

vulndev2.c doesn't create files very securely, as a result it can be used to read/write to files. In this example I'll demonstrate how to read in the first user of a file like /etc/shadow in order to grab the password hash. I am sure this brings warning lights to people's heads, for the first user listed in the /etc/shadow file is generally the root user.

Compile the source as-is and install the binary in your path as SUID root. Take a peek at the perms and make sure everything looks right.

nonpriv@box:~$ ls -al /usr/bin/vulndev2
- -rwsr-xr-x 1 root root 5086 May 24 03:33 /usr/bin/vulndev2

Unless you like tampering with your real /etc/shadow file you'll want to create /etc/shadow.fake and give it 0600 perms. Put a fake user in your shadow.fake file like so on the first line:

root:fake-pass:12002:0:99999:7:::

Take a peek at /etc/shadow.fake and make sure everything looks legit.

nonpriv@box:~$ ls -al /etc/shadow.fake
- -r-------- 1 root root 34 May 24 04:06 /etc/shadow.fake

Now as a regular user create a symbolic link from ./db.log to /etc/shadow.fake, then simply run the SUID vulndev2 binary and the first line (or first 90 characters, whichever comes first) is read in and spit out.

nonpriv@box:~$ vulndev2 a b
root:fake-pass::12002:0:99999:7:::

Run JtR... bingo!

- -Moeser
- -SolarIce

Greetz: Signal Nine Locky

- --
IV. TACTICAL DISPOSITIONS
11. What the ancients called a clever fighter is one who not only wins, but excels in winning with ease.
Sun Tzu "The Art of War" 400-320 B.C.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE+z1Zo+SI9HWArYE4RAvTEAJ9eWQKxbBexWxsQ42sKEyDp0FbMdwCgrxQm
e/Nznf/QUVFSLIWpCspSxSE=
=P898
-----END PGP SIGNATURE-----
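Editor's note: the root cause described in the post is a privileged program opening a file in a user-controlled directory with an open call that follows symbolic links. The C below is an added example, not vulndev2.c or any code from the poster; the function names open_log_safely, first_line and run_demo are hypothetical. It shows the hardened open a SUID program should use (O_NOFOLLOW, then fstat checks that the descriptor is a regular, singly-linked file owned by the real uid) beside the naive open, and demonstrates in a scratch directory under /tmp, with a constructed stand-in for shadow.fake, that the naive open reads through a ./db.log symlink while the hardened one refuses it with ELOOP and still accepts a genuine regular file. Nothing under /etc is touched.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical hardened replacement for the log-file open a SUID program
 * performs in the current directory. Refuses to follow a symlink (O_NOFOLLOW),
 * refuses anything that is not a plain regular file with one link, and refuses
 * a file not owned by the caller's real (unprivileged) uid.
 * Returns an open descriptor, or -1 with errno set. */
int open_log_safely(const char *path)
{
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;                 /* errno == ELOOP means "that was a symlink" */

    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != getuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Read the first line of an open descriptor into buf, mirroring the bounded
 * first-line read the post describes. Returns its length, or -1 on error. */
static ssize_t first_line(int fd, char *buf, size_t len)
{
    ssize_t n = read(fd, buf, len - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    char *nl = strchr(buf, '\n');
    if (nl)
        *nl = '\0';
    return (ssize_t)strlen(buf);
}

/* Constructed demonstration: a scratch directory holding a "secret" file and a
 * ./db.log symlink pointing at it. Returns 1 when the naive open follows the
 * link and reads the secret, the hardened open refuses the link with ELOOP,
 * and the hardened open accepts an honest regular file; 0 otherwise. */
int run_demo(void)
{
    char dir[] = "/tmp/symlinkdemo.XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 0;

    char secret[256], link[256], plain[256], line[91];
    snprintf(secret, sizeof secret, "%s/secret", dir);
    snprintf(link,   sizeof link,   "%s/db.log", dir);
    snprintf(plain,  sizeof plain,  "%s/plain.log", dir);

    /* Constructed stand-in for shadow.fake: one line, as in the post. */
    static const char fake[] = "root:fake-pass:12002:0:99999:7:::\n";
    int sfd = open(secret, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (sfd < 0) {
        rmdir(dir);
        return 0;
    }
    (void)write(sfd, fake, sizeof fake - 1);
    close(sfd);

    int ok = 0;
    if (symlink(secret, link) == 0) {
        /* Naive open, as an insecurely written program would do: follows the link. */
        int naive = open(link, O_RDWR | O_CREAT, 0600);
        int leaked = naive >= 0 && first_line(naive, line, sizeof line) > 0 &&
                     strcmp(line, "root:fake-pass:12002:0:99999:7:::") == 0;
        if (naive >= 0)
            close(naive);

        /* Hardened open: the symlink is refused outright. */
        int hard = open_log_safely(link);
        int refused = (hard < 0 && errno == ELOOP);
        if (hard >= 0)
            close(hard);

        /* Hardened open still works for a genuine regular file. */
        int pfd = open_log_safely(plain);
        int accepted = (pfd >= 0);
        if (pfd >= 0)
            close(pfd);

        ok = leaked && refused && accepted;
        unlink(link);
        unlink(plain);
    }
    unlink(secret);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("hardened open blocks the symlink: %s\n", run_demo() ? "yes" : "no");
    return 0;
}
```

The fstat checks matter as much as O_NOFOLLOW: a hard link planted in the directory is not a symlink and passes O_NOFOLLOW, which is why the descriptor is also required to have a single link and to be owned by the real uid. A SUID program that must write into a user's directory is better off dropping to that user's privileges before the open, so the kernel's own permission checks do the work; the checks here are the fallback when that is not possible.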
This archive was generated by hypermail 2b30 : Sat May 24 2003 - 10:41:17 PDT