On Tue, Jan 3, 2012 at 3:14 AM, Rudi Ahlers Rudi@softdux.com wrote:
Very often, a single user with a weak password has his account cracked and then a hacker can get a copy of /etc/shadow and brute force the root password.
This is incorrect. The whole reasoning behind /etc/shadow is to hide the actual hashes from normal system users. /etc/shadow is chown root.root and chmod 0400. Without root access /etc/shadow is not accessible.
So, explain this then:
How does something like c99shell allow a local user (not root) to read the /etc/shadow file?
The description from here: http://jigneshdhameliya.blogspot.com/2010/03/backdoorphpc99shellw.html and other places says "16. exploit a range of Linux kernel and bash command interpreter vulnerabilies"
In other words, all those things that get listed as 'local' vulnerabilities become remote vulnerabilities as soon as any app or service allows running an arbitrary command.