Full Disclosure mailing list archives
ALERT ALERT plaintext passwords in linux ALERT ALERT
From: johnpf () atnet net au (John)
Date: Tue, 17 Sep 2002 10:52:09 +1000
This is extremely old. There was an exploit for Linux and Solaris that used this back in 1995 (or earlier). In that case the idea was to get a local user shell, then start looking at kcore. Then try to login as root and grep for the crypted passwd, then feed that string to Jack-the-Ripper. That was when the permissions on kcore were changed so that you cant see all of kcore. There was even a trojaned copy of Slackware floating about that emailed via an anonymiser the root passwd every time passwd was run by root that used this. JPF ppan () hushmail com wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Problem: Linux stores your passwords in plaintext
See proof of concept exploit below
Fix: rm -rf /dev/kmem
Demonstration:
- ---flic---
bash$ ./passcheck.sh secret
checkpass v1.5
Proves that kmem leakes your passwords
Needs to be run as root
By etah^etihw aka peter-pan
Checking for password 'secret'
Binary file /proc/kcore matches
- -flac-
OMG!!!! it matches!!!
Please don't tell anyone my root password because
I cant change it because i deleted the passwd program
because i thougt that it is vulnerable but I
think it was not vulnerable but i cant get it because
I have to port undel.exe to lunix first.
Here is the 0-DAY exploit!
Please do not abuse!!!
- ---click---
#!/bin/bash
# POC exploit
# shows kmem is a fscking leaker!
echo "checkpass v1.5";
echo "proves that kmem leakes your passwords";
echo "needs to be run as root";
echo "by etah^etihw";
echo " ";
echo "checking for password '$1'";
grep $1 /proc/kcore
- ---clack---
(do not forget to make 'chmod +x passcheck.sh'!!)
Greets:
zisss (you are the man bro!!)
drater (mad resopectz to yu0!!)
verb (wuz up? your a.t. owns me ass!!)
jchrist (your dad > *)
regards
Peter Pan
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com
wlkEARECABkFAj2EsMoSHHBwYW5AaHVzaG1haWwuY29tAAoJECqmU44+fV7iPaIAn2pT
NuLBzLYbzXbT/Ked+GXgzcS/AKC2Q4jNv/wsI8bIjJq1yr/luPasGQ==
=93nH
-----END PGP SIGNATURE-----
Get your free encrypted email at https://www.hushmail.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- ALERT ALERT plaintext passwords in linux ALERT ALERT ppan () hushmail com (Sep 15)
- ALERT ALERT plaintext passwords in linux ALERT ALERT Ka (Sep 15)
- ALERT ALERT plaintext passwords in linux ALERT ALERT John (Sep 16)
- <Possible follow-ups>
- ALERT ALERT plaintext passwords in linux ALERT ALERT ppan () hushmail com (Sep 15)
- Re[2]: ALERT ALERT plaintext passwords in linux ALERT ALERT Mikhail Iakovlev (Sep 15)
- Re[2]: ALERT ALERT plaintext passwords in linux ALERT ALERT martin f krafft (Sep 15)
- ALERT ALERT plaintext passwords in linux ALERT ALERT silvio () big net au (Sep 15)
- ALERT ALERT plaintext passwords in linux ALERT ALERT Michal Zalewski (Sep 15)
- ALERT ALERT plaintext passwords in linux ALERT ALERT silvio () big net au (Sep 15)
- Re[2]: ALERT ALERT plaintext passwords in linux ALERT ALERT Mikhail Iakovlev (Sep 15)
- ALERT ALERT plaintext passwords in linux ALERT ALERT Guy Cohen (Sep 15)
- ALERT ALERT plaintext passwords in linux ALERT ALERT White Vampire (Sep 15)