Re: [Vuln-dev Challenge] Challenge #2

>
> /* read log */

...and if db.log is perhaps a symlink to /etc/shadow?

I assumed the program would be chown'd to root, and set 4755. If this is an invalid assumption, well, no point in reading any further.

I compiled the program, stopped it after it writing the input log, made a symlink, and resumed running the program, with lovely results:

[tcannon@needle]$ rm db.log
[tcannon@needle]$ ln -s /etc/shadow db.log
[tcannon@needle]$ fg

I like race conditions. No point in wasting your CPU -- that shadowed password did get modified before I sent it to the list :-)

Cheers,

--tcannon

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

PS: Nice strcpy Received on Sat May 24 13:42:52 2003