Old fictional thread
This is presumed to be fiction, since the shadow file is a readable table of data, not an executable script, and is normally readable only by the superuser and certain groups.
Shadow files may be copied/restored from backup or pwconv.
I do not know of a case where shadow is executable only.
Blackfoot has hit this on the head. The exploits leveled against the shadow file are to be able to read it, so as to brute-force/dictionary-attack the passwords. If a privilege escalation could be used by the shadow file, the same technique would work against any file that had similar permissions. Maybe there is a 1-in-a-quadrillion chance that the password hashes actually equaled some sort of "command", but I find that to be so unlikely as to be worthy only of an amusing thought experiment.
Originally Posted by blackfoot
(Of course, perl does look like a password hash sometimes...)
I'd lay down the pwnage
Reading the spec (it's a little ambiguous), the user has rwx on the /etc/passwd file.
The execute on the shadow is a red herring.
I would lay down the priv escalation pwnage by editing the /etc/passwd file and changing my UID to 0.
I'm feeling pretty smug right now, but since it's hypothetical I will not be doing the root dance.
I have recently succeeded by changing the UID of my user to root, and my group also; then I was root when I logged in to my account.
This was a really "special" linux (Synology Server) distribution so I don't know if that would really work on other distros and I kind of doubt it.
It's not common; I doubt any modern popular distros are shipped this way.
I have never seen a writeable /etc/passwd in practice, but if I did then changing UID is effective for privilege escalation purposes.
A more likely attack is where other files on the operating system are SUID root, or are executed with root privs, but are writeable by normal users. The user modifies the file to perform an action of their choice as root (add a user/get hashes).
I have found quite a few local privilege escalations this way on linux/unix systems including stuff by large vendors of very expensive commercial software. These attacks, along with symlink attacks are the way I normally aim to gain root privs once on a linux/unix box if my remote exploit got me to a limited user.
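The two misconfigurations the thread describes, a /etc/passwd that ordinary users can write and setuid/setgid or root-run executables that ordinary users can modify, are straightforward to audit for. The following Python script is an added example, not code from any poster in this thread; the function names and the scanned directory list are my own assumptions, and the checks are written as pure functions over stat results so they can be exercised against a constructed directory tree rather than a live system.

```python
"""Audit a host for the permission mistakes discussed above:
  * /etc/passwd (or /etc/shadow) writable by group/other
  * /etc/shadow readable by other
  * setuid/setgid executables that non-owners can modify
  * root-owned executables that are world-writable
Added example; not from the thread. Run as: python3 audit_perms.py [root_dir]
"""
import os
import stat
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def _writable_by_non_owner(mode: int) -> bool:
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def check_account_db(name: str, mode: int) -> list[Finding]:
    """Pure check for /etc/passwd and /etc/shadow modes.
    `name` is the basename ("passwd" or "shadow"); `mode` is st_mode."""
    findings = []
    if _writable_by_non_owner(mode):
        findings.append(Finding(name, "account database writable by group/other"))
    if name == "shadow" and mode & stat.S_IROTH:
        findings.append(Finding(name, "shadow file readable by other"))
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        # Harmless in itself (it's just data), but not how distros ship it.
        findings.append(Finding(name, "account database has execute bits set"))
    return findings


def classify_file(path: str, mode: int, uid: int) -> list[Finding]:
    """Pure check on one regular file's st_mode / st_uid."""
    findings = []
    if not stat.S_ISREG(mode):
        return findings
    if mode & (stat.S_ISUID | stat.S_ISGID) and _writable_by_non_owner(mode):
        findings.append(Finding(path, "setuid/setgid file writable by group/other"))
    if uid == 0 and mode & stat.S_IXUSR and mode & stat.S_IWOTH:
        findings.append(Finding(path, "root-owned executable is world-writable"))
    return findings


def scan_tree(root: str) -> list[Finding]:
    """Walk `root` without following symlinks and classify every regular file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            try:
                st = os.lstat(full)  # lstat: do not follow symlinks
            except OSError:
                continue
            findings.extend(classify_file(full, st.st_mode, st.st_uid))
    return findings


def audit_host(root: str = "/") -> list[Finding]:
    """Check the account databases, then the usual executable locations.
    Directory list is an assumption; adjust for the platform."""
    findings = []
    for name in ("passwd", "shadow"):
        p = os.path.join(root, "etc", name)
        try:
            findings.extend(check_account_db(name, os.lstat(p).st_mode))
        except OSError:
            pass  # file absent on this system (e.g. no shadow suite)
    for sub in ("bin", "sbin", "usr", "opt", "usr/local"):
        d = os.path.join(root, sub)
        if os.path.isdir(d):
            findings.extend(scan_tree(d))
    return findings


if __name__ == "__main__":
    for f in audit_host(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(f"{f.path}: {f.reason}")
```

The checks deliberately use lstat rather than stat so a symlink planted in a scanned directory cannot redirect the audit to a different file, which is the same class of trick the last post mentions. A clean system reports nothing for /etc/passwd at mode 0644 and /etc/shadow at mode 0640 (or 0600).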