Full Disclosure
mailing list archives
Re: Security hole in Confixx backup script
From: Valdis.Kletnieks () vt edu
Date: Mon, 09 Aug 2004 21:26:10 -0400
On Tue, 10 Aug 2004 02:16:24 +0200, Thomas Loch said:
> What if someone creates a shell script that simply "cat /etc/shadow" and sets
> the SetUID flag. Then he makes a backup of that file and restores the backup
> while he prevents the chown-command anyhow. All files will remain "root".
> Including the script. The execution of this script will print out the
> shadowed encrypted passwords. This can even be used to chmod the shadow file
> and make it readable for everyone
You'd probably have to work a *little* harder than a shell script - most
Unixoid systems don't allow the execution of a setUID shell script due to
various and sundry race conditions involved (which is why 'suidperl' exists).
Other than that, you're on the right track.. ;)
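A post-restore check for the condition discussed in this thread, as an added example (not part of either message and not Confixx code): it lists restored files that still carry setuid/setgid bits or are not owned by the expected account, and can clear those bits. The function names and the directory and owner arguments are assumptions.

```shell
#!/bin/sh
# Added example: audit a freshly restored directory tree.
# Assumption: DIR is the restore target, OWNER is the account (name or
# numeric uid) that every restored file is supposed to belong to.

# list_privileged DIR
# Print regular files under DIR that have the setuid or setgid bit set.
list_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# list_wrong_owner DIR OWNER
# Print entries not owned by OWNER, e.g. files left owned by root
# because the chown step of the restore did not run.
list_wrong_owner() {
    find "$1" -xdev ! -user "$2" -print
}

# strip_privileged DIR
# Clear setuid/setgid on regular files under DIR.
strip_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec chmod u-s,g-s {} +
}

# audit_restore DIR OWNER
# Return 0 if the tree is clean; otherwise print the findings to
# stderr and return 1 so the caller can refuse to hand the tree over.
audit_restore() {
    findings=$(list_privileged "$1"; list_wrong_owner "$1" "$2")
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings" >&2
    return 1
}
```

Run `audit_restore` after the restore and its ownership fix-up have finished, and treat a non-zero return as a failed restore.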