[Vuln-dev Challenge]: Symlink Attack
From: Steven Hill (steve_at_covertsystems.org)
Date: 05/24/03
- Previous message: Thomas Cannon: "Re: [Vuln-dev Challenge] Challenge #2"
Date: Sat, 24 May 2003 21:24:16 +1000 (EST)
To: vuln-dev <vuln-dev@securityfocus.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
**********Vulndev2 Symlink Attack*************
vulndev2.c doesn't create files very securely, as a result it can be used
to read/write to files. In this example I'll demonstrate how to read in the
first user of a file like /etc/shadow in order to grab the password hash.
I am sure this brings warning lights to people's heads, for the first user
listed in the /etc/shadow file is generally the root user.
Compile the source as-is and install the binary in your path as SUID root.
Take a peek at the perms and make sure everything looks right.
nonpriv@box:~$ ls -al /usr/bin/vulndev2
-rwsr-xr-x 1 root root 5086 May 24 03:33 /usr/bin/vulndev2
Unless you like tampering with your real /etc/shadow file you'll want to
create /etc/shadow.fake and give it 0600 perms. Put a fake user in your
shadow.fake file like so on the first line:
root:fake-pass:12002:0:99999:7:::
Take a peek at /etc/shadow.fake and make sure everything looks legit.
nonpriv@box:~$ ls -al /etc/shadow.fake
-r-------- 1 root root 34 May 24 04:06 /etc/shadow.fake
Now as a regular user create a symbolic link from ./db.log to /etc/shadow.fake,
then simply run the SUID vulndev2 binary and the first line (or first 90
characters, whichever comes first) are read in and spit out.
nonpriv@box:~$ vulndev2 a b
root:fake-pass::12002:0:99999:7:::
Run JtR... bingo!
-Moeser
-SolarIce
Greetz: Signal Nine
Locky
--
IV. TACTICAL DISPOSITIONS
11. What the ancients called a clever fighter is
one who not only wins, but excels in winning with ease.
Sun Tzu "The Art of War" 400-320 B.C.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
iD8DBQE+z1Zo+SI9HWArYE4RAvTEAJ9eWQKxbBexWxsQ42sKEyDp0FbMdwCgrxQm
e/Nznf/QUVFSLIWpCspSxSE=
=P898
-----END PGP SIGNATURE-----
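The post shows the consequence of a SUID program opening db.log in the caller's directory with a plain open(): the final symlink is followed and the privileged process reads whatever the link points at. The program below is an added example written for this page, not code from the post or from vulndev2.c; the function names, the "db.log" and "secret" file names and the scratch directory layout are assumptions. It places the symlink-following open next to a hardened open that uses O_NOFOLLOW and an fstat() check, and re-creates the post's setup in a temporary directory to show that the first open leaks the file contents while the second refuses the link but still accepts an ordinary regular file.

```c
/* Added example, not part of the vuln-dev post or of vulndev2.c.
 * Assumed names: naive_open_log, safe_open_log, demo_symlink_defense,
 * and the files "db.log" (symlink) and "secret" (stand-in for
 * /etc/shadow.fake) inside a mkdtemp() scratch directory. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the post abuses: open() follows the final symlink, so a
 * SUID program reads whatever the unprivileged caller pointed db.log at. */
int naive_open_log(const char *path)
{
    return open(path, O_RDWR | O_CREAT, 0600);
}

/* Hardened variant: O_NOFOLLOW makes open() fail (ELOOP on Linux) when the
 * final path component is a symlink, and the fstat() on the descriptor
 * rejects anything that is not a plain, single-link regular file (a hard
 * link to a sensitive file, a FIFO, a device node).
 * Returns a descriptor, or -1 with errno set. */
int safe_open_log(const char *path)
{
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Re-create the post's setup in a scratch directory: a "secret" file standing
 * in for /etc/shadow.fake and a db.log symlink pointing at it.
 * Returns 1 when the naive open reads the secret through the link, the
 * hardened open refuses the link, and the hardened open still accepts the
 * regular file when addressed directly; 0 otherwise; -1 on setup failure. */
int demo_symlink_defense(void)
{
    char dir[] = "/tmp/symlinkdemoXXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;
    char secret[256], link[256], line[64] = "";
    snprintf(secret, sizeof secret, "%s/secret", dir);
    snprintf(link, sizeof link, "%s/db.log", dir);

    /* constructed stand-in for the first line of /etc/shadow.fake */
    const char *fake = "root:fake-pass:12002:0:99999:7:::\n";
    int fd = open(secret, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, fake, strlen(fake)) < 0 || close(fd) < 0 ||
        symlink(secret, link) < 0)
        return -1;

    /* naive open follows db.log -> secret and hands back its first line */
    int naive = naive_open_log(link);
    if (naive >= 0) {
        ssize_t n = read(naive, line, sizeof line - 1);
        if (n > 0)
            line[n] = '\0';
        close(naive);
    }
    /* hardened open refuses the link ... */
    int safe_link = safe_open_log(link);
    if (safe_link >= 0)
        close(safe_link);
    /* ... but still opens a genuine regular file */
    int safe_file = safe_open_log(secret);
    if (safe_file >= 0)
        close(safe_file);

    int result = (naive >= 0 && strcmp(line, fake) == 0 &&
                  safe_link < 0 && safe_file >= 0) ? 1 : 0;

    unlink(link);
    unlink(secret);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo_symlink_defense();
    printf("naive open leaked through the symlink, hardened open refused it: %s\n",
           r == 1 ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```

O_NOFOLLOW plus fstat() closes the specific hole shown in the post; for a SUID program that must touch files in a directory the invoking user controls, the stronger design is to drop to the real UID before the open, or to keep its own state under a root-owned directory with 0700 permissions so no unprivileged user can plant a link there at all.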