
Thread: Linux shadowed password file hack

  1. #11
    imported_blackfoot (Member; Join Date: Jun 2007; Posts: 386)

    Old fictional thread

    This is presumed to be fiction, since the shadow file is a readable table of data, not an executable script, and is normally readable by the superuser and certain groups.

    Shadow files may be copied/restored from backup or pwconv.

    I do not know of a case where shadow is executable only.
    Lux sit

  2. #12
    Member (Join Date: Jan 2010; Posts: 159)

    Quote, originally posted by blackfoot:
    > This is presumed to be fiction since the shadow file is a readable table of data not an executable script and normally readable by superuser and certain groups.

    Blackfoot has hit this on the head. The exploits levelled against the shadow file are aimed at being able to read it, so as to brute-force/dictionary-attack the passwords. If a privilege escalation could be obtained through the shadow file, the same technique would work against any file that had similar permissions. Maybe there is a one-in-a-quadrillion chance that the password hashes actually equal some sort of "command", but I find that to be so unlikely as to be worthy only of an amusing thought experiment.

    (Of course, perl does look like a password hash sometimes...)

  3. #13
    Just burned his ISO (Join Date: Mar 2009; Posts: 4)

    I'd lay down the pwnage

    Reading the spec (it's a little ambiguous), the user has rwx on the /etc/passwd file.

    The execute on the shadow is a red herring.

    I would lay down the priv escalation pwnage by editing the /etc/passwd file and changing my UID to 0.

    I'm feeling pretty smug right now, but since it's hypothetical I will not be doing the root dance.

  4. #14
    inf_437 (Member; Join Date: Feb 2010; Posts: 57)

    I have recently succeeded by changing the UID of my user to root, and my group also; then I was root when I logged in to my account.

    This was a really "special" Linux (Synology Server) distribution, so I don't know if that would really work on other distros, and I kind of doubt it.

  5. #15
    Just burned his ISO (Join Date: Mar 2009; Posts: 4)

    It's not common; I doubt any modern popular distros are shipped this way.

    I have never seen a writable /etc/passwd in practice, but if I did, then changing the UID is effective for privilege escalation purposes.

    A more likely attack is where other files on the operating system are SUID root, or are executed with root privs, but are writable by normal users. The user modifies the file to perform an action of their choice as root (add a user / get hashes).

    I have found quite a few local privilege escalations this way on Linux/Unix systems, including stuff by large vendors of very expensive commercial software. These attacks, along with symlink attacks, are the way I normally aim to gain root privs once on a Linux/Unix box, if my remote exploit got me to a limited user.
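A permission audit for the two weaknesses the posters describe in #13 and #15 (a /etc/passwd or /etc/shadow with looser permissions than expected, and root-owned setuid files that group or others can write), added here as an example and not code from any poster. It assumes Linux with GNU stat/find, and the usual expected modes of 644 for /etc/passwd and at most 640 for /etc/shadow (Debian ships 640 root:shadow; some distros use 600 or 000, which also pass).

```bash
#!/bin/bash
# Audit helpers for the privilege-escalation conditions discussed in the thread.
# Assumptions: Linux, GNU coreutils stat, GNU findutils find.

# check_file FILE MAX_MODE
# Prints "OK ..." and returns 0 when FILE's mode bits are a subset of MAX_MODE
# (octal); prints "WEAK ..." and returns 1 when FILE grants anything beyond it.
# Example: check_file /etc/passwd 644 flags a group- or world-writable passwd.
check_file() {
    local file=$1 max=$2 mode extra
    [ -e "$file" ] || { echo "MISSING $file"; return 1; }
    mode=$(stat -c '%a' "$file")
    # Bits set in the actual mode but not allowed by MAX_MODE are the problem.
    extra=$(( (0$mode) & ~(0$max) & 07777 ))
    if [ "$extra" -ne 0 ]; then
        printf 'WEAK %s mode=%s allowed=%s\n' "$file" "$mode" "$max"
        return 1
    fi
    printf 'OK %s mode=%s\n' "$file" "$mode"
}

# find_writable_suid ROOT [OWNER]
# Lists setuid regular files under ROOT owned by OWNER (default root) that are
# writable by group or others: exactly the "writable SUID root binary" case
# from post #15. Stays on one filesystem (-xdev) and ignores unreadable paths.
find_writable_suid() {
    local root=$1 owner=${2:-root}
    find "$root" -xdev -type f -user "$owner" -perm -4000 \
        \( -perm -g+w -o -perm -o+w \) 2>/dev/null
}

# Run the audit against the live system only when explicitly asked.
if [ "${1:-}" = "--run" ]; then
    check_file /etc/passwd 644
    check_file /etc/shadow 640
    echo "Writable setuid-root files (none expected):"
    find_writable_suid / root
fi
```

Run it as `bash audit.sh --run`; anything printed as WEAK or listed under the setuid check is a finding to fix (chmod to the expected mode, or remove the setuid bit if the file is not meant to carry it).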
