Re: local exploit for "/ect/shadow"

From: RainbowHat <nHiATlE@blSackholeP.mAit.edMu.invalid>
Date: Sat, 6 Apr 2002 08:03:26 +0000 (UTC)


< Dimitri Maziuk
>begin 666 RainbowHat:
>>< Nico Kadel-Garcia
>>>"RainbowHat" <nHiATlE@blSackholeP.mAit.edMu.invalid> wrote in message
>>>news:PP7R6F0XWP-nHiATlE@blackhole.mit.edu...
>>>>
>>>> grep :0:0: /etc/passwd | grep -v ^root:
>>>
>>> grep ':0:' /etc/passwd /etc/shadow
>
>There's plenty of ':0:'s in /etc/shadow, in password
>aging fields.

Agreed.

>>>Examine the results by hand for oddness.

Imagine that the OP believes your command is correct and posts the
results of running it. And the OP may be a newbie who doesn't know to
sanitize or spoof the hashed password part of /etc/shadow. I can't post
the results without sanitizing. Could you post the results of your
command, run on your outward-facing server, without sanitizing?

>> Yes, I thought it first but it's very dangerous. If this is a PGP-ed
>> mail or virtual pure technical discussion, you are correct but Usenet
>> is public and there are potential attackers lurking and OP looks for
>> me newbie. I respected security and privacy of OP because I'm not a
>> social engineer. I like so called "simple" but this is why I
>> complicated it.
>
>1) So what happens if I create an account with uid 0 and
>primary group != 0, again ?

I already knew that. Please see [1] below.

>2) So run
>if [ `grep ':0:' /etc/passwd | wc -l` -gt 1 ]; then
> echo "Aiiieeee"
>fi
>if you don't want to see the actual accounts. Sheesh.

Counting the lines is a very good idea. Thanks. But;

[1] AFAIK most distributions have regular default accounts with
uid!=0 and gid=0 (example: shutdown:*:123:0: ... ). So your script
above will report an error every time.

[2] If an attacker deletes the regular root account and appends an
r00t account with uid=0 and gid=0, your script can't detect it.

I'm thinking the solutions now. I'll post here later.

-- 
Best Regards, RainbowHat. I support FULL DISCLOSURE.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7
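Added example, not code from any poster in this thread: a small POSIX sh
audit that addresses the two objections above by splitting each line on
':' and testing only the uid field (field 3), so gid 0 in field 4 (the
"shutdown" case) and the ':0:' runs in /etc/shadow aging fields cannot
match, and by separately checking that an account literally named "root"
with uid 0 still exists (the "r00t" case). The naive `grep -c ':0:'`
count is kept alongside for contrast. The sample passwd files are
constructed here and are not from any real system.

```shell
#!/bin/sh
# Added example (not from the thread): audit a passwd-format file for
# uid-0 accounts by field, not by the substring ':0:'.

# naive_count FILE : the thread's original test, counts lines containing ':0:'
# (matches gid 0 and shadow aging fields too, hence false positives).
naive_count() {
    grep -c ':0:' "$1"
}

# uid0_accounts FILE : print the login names whose uid field is exactly 0.
uid0_accounts() {
    awk -F: '$3 == "0" { print $1 }' "$1"
}

# audit_passwd FILE : report rogue uid-0 accounts and a missing/renamed root.
# Returns 0 when "root" exists with uid 0 and is the only uid-0 account,
# otherwise prints the findings and returns 1.
audit_passwd() {
    _file=$1
    _rc=0
    # Case [1] from the thread: only field 3 is tested, so gid 0 is ignored.
    _extra=$(awk -F: '$3 == "0" && $1 != "root" { print $1 }' "$_file")
    if [ -n "$_extra" ]; then
        echo "rogue uid 0 account(s): $(echo "$_extra" | tr '\n' ' ')"
        _rc=1
    fi
    # Case [2] from the thread: root deleted and replaced by e.g. "r00t".
    if ! awk -F: '$1 == "root" && $3 == "0" { ok = 1 } END { exit !ok }' "$_file"; then
        echo "no account named root with uid 0"
        _rc=1
    fi
    return $_rc
}

# write_samples DIR : constructed sample files (assumption: not real data).
write_samples() {
    _dir=$1
    # clean: root plus a gid-0 service account, as on many distributions
    cat > "$_dir/passwd.clean" <<'EOF'
root:x:0:0:root:/root:/bin/sh
shutdown:x:123:0:shutdown:/sbin:/sbin/shutdown
alice:x:1000:1000:Alice:/home/alice:/bin/sh
EOF
    # rogue: an extra uid-0 account whose gid is not 0
    cat > "$_dir/passwd.rogue" <<'EOF'
root:x:0:0:root:/root:/bin/sh
toor:x:0:100:backdoor:/:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
EOF
    # r00t: root removed and replaced by a look-alike name
    cat > "$_dir/passwd.r00t" <<'EOF'
r00t:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
EOF
}

# demo : audit each sample file and show the naive count next to the result.
demo() {
    _tmp=$(mktemp -d)
    write_samples "$_tmp"
    for f in clean rogue r00t; do
        echo "== passwd.$f (lines matching ':0:': $(naive_count "$_tmp/passwd.$f"))"
        audit_passwd "$_tmp/passwd.$f" && echo "ok"
    done
    rm -rf "$_tmp"
}

demo
```

On the clean sample the naive count is 2 (root and shutdown both contain
':0:'), which is exactly the false alarm described in [1], while the
field-based check passes; the rogue and r00t samples are both caught. To
use it on a live box, run `audit_passwd /etc/passwd` as a user who can
read the file; /etc/shadow need not be read at all, so nothing sensitive
has to be posted to show the result.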
