l i n u x - u s e r s - g r o u p - o f - d a v i s
Next Meeting:
July 7: Social gathering
Next Installfest:
Latest News:
Jun. 14: June LUGOD meeting cancelled
Page last updated:
2001 Dec 30 16:59

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] Cracking...
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] Cracking...

  • Subject: Re: [vox-tech] Cracking...
  • From: Peter Jay Salzman <p@belialMAPS.ucdavis.edu>
  • Date: Fri, 01 Dec 2000 18:07:06 -0800
  • References: Pine.GSO.4.21.0012011520340.1514-100000@sandman.ucdavis.edu

mark, something i found; it sounds like it may help.  thttpd comes, by
default, with a cgi program called ssi.   here's a code snippet:

        path_translated = getenv( "PATH_TRANSLATED" );
        if ( path_translated == (char*) 0 ) {
                internal_error( "Couldn't get PATH_TRANSLATED environment variable.");
                exit( 1 );

        /* Open it. */
        fp = fopen( path_translated, "r" );
        read_file( path_info, path_translated, fp );

the PATH_TRANSLATED environment variable gets copied to path_translated, and
that gets fopen()'d.    the read_file function returns the contents of fp.

this means you can view any file on the system, so do:

        GET /cgi-bin/ssi//../../../../../../../../../etc/shadow

to get /etc/shadow.   maybe you can use john the ripper to crack some
passwords.  perhaps they left some GECOS inspired passwords as a bone.  :)

also, don't overlook physical security.  do you know where the firewall is
being kept?   if it's in his office, maybe you can get together with a
friend and try to get him to leave the office for a few minutes.  that
should be time enough to reboot the machine with a rescue disk, mount the
hard drive, edit /etc/shadow and /etc/passwd to create a new account, reboot
the machine.


> Date: Fri, 1 Dec 2000 15:38:44 -0800 (PST)
> From: Mark Kim <mkkim@ucdavis.edu>
> Reply-To: vox-tech@lists.mother.com
> To: vox-tech@lists.lugod.org
> Subject: [vox-tech] Cracking...
> We're doing a security analysis of a firewall and a computer system behind
> it.  I'd like to try to break into the system but I'm out of ideas.  I
> know one group from the class already broke in, and the professor left
> that hole open for others to exploit.  I'd like to gather some ideas from
> this group.
> So far, nmap scan of the firewall reveals ssh (22) and http (80) ports are
> open.  ssh version is "SSH-1.99-2.3.0 SSH Secure Shell (non-commercial)",
> and http daemon is thttpd version 2.10 (*not* Apache).  We've been told
> the firewall isn't running any services but only forwards connections to a
> system behind the firewall, so both ssh and http are running on the system
> behind the firewall.
> Bugtraq shows thttpd 2.10 has a couple bugs, both related to CGI, but the
> system isn't running any CGIs.  Both systems are some Linux variants and
> the firewall is running ipchains and has some modifications by the vendor.
> The two guys who broke into the machine behind the firewall took less than
> two days to get a root access on the system... so intimidating... but they
> work in the security lab so they do have an advantage.  I've been told
> they didn't exploit the webserver.  That leaves either the sshd exploit or
> some trickery with TCP packets.  Also, Bishop mentioned that the hole was
> very obvious once it was made known to him (isn't everything?) and he
> should have known (meaning, it was an obvious hole, but how am I supposed
> to know if it's supposed to be obvious to the rest of us or not? :P)
> Any ideas on how one could try attacking this system?
> -Mark
> PS: BTW, there's nobody else on the list taking ECS153, is there?
> PPS: Next step for me is going to Bugtraq and looking for any security
> work arounds for firewalls... hopefully something there will work with our
> firewall...
> ---
> Mark K. Kim
> http://www.cbreak.org/mark/
> PGP key available upon request.

LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
O'Reilly and Associates
For numerous book donations.