Full Disclosure mailing list archives
Re: Security hole in Confixx backup script
From: Valdis.Kletnieks () vt edu
Date: Mon, 09 Aug 2004 21:26:10 -0400
On Tue, 10 Aug 2004 02:16:24 +0200, Thomas Loch said:
> What if someone creates a shell script that simply "cat /etc/shadow" and sets the SetUID flag. Then he makes a backup of that file and restores the backup while he prevents the chown-command anyhow. All files will remain "root". Including the script. The execution of this script will print out the shadowed encrypted passwords. This can even be used to chmod the shadow file and make it readable for everyone.
You'd probably have to work a *little* harder than a shell script - most Unixoid systems don't allow the execution of a setUID shell script due to various and sundry race conditions involved (which is why 'suidperl' exists). Other than that, you're on the right track.. ;)
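A defensive check for the restore scenario discussed in this message, as an added example that is not part of the original post or of Confixx. It assumes the backup is a tar archive; the function names, file names and uid/gid 1001 are constructed for illustration. It lists archive members that carry setuid/setgid bits and rewrites the archive so those bits are cleared and ownership is pinned to the customer account before anything is restored.

```python
import io
import stat
import tarfile

SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID


def build_sample_backup():
    """Constructed sample: in-memory tar with one normal file and one setuid file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode in (("html/index.html", 0o644), ("files/helper", 0o4755)):
            data = b"constructed sample content\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            info.uid = info.gid = 1001  # constructed customer uid/gid
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit_backup(raw):
    """Return (name, octal mode) for every member carrying setuid or setgid bits."""
    with tarfile.open(fileobj=io.BytesIO(raw), mode="r") as tar:
        return [(m.name, oct(m.mode)) for m in tar if m.mode & SPECIAL_BITS]


def sanitize_backup(raw, owner_uid, owner_gid):
    """Rewrite the archive with setuid/setgid/sticky bits cleared and the
    recorded owner set to the customer account, so a restore does not rely
    on a later chown step succeeding."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(raw), mode="r") as src, \
            tarfile.open(fileobj=out, mode="w") as dst:
        for m in src:
            if not (m.isfile() or m.isdir()):
                continue  # drop links, devices and FIFOs from customer backups
            m.mode &= 0o777  # keep only the rwx permission bits
            m.uid, m.gid = owner_uid, owner_gid
            m.uname = m.gname = ""  # force numeric ownership on extraction
            dst.addfile(m, src.extractfile(m) if m.isfile() else None)
    return out.getvalue()
```
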
