On Tue, Jan 3, 2012 at 3:14 AM, Rudi Ahlers <Rudi at softdux.com> wrote: > >>> Very often, a single user with a >>> weak password has his account cracked and then a hacker can get a copy >>> of /etc/shadow and brute force the root password. >> >> This is incorrect. The whole reasoning behind /etc/shadow is to hide the >> actual hashes from normal system users. /etc/shadow is chown root.root >> and chmod 0400. Without root access /etc/shadow is not accessible. >> > > So, explain this then: > > > How does something like c99shell allow a local user (not root) to read > the /etc/shadow file? > The description from here: http://jigneshdhameliya.blogspot.com/2010/03/backdoorphpc99shellw.html and other places says "16. exploit a range of Linux kernel and bash command interpreter vulnerabilies" In other words, all those things that get listed as 'local' vulnerabilities become remote vulnerabilities as soon as any app or service allows running an arbitrary command. -- Les Mikesell lesmikesell at gmail.com