Linux Password File Not Properly Protected

漏洞信息

漏洞名称： Linux Password File Not Properly Protected

漏洞类型： 配置问题

漏洞等级： 高危

漏洞描述： 该漏洞涉及Linux系统中密码文件的不当配置问题。具体来说，当密码哈希被存储在/etc/passwd文件中时，由于该文件对全球可读，非特权用户也可以访问这些密码哈希。正确的配置应确保密码哈希仅存储在/etc/shadow文件中，该文件的访问权限受到限制。这种配置问题属于CWE-256类别，即未受保护的凭证存储。漏洞的CVSS评分为5.5，属于高危漏洞。攻击者可以利用此漏洞获取系统用户的密码哈希，进而尝试破解密码，获取未授权访问权限。此漏洞不需要攻击者具备高级权限，且可以本地利用，增加了其潜在的风险。为了缓解此漏洞，建议系统管理员检查并确保所有密码哈希都存储在/etc/shadow文件中，并适当设置文件权限，限制非特权用户的访问。

产品名称： Linux

来源： https://github.com/projectdiscovery/nuclei-templates/blob/1dc5e4c5a7e3689548a72d7cb2a00b803fccc824/misconfiguration%2Flinux%2Fpassword-file-not-protected.yaml

类型： projectdiscovery/nuclei-templates:github issues

POC详情

id: password-file-not-protected

info:
  name: Linux Password File Not Properly Protected
  author: songyaeji
  severity: high
  description: >
    If password hashes are stored in /etc/passwd, which is world-readable, they can be exposed to non-privileged users.
    Proper configurations should ensure password hashes are stored only in /etc/shadow, which is restricted.
  reference:
    - https://isms.kisa.or.kr/main/csap/notice/
    - Cloud Vulnerability Assessment Guide (2024) by KISA
  tags: linux,local,misconfiguration,passwd,shadow,password,compliance
  metadata:
    verified: true
    os: linux
    max-request: 2
  classification:
    cwe-id: CWE-256
    cvss-metrics: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 5.5

self-contained: true

code:
  - engine:
      - bash
    source: |
      ls -l /etc/shadow 2>/dev/null || echo "no-shadow-file"
    matchers:
      - type: word
        part: code_1_response
        words:
          - "no-shadow-file"

  - engine:
      - bash
    source: |
      awk -F: '$2 !~ /^x$/ { print $0 }' /etc/passwd 2>/dev/null || echo "all-x-field"
    matchers:
      - type: regex
        part: code_2_response
        regex:
          - '^[^:]+:[^x]:'