How good are you when it comes to networking? How often do you worry about the security side of it? Well, you need to worry about the first before you attend an interview and about the latter before you implement something.
This edition of techblog is about a security bug which will give administrator-like privileges to a normal user.
Note: This was performed on the University of Surrey’s system and has been sorted out with the help of the University’s IT support team. Also, I have edited all the pictures so that the ids are hidden and NO PERSONAL FILES ARE SHOWN!
Let’s Start
The first thing that I need to do is to access the server using SSH (of course, you need to be a recognised user for this)
Now from the remote system I use nautilus (File manager) and try to access the home directory of another user (some PG taught student):
This is disabled. So far so good with regard to security (aka protecting the user’s privacy)
Now I will list the processes running and get the instances of Firefox. Then I find the instance which is running as su (root user) and try to launch another Firefox session but with the same instance. (This is allowed as I am in the same network and I’m a registered user!)
Now using this instance, trying to read the password file:
(Note that the system stores the passwords after encryption.) But I am not going to display /etc/shadow here.
Well, it works. Now I am going to try the SSH folder. I also find that the SSH keys are readable (even the private ones).
Real Issue
Now I am going to access a user’s directory (which was inaccessible earlier) – and this time using a deeper path!
Now browsing this user’s favourites folder (just going deeper):
Please note that due to privacy issues I can’t display the user’s files here (moreover, it is unethical to do so).
Well, please note that I’m performing this from a remote terminal:
Here I can see which applications the user has added to his ‘Quick launch’:
I can also see all the files in the mysql directory:
IT Service Team’s Response:
Well, the University has a very good IT support team and they responded promptly. Here is a truncated email (I have deleted the portion in which he talked about the UniS networking system) from Mr. Watson.
Hello Aasis, Thank you for this information and the work which you have obviously put into this.
We take our security seriously…………
---(message truncated)----
With regards, George Watson
I guess you are safe now.
How people may exploit this?
Consider these points:
- The issue is not just that others can access private files, but the fact that one can get all the passwords.
- Both one-way functions and encryption codes are accessible.
- Even a novice can use open source programs like John.
If he buys some computing power from Amazon cloud (say, using the money from an unverified Paypal account), then he can quickly crack these (even tracking is hard in this case).
You may read this entry if you wish to know how one may use John to crack passwords.
The bottom line is that you need to be very careful when you do networking. A small loophole in your security system can affect the entire system.
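A root-owned Firefox instance was the pivot in the walkthrough above. As an added example (not part of the original post), this Python check flags browsers running as root in `ps -eo user,pid,ppid,args` output and names the login that started them; the sample process list, the user names and the set of browser process names are constructed assumptions.

```python
import os

BROWSERS = {"firefox", "firefox-bin", "firefox-esr"}  # assumed process names

# Constructed sample in the shape of `ps -eo user,pid,ppid,args` (not real data).
SAMPLE_PS = """\
USER       PID  PPID COMMAND
root         1     0 /sbin/init
root       812     1 /usr/sbin/sshd -D
root      2040   812 sshd: staff1 [priv]
staff1    2051  2040 -bash
root      2102  2051 su -
root      2103  2102 -bash
root      2150  2103 /usr/lib/firefox/firefox
student7  3010     1 /usr/lib/firefox/firefox -P default
"""

def parse_ps(text):
    """Map pid -> (user, ppid, args) from `ps -eo user,pid,ppid,args` text."""
    procs = {}
    for line in text.splitlines()[1:]:           # skip the header row
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[1].isdigit() and parts[2].isdigit():
            procs[int(parts[1])] = (parts[0], int(parts[2]), parts[3])
    return procs

def is_browser(args):
    # Compare the executable's basename, so "/usr/lib/firefox/firefox" matches.
    return os.path.basename(args.split()[0]) in BROWSERS

def root_browsers(procs):
    """Return [(pid, args, originating_user)] for browsers running as root.

    originating_user is the nearest non-root ancestor, i.e. the login that
    escalated before starting the browser, or None if every ancestor is root."""
    findings = []
    for pid, (user, ppid, args) in sorted(procs.items()):
        if user != "root" or not is_browser(args):
            continue
        origin, seen = None, {pid}
        while ppid in procs and ppid not in seen:   # walk up; guard against loops
            seen.add(ppid)
            parent_user, next_ppid, _ = procs[ppid]
            if parent_user != "root":
                origin = parent_user
                break
            ppid = next_ppid
        findings.append((pid, args, origin))
    return findings
```

On a live host, feed `parse_ps` the output of `ps -eo user,pid,ppid,args` and alert on any non-empty result from `root_browsers`.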



