Thursday, April 14, 2005

A unix teaser

I was no God.
I told her my password.
She ran to a unix terminal.
She logged in to my account.
Using 'passwd', she changed my password to whatever she wanted.
She checked whether the password had been changed. It really had.
When she came back, she fainted when she saw me using a different password.

How could I do that?

TIP: It was a race condition

15 comments:

rzo said...

Hello,

1 - Humm, well, you said "your password", which makes me believe that you can simply log in as root on your machine and reset the password. heheh ;)

2 - You or he could use a fake passwd to intercept the password.. ;)

cya

Alpha0 said...

I said "I was no god."

Alpha0 said...

What does your second point mean?

Alpha0 said...

Well.. I have no control over 'passwd'.
Now?

rzo said...

Hi,

Sorry, I hadn't understood "I was no god" as root. :P

My second point is that you could have changed the PATH for your user, so when he called passwd it would call a pre-prepared binary to get its inputs and send them to you via e-mail or similar, so you could log back in and change it again. So no need to control passwd itself. heheh ;)

Alpha0 said...

Okay. You don't have control over the environment either. So you can't change PATH or trick her into executing a trojan.

HINT AGAIN: It is a race condition.

#alpha0

rzo said...

Hummm, I'm not aware of any public race condition in passwd that is not fixed. What is the answer?

cya

Alpha0 said...

Well, it is a little tricky.
As soon as she left to change my password, I typed 'passwd', fed the old password to it, and left it waiting for the new password.
When she came back and told me that she had changed my password, I supplied a new password to the command waiting for the new password.. And now I have my new password.

Got it!
I used to use this trick in college.
My admin used to discourage 'lynx' from the shell, and he used to kill lynx and change the password. So I always kept two shells open: in one I used to browse using lynx, and in the other I kept 'passwd' waiting for the new password. So when my lynx was killed, I knew that the password had been changed by the admin. I would supply a password to my command waiting for the new password.
And live happily ever after till I again browsed using lynx. :)
#Alph0

taerix said...

You know, I thought of that, but then I was like, "no... that's too easy... it would be something real instead of a cheap trick like that..."

Alpha0 said...

The title says "A unix teaser" :)
But we can't call it a cheap trick.

If you were supposed to write 'password', how would you avoid this?

--Alpha0

Alpha0 said...

I mean 'passwd'.

rzo said...

Hhhehehe, yes, it's really a trick.

Your admin was lazy; if he was a little smart he should have run ps auxww | grep your-user or tty and checked what you were running. If anything was suspicious, kill it before any task. hehehe

Ok, you can say you could create a symbolic link with a normal, common name, like this trick

$ ln -s /usr/bin/passwd common-app

And he would see it as a normal app, but if he wasn't so lazy, he would have run

# readlink /proc/common-app-pid/exe
/usr/bin/passwd

hehehe ;)

Maybe killing all your shells directly was an option... hehehe ;)

cya

Alpha0 said...

Yeah. If he could have killed all my processes and then changed the password, I was gone.
In fact he was a dumb ass-0-.

If you are supposed to write 'passwd' how to avoid this kind of problem?

--Sandeep

rzo said...

Hummm...

- Lock the /etc/shadow file. ;)

Cya

Alpha0 said...

I would suggest that the application should take the old password and the new password and then check and update it.
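
The fix suggested in the last comment, as an added example that is not part of the original post or comments and is not the code of any real passwd. The in-memory `Store`, its method names, the `replay` helper and the passwords are all hypothetical; it replays the teaser's order of events against a check-then-commit-later flow and against a flow that checks and updates under one lock.

```python
import hashlib, hmac, os, threading

class Store:
    """Toy in-memory stand-in for the shadow file (constructed, hypothetical)."""
    def __init__(self):
        self._lock = threading.Lock()
        self._db = {}  # user -> (salt, digest)

    @staticmethod
    def _digest(pw, salt):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 10_000)

    def set_password(self, user, pw):
        """Privileged reset, as the admin does in the thread."""
        salt = os.urandom(16)
        with self._lock:
            self._db[user] = (salt, self._digest(pw, salt))

    def verify(self, user, pw):
        with self._lock:
            salt, digest = self._db[user]
        return hmac.compare_digest(digest, self._digest(pw, salt))

    def begin_change(self, user, old):
        """Flawed flow: check the old password now, commit whenever the caller likes."""
        if not self.verify(user, old):
            raise PermissionError("old password wrong")
        return lambda new: self.set_password(user, new)  # stale authorization

    def change_atomic(self, user, old, new):
        """Check and update under one lock, so a reset in between is seen."""
        with self._lock:
            salt, digest = self._db[user]
            if not hmac.compare_digest(digest, self._digest(old, salt)):
                return False
            salt = os.urandom(16)
            self._db[user] = (salt, self._digest(new, salt))
            return True

def replay(atomic):
    """Replay the teaser's order of events; return the password that works at the end."""
    s = Store()
    s.set_password("user", "old-pw")
    commit = (s.begin_change("user", "old-pw") if not atomic
              else lambda new: s.change_atomic("user", "old-pw", new))
    s.set_password("user", "reset-pw")  # reset lands while the change is pending
    commit("mine-pw")
    return next(p for p in ("old-pw", "reset-pw", "mine-pw") if s.verify("user", p))
```

With the flawed flow the pending change overwrites the reset; with the atomic flow the stale old password is rejected and the reset stands.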