Thursday, 15 December 2011

Bit By Bit

Let's say you find yourself in some rinky-dink little account one evening, with just about zero access to anything interesting. On this hypothetical system you are able to read the passwords file, but of course to change it is out of the question.

You can see that your account's password has been encrypted (in the file) as "fg(kk3j2." If you had the ability to load the password file into a text editor, you could replace the sysadmin's encrypted password with yours ("fg(kk3j2"), then save the file. Well, naturally you can't do that. You could get as far as loading the file into a text editor and changing it: but to save like that is impossible without superuser status. Or is it?

The system security may be such that it only makes validation checks at the highest level of interaction. So the high level commands to delete, move, execute, or alter files are disallowed if the user does not have a certain security clearance; the actual machine level commands to move the read/write head to a particular location, let's say, may not be halted in the least. If this were true for the whole available storage arena, every file could be completely read or rewritten bit by bit. If programming or disk maintenance software is available to you on-line, you might then be able to use it to alter individual storage locations - to change the system administrator's encrypted password to your own.

On the other hand, you might find that security prevents even low level instructions from being performed. Don't give up too soon! It may be that only parts of the storage arena have been protected, while others - due to forgetfulness, bugs, impossibility or impracticality - have been left unsecured. If so, you may not be able to change the passwords file, but perhaps it would be possible to move files to another user's private directory, or to change files that are already there. This opens up a whole world of possible Trojan horses and back doors. If security seems to prevent all illegal access from taking place, perhaps it is possible to trick a process with superuser security clearance into doing the work for you. A simple program, such as a game, could be written, containing instructions to secretly alter passwords.

Compile and save the program, making access to it available only to superusers. Then move the file into a public directory. Eventually some superuser will come along and execute it, thus enacting the portions of your program which, if you had run them yourself, would have resulted in error messages and perhaps a few more ticks on the security log.
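As an added example from the administrator's side (not part of the original post), here is a small Python audit for the two exposures this passage depends on: a storage device node that ordinary users can read or write, which sidesteps every file-level check, and a non-root executable sitting in a world-writable directory, which is where a planted program would wait for a privileged user. The paths, modes and owners in the sample list are constructed, and the check is a heuristic rather than a complete audit.

```python
import os
import stat
from dataclasses import dataclass

@dataclass
class Entry:
    path: str                            # file or device node path
    mode: int                            # st_mode bits as os.lstat reports them
    uid: int                             # numeric owner
    parent_world_writable: bool = False  # can anyone drop files into its directory?

def audit(entries):
    """Return (path, reason) pairs for the two exposures the text describes.

    1. A block device that 'other' may read or write defeats file-level
       permission checks, since the disk itself can be rewritten directly.
    2. A non-root executable in a world-writable directory is the kind of
       planted program an administrator might run with their own privileges.
    Group bits on device nodes are deliberately not flagged: on Linux /dev/sd*
    is normally root:disk 0660, so review group membership separately.
    """
    findings = []
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    for e in entries:
        if stat.S_ISBLK(e.mode) and e.mode & stat.S_IRWXO:
            findings.append((e.path, "storage device accessible to everyone"))
        if stat.S_ISBLK(e.mode) and e.uid != 0:
            findings.append((e.path, "storage device not owned by root"))
        is_exec = stat.S_ISREG(e.mode) and e.mode & exec_bits
        if is_exec and e.parent_world_writable and e.uid != 0:
            findings.append((e.path, "executable planted in a world-writable directory"))
    return findings

def entries_from_paths(paths):
    """Build Entry records from the live filesystem, skipping missing paths."""
    out = []
    for p in paths:
        try:
            st = os.lstat(p)
            parent = os.lstat(os.path.dirname(p) or ".")
        except FileNotFoundError:
            continue
        out.append(Entry(p, st.st_mode, st.st_uid, bool(parent.st_mode & stat.S_IWOTH)))
    return out

# Constructed sample records, not taken from any real host.
SAMPLE = [
    Entry("/dev/sda", stat.S_IFBLK | 0o660, 0),            # normal root:disk device node
    Entry("/dev/sdb", stat.S_IFBLK | 0o666, 0),            # the hole: anyone can rewrite the disk
    Entry("/tmp/game", stat.S_IFREG | 0o755, 1000, True),  # user-owned executable in /tmp
    Entry("/usr/bin/ls", stat.S_IFREG | 0o755, 0, False),  # ordinary system binary
]

if __name__ == "__main__":
    for path, reason in audit(SAMPLE):
        print(f"{path}: {reason}")
```

On a live host, pass the output of `entries_from_paths([...])` to `audit` instead of the constructed sample.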