60

On the exploit websites I see security analysts and hackers targeting the /etc/passwd file when showing the proof of concept.

If you have a local file inclusion or path traversal vulnerability on your server, and hackers are able to access (view, read, but NOT edit) the /etc/passwd file, what are the repercussions of this? Aren't all passwords obfuscated in this file by design?

Peter Mortensen
  • 885
  • 5
  • 10
Danny Z
  • 709
  • 1
  • 5
  • 4
  • 10
    To make a PoC easy to follow, a file with well-known significance is targeted. /etc/passwd is a favorite even though in modern systems it won't give you much info. – ztk Jun 30 '15 at 18:08
  • 3
    25 or so years ago, you would have been able to attack the hashed passwords stored in that file (hence the name) but I don't think _anyone on the planet_ runs a non-shadow system since at least a decade. – Damon Jul 01 '15 at 08:03
  • @Damon I beg to differ. Plenty of ancient Unix(-like) systems still going strong today. Nobody dares to upgrade in fear of breaking the application or because management can't be convinced (Budget for upgrade? Why? It works, doesn't it?) – Tonny Jul 02 '15 at 12:03
  • 1
    @dr01: Encrypted? Not in any properly designed system. Rather, a one way cryptographic hash should be used (with salting, etc) – Ben Voigt Jul 02 '15 at 18:34
  • 1
    @dr01, eh? No. Encryption implies recoverability if a key is present, and that property doesn't exist. – Charles Duffy Jul 02 '15 at 22:07
  • @Tonny, the world is certainly full of legacy systems, but shadow passwords were universal practice by the mid-90s; we're literally talking 20 years. There's a point where a legacy system is too costly to maintain because hardware is no longer available. – Charles Duffy Jul 02 '15 at 22:09
  • @CharlesDuffy In an ideal world... I just moth-balled a system from 1986 (hardware) and the software on it dates from 1976. 1 down, another 17 to go... – Tonny Jul 03 '15 at 12:03
  • @BenVoigt+CharlesDuffy You know I meant that :) I was pointing out the difference between obfuscating data (i.e. security through obscurity) -> insecure, and securing properly data via cryptographic primitives -> secure. Anyway, thanks for the punctilious note. – dr_ Jul 03 '15 at 12:21
  • @dr01: Well, you commented directly after Damon's mention of both hashing and shadow password file, so it is natural to assume that you chose different words because you meant something different. – Ben Voigt Jul 03 '15 at 13:47
  • @BenVoigt Ah, I see. Apologies if my first comment wasn't clear. – dr_ Jul 03 '15 at 13:59
  • @Tonny, ouch. I've dealt with a few legacy systems (porting a car dealership's in-house accounting software to a more modern platform, and later writing scheduling and billing integrations for an EMR system), but in neither of those cases did we get even near the 30-year-old hardware benchmark you're dealing with. (The car dealership's system was first written in the 70s targeting VMS, but got ported to SCO in the 80s before my early-2000s port to Linux). – Charles Duffy Jul 03 '15 at 15:46
  • @CharlesDuffy Dec stuff running Ultrix 4.x. In most cases (running ERP on Progress DB's) we could get the software transferred to Aix 4 and from there upgraded to Aix 5.3. That is the latest Aix on which Progress 9.0 still runs (porting to Progress 10 and later is not possible due to lack of sources). Luckily IBM guarantees that Aix 5.3 can be run as a logical partition on newer Aix systems until 2025. This covers the 7 years tax-reporting requirement after system replacement in 2016. Need live system for reporting because business-logic is hardcoded in the application: Raw data is useless. – Tonny Jul 03 '15 at 19:25

6 Answers6

95

The only real repercussion is reconnaissance - the attacker can learn login names and gecos fields (which sometimes help guess passwords) from the /etc/passwd file.

One reason for this is that, 20 years ago or so, most Unix variants shifted from keeping hashed passwords in the /etc/passwd file and moved them to /etc/shadow. The reason for this was that /etc/passwd needed to be world readable for tools like 'finger' and 'ident' to work. Once passwords were segregated into /etc/shadow, that file was made readable only by root.

That said, /etc/passwd remains a popular 'flag' for security analysts and hackers because it's a traditional "hey, I got what I shouldn't" file. If you can read that, you can read other things under /etc as well, some of which can be useful to an attacker. But it's harder to test for (say) /etc/yum.conf if you don't know if yum's on the system; /etc/passwd is always there and is a reliable test of whether access worked.

Put differently, the implicit repercussion of getting /etc/passwd is that the attacker has circumvented controls and can get arbitrary readable files, which means "I win!"*

*No actual guarantee of win, express or implied

gowenfawr
  • 72,355
  • 17
  • 162
  • 199
  • 9
    I'd suggest a correction that getting /etc/passwd means not that the attacker can get any arbitrary file, but any world readable files since any running process should be able to read /etc/passwd. – Steve Sether Jun 30 '15 at 20:54
  • @SteveSether thanks, good point, modified to reflect. – gowenfawr Jun 30 '15 at 21:02
  • I'd also like to add that /etc/passwd is no longer required on most (all?) modern Linux distributions as Pluggable Authentication Modules (PAM) provide robust authentication schemes (which can include use of /etc/passwd and /etc/shadow). I personally use decoy values for /etc/passwd and /etc/shadow knowing that if the system is breached the attacker may try to make use of those files (and by all means go for it, bad guys!). See PAM reference here: http://tldp.org/HOWTO/User-Authentication-HOWTO/x115.html – Nick Jul 01 '15 at 19:02
  • 3
    @Nick, correct me if I'm mistaken, but `ls -l` will stop showing usernames if you remove `/etc/passwd`; it's not PAM-aware. That's the sort of hidden dependency that drove hashes out of `/etc/passwd`. – gowenfawr Jul 01 '15 at 19:16
  • That is correct. Most applications are not built with PAM support. Your *ls* reference is not really an issue in embedded systems where there aren't any "users" so to speak. All critical boot mechanisms support this style of operation, however, and for those interested in mastering the security of their operating environment(s) this (PAM-based) method (when customized & implemented properly) will thwart most advanced attacks against these hardened systems. – Nick Jul 01 '15 at 20:51
20

While @gowenfawr hits the main points, I have a few to add:

Most systems, but not all, hide the actual passwords in /etc/shadow. To see if your system is vulnerable, check a real user account. If it looks like

stighemmer:x:...

