Linux Password File Not Properly Protected

漏洞信息

漏洞名称： Linux Password File Not Properly Protected

漏洞类型： 配置问题

漏洞等级： 高危

漏洞描述： 该漏洞涉及Linux系统中密码文件的不当配置问题。在Linux系统中，密码哈希值通常应存储在/etc/shadow文件中，该文件权限严格限制，仅允许root用户访问。然而，如果密码哈希值被错误地存储在/etc/passwd文件中，由于该文件默认对所有用户可读，这将导致密码哈希值暴露给非特权用户。这种配置问题可能源于系统管理员的疏忽或错误的系统配置脚本。攻击者可以利用这一漏洞获取密码哈希值，进而通过离线破解手段获取明文密码，威胁系统安全。此漏洞的利用不需要认证，且可以自动化执行，因此对系统安全构成严重威胁。正确的做法是确保所有密码哈希值仅存储在/etc/shadow文件中，并正确设置文件权限。

产品名称： Linux

来源： https://github.com/projectdiscovery/nuclei-templates/blob/dfc176303ffebe3d9f231045fa3abe2cf2ca9874/misconfiguration%2Flinux%2Fpassword-file-not-protected.yaml

类型： projectdiscovery/nuclei-templates:github issues

POC详情

id: password-file-not-protected

info:
  name: Linux Password File Not Properly Protected
  author: songyaeji
  severity: high
  description: >
    If password hashes are stored in /etc/passwd, which is world-readable, they can be exposed to non-privileged users.
    Proper configurations should ensure password hashes are stored only in /etc/shadow, which is restricted.
  reference:
    - https://isms.kisa.or.kr/main/csap/notice/
    - Cloud Vulnerability Assessment Guide (2024) by KISA
  tags: linux,local,misconfiguration,passwd,shadow,password,compliance
  metadata:
    verified: true
    os: linux
    max-request: 2
  classification:
    cwe-id: CWE-256
    cvss-metrics: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 5.5

self-contained: true

code:
  - engine:
      - bash
    source: |
      ls -l /etc/shadow 2>/dev/null || echo "no-shadow-file"
    matchers:
      - type: word
        part: code_1_response
        words:
          - "no-shadow-file"

  - engine:
      - bash
    source: |
      awk -F: '$2 !~ /^x$/ { print $0 }' /etc/passwd 2>/dev/null || echo "all-x-field"
    matchers:
      - type: regex
        part: code_2_response
        regex:
          - '^[^:]+:[^x]:'