| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5121B661.3060208@bindshell.nl> Date: Sun, 17 Feb 2013 21:04:33 -0800 From: Jeremi Gosney <epixoip@...dshell.nl> To: Daniel Franke <dfoxfranke@...il.com> CC: discussions@...sword-hashing.net Subject: Re: [PHC] Any "large verifiers" on the panel? On 2/17/2013 8:24 PM, Daniel Franke wrote: > Jeremi Gosney <epixoip@...dshell.nl> writes: >> SQL injection, remote includes, local includes, and straight RCE flaws >> are by and large the biggest ways password hashes are compromised. More >> often than not, these vulnerabilities can be leveraged to view arbitrary >> files, or in the best case scenario, obtain a shell running under the >> context of the httpd or webapp. > If the attacker can obtain a shell under the same uid as the webapp > process and go undetected for a while, then he can ptrace the webapp and > see the passwords as they're being passed into the hashing function. It does not work this way anymore. At least not on modern Linux distributions that enable the Yama LSM, which I'm pretty sure all distributers started doing ~ 3 years back. I believe FreeBSD also limits ptrace functionality through MAC policies, but I am unsure of whether it is disabled by default. I cannot speak to other operating systems.
Powered by blists - more mailing lists