
https://exchange.xforce.ibmcloud.com/vulnerabilities/31739

linuxpam-pamunix-security-bypass (31739) reported Jan 23, 2007

Linux-PAM could allow a remote attacker to bypass security restrictions, caused by a vulnerability in pam_unix.so when handling password hashes that consist of two characters. An attacker could exploit this vulnerability to bypass security restrictions and gain unauthorized access to the system using arbitrary accounts.

Consequences: Gain Access

Can someone please explain to me how to actually implement this exploit?

I am currently working on HTB Cache and I've gained RCE on the EMR application. I've gained access to /var/lib/pam, which shows the following: [two screenshots of the /var/lib/pam directory contents, not included]

Will these be of any use to me? I'm trying to gain root/user access.

  • Personally, I'd first gain a reverse shell before doing anything else. Once a reverse shell is obtained, (assuming the EMR app is not run as root) there might be many ways to escalate your privileges. – Jeroen Jul 15 '20 at 08:19
  • @Jeroen: yes, I have a reverse shell as well. PrivEsc is pretty new to me, so I'm just grasping at straws right now. From what people have mentioned, somehow cache is going to play a role in the escalation. But thanks for the suggestion – David Jul 15 '20 at 08:21
  • _"pam_unix.so in Linux-PAM 0.99.7.0 allows context-dependent attackers to log into accounts whose password hash, as stored in /etc/passwd or /etc/shadow, has only two characters."_ -[nvd](https://nvd.nist.gov/vuln/detail/CVE-2007-0003). Do you have any reason to believe the password hash is 2 characters? – multithr3at3d Jul 19 '20 at 12:40
  • @multithr3at3d - I don't. Thanks for the effort in replying – David Jul 20 '20 at 07:35

0 Answers