Then your passwords are safe.

If it looks like

stighemmer:kjsaashgdkwqvbm:...

Then your passwords are NOT safe.

Yes, the password is obfuscated using a one-way hash function, but that is not enough. Having this file allows the hacker to check if a given user has a certain password without actually trying to log in.

In 1970, this check was slow, and things were reasonably safe. Today, a hacker can check millions of passwords per second. If one of your users has a guessable password, that user's account will be hacked. And the limit for what is "guessable" is pushed with every processor generation.

Now you have checked, and found that your passwords are safely stored in /etc/shadow. Good, problem solved.

Not quite. /etc/passwd contains more information.

It contains the full name of every user. This is very useful for social engineering attacks.

It contains a list of system users, which indicates what software is installed.

So, I get an email going "Hey Stig, I have forgotten the postgres password. Could you remind me? Signed, Other Real User". Since my helpful email client doesn't show the full email address I will not notice that this email comes from a remote country. I reply, "It is 'S3CR37'". Oops, the company database just got hacked.

Of course, this is not the only way full names get exposed, you need to teach the users about social engineering attacks anyway.

multithr3at3d
  • 12,529
  • 3
  • 31
  • 43
Stig Hemmer
  • 2,413
  • 10
  • 14
  • 5
    The password is _not_ encrypted, it is _hashed_ – Tobias Kienzler Jul 02 '15 at 10:31
  • @stig-hemmer, just a quick heads up that I requested an edit to your question changing "Encrypted" to "Hashed". I think you can reject this edit if you feel it does not conform with the meaning of the post, feel free to. I felt the edit was appropriate after reading [this post on meta.](https://security.meta.stackexchange.com/questions/246/whats-the-etiquette-for-correcting-answers). – Cowthulhu Jan 12 '18 at 15:31
7

This may help an attacker to do a brute force attack in low times, so the attacker doesn't need discover the usernames because he already has got them but he can aim the attack only to discover the passwords.

eurialo
  • 111
  • 6
6

Unless you aren't using shadow passwords, access to /etc/passwd is not the massive risk that the filename would imply (and if you aren't using shadow passwords in this day and age, you've got a problem).

The first unix systems actually stored passwords in /etc/passwd, which is why the file is called that. It also stored some other aspects of user metadata, like the user's home directory, shell, and so forth. In retrospect, this was not the greatest design decision ever made, because it meant that programs which used this metadata needed to be able to read /etc/passwd in order to get at that data.

The passwords in /etc/passwd were encrypted using the algorithms of the time, but including the encrypted passwords was still a needless exposure risk, and so shadow passwords were implemented to resolve that. The format of /etc/passwd couldn't change, for historical reasons, but modern systems just put a placeholder there (x is common). The actual password-related information (the actual hashes, how old the password is, and so on) are stored in another file, /etc/shadow, that only root can read.

This is not to say that access to /etc/passwd is completely harmless. It still yields a list of usernames, and although that's theoretically harmless (since usernames aren't supposed to be secret), it can be depressing to learn just how many people use their username as their password. It happens less often in this day and age, but it still happens often enough to be worth a try.

Also, the GECOS field in /etc/passwd often contains metadata like users' real names. That can be useful for quick guesses in and of itself, or for doing detailed searches that may yield more likely guesses. This is fairly sophisticated stuff, though, going well beyond (and potentially not even requiring) getting access to /etc/passwd itself

The Spooniest
  • 1,647
  • 9
  • 11
3

When performing vulnerability assessments for clients, I use /etc/passwd as a "hey, I got LFI in this application and you should be aware". It is a simple, well-known file that generally has sufficient permissions on the filesystem to show that I can read files. Being that this is a vulnerability assessment, I, and the client, only care about the vulnerability being present, proof provided, and guidance on how to resolve the issue.

When I am performing a pentest for a client, this file, though normally does not contain passwords, gives me a lot of information. From it, I have login names to start guessing passwords for and I can use the existing LFI to then attempt to read files out of the user homedirs.

This same reasoning applies to XSS proof of concepts and <script>alert(1)</script>. It is not the worst thing you can do with XSS, but it is proof that I as an attacker have the ability to execute JavaScript under my control.

0

An attacker can look at manually created Users (UID >500 or >1000 on most linuxes i touched so far) and also look at assigned shells (/bin/ba(sh)) to learn what users might work on services and/or webapps available on the machine. SSH is not the only Target!

This information is not only usefull for generic bruteforce but also for every attack that might involve the knowlege of valid username (be creative).

As mentioned above: When an Attacker can read /etc/passwd he can also read so much more on the system and systematically determine if there are ways for getting reverse shells and local privelege escalation.

I recommend you read up on some linux privesc guides (mubix & g0tmilk for starters) and get your hands on some vulnerable vms for some hands-on privesc training (vulnhub.com / kioptrix is a good starting point).