
[Vuln-dev Challenge]: Symlink Attack

From: Steven Hill <steve(at)covertsystems.org>
Date: Sat May 24 2003 - 07:24:16 EDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

**********Vulndev2 Symlink Attack*************

vulndev2.c doesn't create files very securely; as a result it can be used to read/write to files. In this example I'll demonstrate how to read in the first user of a file like /etc/shadow in order to grab the password hash.

I am sure this brings warning lights to people's heads, for the first user listed in the /etc/shadow file is generally the root user.

Compile the source as-is and install the binary in your path as SUID root. Take a peek at the perms and make sure everything looks right.

nonpriv@box:~$ ls -al /usr/bin/vulndev2
-rwsr-xr-x 1 root root 5086 May 24 03:33 /usr/bin/vulndev2

Unless you like tampering with your real /etc/shadow file you'll want to create /etc/shadow.fake and give it 0600 perms. Put a fake user in your shadow.fake file like so on the first line:

root:fake-pass:12002:0:99999:7:::


Take a peek at /etc/shadow.fake and make sure everything looks legit.

nonpriv@box:~$ ls -al /etc/shadow.fake
-r-------- 1 root root 34 May 24 04:06 /etc/shadow.fake

Now as a regular user create a symbolic link from ./db.log to /etc/shadow.fake, then simply run the SUID vulndev2 binary and the first line (or first 90 characters, whichever comes first) is read in and spit out.

nonpriv@box:~$ vulndev2 a b
root:fake-pass::12002:0:99999:7:::

Run JtR... bingo!

-Moeser
-SolarIce

Greetz: Signal Nine

        Locky

--

IV. TACTICAL DISPOSITIONS

  1. What the ancients called a clever fighter is one who not only wins, but excels in winning with ease.

Sun Tzu "The Art of War" 400-320 B.C.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE+z1Zo+SI9HWArYE4RAvTEAJ9eWQKxbBexWxsQ42sKEyDp0FbMdwCgrxQm e/Nznf/QUVFSLIWpCspSxSE=
=P898
-----END PGP SIGNATURE-----
Received on Sat May 24 13:45:12 2003
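The challenge binary follows whatever symlink an unprivileged user plants at ./db.log. As an added defensive example, not code from the original post or the vulndev2 source, this C snippet opens its log with O_NOFOLLOW and verifies the opened object with fstat, then shows the planted-link case being refused in a constructed temp directory (the names secret and db.log inside it are assumptions).

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open or create the log file without following a symlink planted at its
 * path. Returns a descriptor, or -1 with errno set (ELOOP on Linux when the
 * path is a symlink). Assumed hardening for the pattern the post describes;
 * this is not vulndev2.c. */
int open_log_safely(const char *path)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    struct stat st;
    /* Check what was actually opened: a regular file, no extra hard links,
     * owned by the effective user this (possibly SUID) process runs as. */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario in a temp dir: db.log -> secret (a stand-in for the
 * post's /etc/shadow.fake) must be refused; a plain db.log must open.
 * Returns 1 when both hold. */
int demo(void)
{
    char dir[] = "/tmp/symlink-demo-XXXXXX";
    if (!mkdtemp(dir)) return 0;
    char target[128], lnk[128];
    snprintf(target, sizeof target, "%s/secret", dir);
    snprintf(lnk, sizeof lnk, "%s/db.log", dir);
    FILE *f = fopen(target, "w");
    if (!f) return 0;
    fputs("root:fake-pass:12002:0:99999:7:::\n", f);   /* constructed line */
    fclose(f);
    if (symlink(target, lnk) < 0) return 0;
    int ok = (open_log_safely(lnk) == -1 && errno == ELOOP);
    unlink(lnk);                     /* remove the link, leave the name free */
    int fd = open_log_safely(lnk);   /* creates a real db.log this time */
    ok = ok && fd >= 0;
    if (fd >= 0) close(fd);
    unlink(lnk); unlink(target); rmdir(dir);
    return ok;
}
```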

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:39 EDT

