On 02/04/2015 04:55 PM, Warren Young wrote:
> Unless you have misconfigured your system, anyone who can copy
> /etc/shadow already has root privileges. They don’t need to crack your
> passwords now. You’re already boned.
Not exactly.
There have been remotely exploitable vulnerabilities where an arbitrary
file could be read (not written), but otherwise root access wasn't given
by the exploit; that is, no shellcode per se. If you can somehow (buffer
overflow shellcode or something similar) get, say, httpd to return a
copy of /etc/shadow in a GET request, well, you don't have root, but you
do have the hashed passwords. It doesn't take an interactive root
session, and may not even leave a trace of the activity depending upon
the particular bug being exploited.
Now, I have seen this happen, on a system in the wild, where the very
first thing the attacker did was grab a copy of /etc/shadow, even with
an interactive reverse shell and root access being had. So even when you
recover your system from the compromise you have the risk of all those
passwords being known, and unfortunately people have a habit of using
the same password on more than one system.
Further, lists of usernames and passwords have market value.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
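An added, defender-side illustration of the point made in the reply above (this script is not from the thread or from CentOS): once /etc/shadow is known to have been copied, every account with a usable hash needs a forced password change, and accounts still on md5crypt ($1$) are the ones whose hashes are cheapest to brute-force offline. It parses a constructed shadow sample with placeholder hashes and groups accounts by the response required.

```python
# Constructed sample of /etc/shadow lines (hashes are placeholders, not real).
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASHPLACEHOLDERHASH:19000:0:99999:7:::
alice:$1$abcdefgh$PLACEHOLDERHASH:18500:0:99999:7:::
bob:$5$rounds=5000$saltsalt$PLACEHOLDERHASH:19100:0:99999:7:::
carol:$y$j9T$saltsaltsaltsalt$PLACEHOLDERHASH:19200:0:99999:7:::
daemon:*:18000:0:99999:7:::
svc:!!:18000:0:99999:7:::
legacy::18000:0:99999:7:::
"""

# crypt(3) prefixes; md5crypt is cheap to brute-force once the hash has leaked.
HASH_IDS = {"$1$": ("md5crypt", True), "$5$": ("sha256crypt", False),
            "$6$": ("sha512crypt", False), "$y$": ("yescrypt", False)}

def classify(hash_field: str) -> str:
    """Map the second shadow(5) field to what a leak of it means."""
    if hash_field == "":
        return "NO_PASSWORD"        # empty field: password-less login
    if hash_field[0] in "!*":
        return "LOCKED"             # nothing usable to crack
    for prefix, (name, weak) in HASH_IDS.items():
        if hash_field.startswith(prefix):
            return ("WEAK:" if weak else "HASHED:") + name
    return "HASHED:unknown"

def parse_shadow(text: str) -> list[tuple[str, str]]:
    """Return (user, hash_field) pairs; shadow(5) lines have exactly nine fields."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries.append((fields[0], fields[1]))
    return entries

def rotation_plan(text: str) -> dict[str, list[str]]:
    """Group accounts by what the responder must do after the file has leaked."""
    plan = {"force_reset": [], "weak_hash": [], "no_password": [], "locked": []}
    for user, hash_field in parse_shadow(text):
        status = classify(hash_field)
        if status == "NO_PASSWORD":
            plan["no_password"].append(user)
        elif status == "LOCKED":
            plan["locked"].append(user)
        else:
            plan["force_reset"].append(user)   # every leaked hash: e.g. chage -d 0 <user>
            if status.startswith("WEAK:"):
                plan["weak_hash"].append(user)
    return plan
```

Run `rotation_plan(open("/etc/shadow").read())` as root on the recovered host to get the per-account list; the `force_reset` group is what must be rotated regardless of hash strength, because the reuse problem described above does not depend on cracking speed.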