Linux /etc/shadow File Owner and Permission Check Vulnerability

漏洞信息

漏洞名称： Linux /etc/shadow File Owner and Permission Check Vulnerability

漏洞类型： 配置问题

漏洞等级： 严重

漏洞描述： 该漏洞涉及Linux操作系统中/etc/shadow文件的权限和所有权配置问题。/etc/shadow文件存储了系统中用户的密码哈希值，正常情况下应仅对root用户可读。如果该文件的权限或所有权配置不当，可能导致密码哈希值被非授权用户读取，进而通过离线破解手段获取用户密码，甚至实现权限提升。此漏洞的技术根源在于文件权限管理不当，未遵循最小权限原则。由于/etc/shadow文件包含敏感信息，其不当配置将直接威胁系统安全，可能导致未授权访问、信息泄露及权限提升等严重后果。此漏洞的利用通常需要本地访问权限，但一旦被利用，其影响范围广泛，可导致系统完全被控制。因此，确保/etc/shadow文件的正确权限和所有权配置对于维护Linux系统的安全至关重要。

产品厂商： Linux

产品名称： Linux Operating System

来源： https://github.com/projectdiscovery/nuclei-templates/blob/dfc176303ffebe3d9f231045fa3abe2cf2ca9874/misconfiguration%2Flinux%2Fetc-shadow-permission-check.yaml

类型： projectdiscovery/nuclei-templates:github issues

POC详情

id: etc-shadow-permission-check

info:
  name: /etc/shadow File Owner and Permission Check
  author: songyaeji
  severity: critical
  description: >
    The /etc/shadow file must only be readable by root. If its permissions or ownership are misconfigured, it can lead to exposure of password hashes, allowing offline cracking or privilege escalation.
  reference:
    - https://isms.kisa.or.kr/main/csap/notice/
    - Cloud Vulnerability Assessment Guide (2024) by KISA
  tags: linux,local,shadow,permission,file,misconfiguration
  metadata:
    verified: true
    os: linux
    max-request: 1
  classification:
    cwe-id: CWE-732
    cvss-metrics: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.4

self-contained: true

code:
  - engine:
      - bash
    source: |
      stat -c "%U %G %a" /etc/shadow 2>/dev/null || echo "not-found"
    matchers:
      - type: regex
        part: code_1_response
        regex:
          - '^root\s+shadow\s+([0-3][0-9]{2}|400)$'