Vulnerability Development mailing list archives
[Vuln-dev Challenge]: Symlink Attack
From: Steven Hill <steve () covertsystems org>
Date: Sat, 24 May 2003 21:24:16 +1000 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
**********Vulndev2 Symlink Attack*************
vulndev2.c doesn't create files very securely, as a result it can be used
to read/write to files. In this example I'll demonstrate how to read in the
first user of a file like /etc/shadow in order to grab the password hash.
I am sure this brings warning lights to peoples heads, for the first user
listed in the /etc/shadow file, is generally the root user.
Compile the source as-is and install the binary in your path as SUID root.
Take a peek at the perms and make sure everything looks right.
nonpriv@box:~$ ls -al /usr/bin/vulndev2
- -rwsr-xr-x 1 root root 5086 May 24 03:33 /usr/bin/vulndev2
Unless you like tampering with your real /etc/shadow file you'll want to
create /etc/shadow.fake and give it 0600 perms. Put a fake user in your
shadow.fake file like so on the first line:
root:fake-pass:12002:0:99999:7:::
Take a peek at /etc/shadow.fake and make sure everything looks legit.
nonpriv@box:~$ ls -al /etc/shadow.fake
- -r-------- 1 root root 34 May 24 04:06 /etc/shadow.fake
Now as a regular user create a symbolic link from ./db.log to /etc/shadow.fake,
then simply run the SUID vulndev2 binary and the first line (or first 90
characters, whichever comes first) are read in and spit out.
nonpriv@box:~$ vulndev2 a b
root:fake-pass::12002:0:99999:7:::
Run JtR... bingo!
- -Moeser
- -SolarIce
Greetz: Signal Nine
Locky
- --
IV. TACTICAL DISPOSITIONS
11. What the ancients called a clever fighter is
one who not only wins, but excels in winning with ease.
Sun Tzu "The Art of War" 400-320 B.C.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
iD8DBQE+z1Zo+SI9HWArYE4RAvTEAJ9eWQKxbBexWxsQ42sKEyDp0FbMdwCgrxQm
e/Nznf/QUVFSLIWpCspSxSE=
=P898
-----END PGP SIGNATURE-----
Current thread:
- [Vuln-dev Challenge]: Symlink Attack Steven Hill (May 24)