| Author |
Possible exploit? |
scobe
Member
Posts: 97
Location: behind you!
Joined: 12.09.05 Rank: Active User |
|
Something interesting happened to me today. I log onto a Fedora8 terminal remotely to do the majority of my work using VNC. While I was working, the contents of a flash drive opened to me randomly. I found out later that a person who was physically at the terminal had plugged in their thumb drive and somehow this triggers everyone logged onto the terminal to see the contents of the drive.
Here's the interesting part... I noticed that I had full permissions of the drive and everything in it (including execute).
Consider...
Would it be possible to make a thumb drive containing an autorun.sh with the following contents
cp /etc/shadow /home/ME/
chown ME /home/ME/shadow
It works on my old suse box but I'm not sure if gnome has been updated to stop this from happening. I'm assuming that this is happening because of a gnome script but I don't have access to these folders.
Any knowledge is greatly appreciated.
-Scobe
EDIT:
Will JTR work on shadow? I've never messed with linux passwords.
http://scobe.homeunix.com
Edited by scobe on 23-03-09 23:29 |
|
| Author |
RE: Possible exploit? |
Uber0n
Member

Posts: 1963
Location: Sweden
Joined: 13.06.06 Rank: God |
|
There's only one way to find out if this works; don't forget to post your results here if you try it out!

http://uber0n.webs.com/ |
|
| Author |
RE: Possible exploit? |
clone4
Member

Posts: 586
Location: He is back and he's bad!
Joined: 25.11.07 Rank: God |
|
scobe wrote:
Something interesting happened to me today. I log onto a Fedora8 terminal remotely to do the majority of my work using VNC. While I was working, the contents of a flash drive opened to me randomly. I found out later that a person who was physically at the terminal had plugged in their thumb drive and somehow this triggers everyone logged onto the terminal to see the contents of the drive.
Here's the interesting part... I noticed that I had full permissions of the drive and everything in it (including execute).
Consider...
Would it be possible to make a thumb drive containing an autorun.sh with the following contents
cp /etc/shadow /home/ME/
chown ME /home/ME/shadow
It works on my old suse box but I'm not sure if gnome has been updated to stop this from happening. I'm assuming that this is happening because of a gnome script but I don't have access to these folders.
Any knowledge is greatly appreciated.
-Scobe
EDIT:
Will JTR work on shadow? I've never messed with linux passwords.
Yes, you can use JTR to crack the passwd hashes. Problem is that now in most distros you have shadowed passwords, and the shadow file can only be accessed by root. So the user would have to be either retarded or running root as the default user, or, you know, have messed-up access rights on his system; this stuff happens sometimes though. It's a sweet yet, I'd say, outdated exploit that you won't find much use for.
Also, whether the thumb drive actually gets executed very much depends on the particular distro and system configuration.

spyware - "They see me trollin'..."
<yaragn> ever seen that movie? The Matrix?
<yaragn> with those green lines of flying text?
<yaragn> *THAT'S* Perl
|
|
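The two conditions named in the reply above (the shadow file being accessible only by root, and whether files on the stick can be executed at all) can be checked on a host. This is an added example, not part of any post in the thread; the mount-point prefixes and the sample mount lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit removable-media mount options
# and /etc/shadow permissions.
# Assumption: removable media are mounted under /media, /run/media or /mnt.

# Read /proc/mounts-format lines on stdin; print "<mountpoint> missing:<opts>"
# for each removable-media mount lacking noexec, nosuid or nodev.
audit_mounts() {
    while read -r dev mnt fstype opts rest; do
        case "$mnt" in
            /media/*|/run/media/*|/mnt/*) ;;
            *) continue ;;
        esac
        missing=""
        for opt in noexec nosuid nodev; do
            case ",$opts," in
                *",$opt,"*) ;;
                *) missing="${missing:+$missing,}$opt" ;;
            esac
        done
        if [ -n "$missing" ]; then
            echo "$mnt missing:$missing"
        fi
    done
    return 0
}

# Succeed only if "<octal mode> <owner uid>" describes a root-owned file with
# no group-write bit and no permissions at all for "other" (mask 027).
shadow_perms_ok() {
    mode=$1 uid=$2
    [ "$uid" = "0" ] || return 1
    [ $(( 0$mode & 027 )) -eq 0 ]
}

# Constructed sample in /proc/mounts format (not taken from the thread).
sample_mounts() {
cat <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
/dev/sdb1 /media/disk vfat rw,nosuid,nodev,uid=500 0 0
/dev/sdc1 /media/usb0 vfat rw,noexec,nosuid,nodev 0 0
EOF
}

sample_mounts | audit_mounts
# On a live host: audit_mounts < /proc/mounts
#                 shadow_perms_ok $(stat -c '%a %u' /etc/shadow) || echo "shadow too open"
```

A drive mounted with `noexec` cannot have its files executed directly from the mount point, and a shadow file that passes the mask check is unreadable to ordinary accounts regardless of what is plugged in.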
| Author |
RE: Possible exploit? |
scobe
Member
Posts: 97
Location: behind you!
Joined: 12.09.05 Rank: Active User |
|
Hmm.. Well, I think I've heard enough good that it's at least worth a try. Next time I'm physically at a terminal won't be until next Wednesday (Apr. 1). I'll post results.
|
|
| Author |
RE: Possible exploit? |
Skunkfoot
Member

Posts: 672
Location:
Joined: 01.09.06 Rank: God |
|
There's a tool out there called the USB pocketknife (a.k.a. USB Hacksaw/Switchblade) that does something very similar to this (along with a bunch of other stuff) for Windows machines.
Anyway, how often do you have physical access to other people's servers? I don't ever have it, but you might be different.
If you do have physical access a lot, maybe you should code a tool for Linux to do some cool stuff when a flash drive is plugged in.
Today a young man on acid realized that all matter is merely energy condensed to a slow vibration, that we are all one consciousness experiencing itself subjectively, that there is no such thing as death, life is only a dream, and we are the imaginations of ourselves.
--Bill Hicks
--=[ Skunkfoot || Temet Nosce ]=--
|
|
| Author |
RE: Possible exploit? |
scobe
Member
Posts: 97
Location: behind you!
Joined: 12.09.05 Rank: Active User |
|
I'm physically at the terminal roughly every two weeks. Problem is I don't have root privileges. Also if I reboot the machine I'll get my ass chewed. Anyone else have an idea how to get the shadow file if this doesn't work?
|
|
| Author |
RE: Possible exploit? |
clone4
Member

Posts: 586
Location: He is back and he's bad!
Joined: 25.11.07 Rank: God |
|
|
scobe wrote:
I'm physically at the terminal roughly every two weeks. Problem is I don't have root privileges. Also if I reboot the machine I'll get my ass chewed. Anyone else have an idea how to get the shadow file if this doesn't work?
Linux kernel local root exploit?
|
|
| Author |
RE: Possible exploit? |
scobe
Member
Posts: 97
Location: behind you!
Joined: 12.09.05 Rank: Active User |
|
I'm not exactly sure what that is / how to exploit it... I'll look into it, thanks for the idea.
|
|
| Author |
RE: Possible exploit? |
Skunkfoot
Member

Posts: 672
Location:
Joined: 01.09.06 Rank: God |
|
[x] Check out some rooting material like RTB or STS.
[x] Go learn about exploits and how they work.
[x] Learn about different ways to use the exploit you've found. (You might not have sufficient privileges to just upload it, compile it, or run it normally, in which case you should look into how to obtain the proper permissions.)
|
|
| Author |
RE: Possible exploit? |
yours31f
Second to one

Posts: 1678
Location: Dallas Texas
Joined: 27.04.07 Rank: Satan |
|
SU?
Debugging is what programmers do to beta software to make it take up more room on your hard drive if it is running too efficiently.

|
|
| Author |
RE: Possible exploit? |
Skunkfoot
Member

Posts: 672
Location:
Joined: 01.09.06 Rank: God |
|
lol...
|
|
| Author |
RE: Possible exploit? |
spyware
Member

Posts: 4190
Location: The Netherlands
Joined: 14.04.07 Rank: God Warn Level: 90
|
|
|
yours31f wrote:
SU?
Hope you were kidding.

"The chowner of property." - Zeph
Widespread intellectual and moral docility may be convenient for leaders in the short term, but it is suicidal for nations in the long term. - Carl Sagan
Since the grid is inescapable, what were the earlier lasers about? Does the corridor have a sense of humor? - Ebert |
|
| Author |
RE: Possible exploit? |
fuser
Member

Posts: 959
Location: in front of a computer (duh)
Joined: 05.04.07 Rank: HBH Guru |
|
Oh god. In case anyone is wondering, the "su" command doesn't work in scobe's case, as he himself had mentioned that he doesn't have root access, and since the command requires the root password for it to execute, it won't work for him.
Oh, and typing su in capitals doesn't work since *nix/Linux is case-sensitive.
I hope I didn't make any mistakes.







Telling modern Internet users to stop whining is like telling them to stop breathing; it seems unrealistic and inhumane. - Paul Lutus
|
|
| Author |
RE: Possible exploit? |
clone4
Member

Posts: 586
Location: He is back and he's bad!
Joined: 25.11.07 Rank: God |
|
|
fuser wrote:
Oh god. In case anyone is wondering, the "su" command doesn't work in scobe's case, as he himself had mentioned that he doesn't have root access, and since the command requires the root password for it to execute, it won't work for him.
Oh, and typing su in capitals doesn't work since *nix/Linux is case-sensitive.
I hope I didn't make any mistakes.
Well, theoretically there could be a blank root password, so su would give you root straight away,
but then again we aren't talking about Linux that was set up by a retarded person, I guess...
Edited by clone4 on 31-03-09 20:26 |
|