[Full-Disclosure] ALERT ALERT plaintext passwords in linux ALERT ALERT
johnpf at atnet.net.au
Tue Sep 17 01:52:09 BST 2002
This is extremely old. There was an exploit for Linux and Solaris that
used this back in 1995 (or earlier). In that case the idea was to get a
local user shell, then start looking at kcore. Then try to login as root
and grep for the crypted passwd, then feed that string to Jack-the-Ripper.
That was when the permissions on kcore were changed so that you cant see
all of kcore.
There was even a trojaned copy of Slackware floating about that emailed
via an anonymiser the root passwd every time passwd was run by root that
ppan at hushmail.com wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Problem: Linux stores your passwords in plaintext
> See proof of concept exploit below
>Fix: rm -rf /dev/kmem
>bash$ ./passcheck.sh secret
>Proves that kmem leakes your passwords
>Needs to be run as root
>By etah^etihw aka peter-pan
>Checking for password 'secret'
>Binary file /proc/kcore matches
>OMG!!!! it matches!!!
>Please don't tell anyone my root password because
>I cant change it because i deleted the passwd program
>because i thougt that it is vulnerable but I
>think it was not vulnerable but i cant get it because
>I have to port undel.exe to lunix first.
>Here is the 0-DAY exploit!
>Please do not abuse!!!
># POC exploit
># shows kmem is a fscking leaker!
>echo "checkpass v1.5";
>echo "proves that kmem leakes your passwords";
>echo "needs to be run as root";
>echo "by etah^etihw";
>echo " ";
>echo "checking for password '$1'";
>grep $1 /proc/kcore
>(do not forget to make 'chmod +x passcheck.sh'!!)
>zisss (you are the man bro!!)
>drater (mad resopectz to yu0!!)
>verb (wuz up? your a.t. owns me ass!!)
>jchrist (your dad > *)
>-----BEGIN PGP SIGNATURE-----
>Version: Hush 2.1
>Note: This signature can be verified at https://www.hushtools.com
>-----END PGP SIGNATURE-----
>Get your free encrypted email at https://www.hushmail.com
>Full-Disclosure - We believe in it.
Full-Disclosure is hosted and sponsored by Secunia.