Bugtraq mailing list archives

Re: [8lgm]-Advisory-7.UNIX.passwd.11-May-1994

From: rwing!pat () ole cdac com (Pat Myrto)
Date: Fri, 13 May 94 8:14:36 PDT


"In the previous message, [8LGM] Security Team said..."
[ ... details of exploitation of passwd -F deleted ... ]

Good clear explanation.  Not only explaining how it works, but for fixing
it quickly and easily by disabling the option, very valuable for sites
where it is deemed not feasable to replace the passwd command (I know
of none available that will work with the C2 option off the net - one
has to add that capability oneself, and there are a couple of gotchas
in making it work properly).  Perhaps a similar technique could be used
to disable the ability of users to change their full name (-f and running
as chfn, another 'feature' that is extremely annoying).

BTW - the vulnerability also applies to sites with the C2 conversion
done (SunOS), because passwd will ignore /etc/security/passwd.adjunct
if the password field in /etc/passwd does not contain '##username'.
There might be some difference in the timings of the race, but I
suspect not much.

Apparantly, for the C2 configuration, passwd triggers on the presence
of the '##'.  I don't know if the stuff following the '##' is important
(like does passwd use that string instead of the actual username for
the passwd.adjunct lookup)?  Something I will try to find out.  But I
know without a doubt that if, for example, a NULL passwd is placed in
an /etc/passwd entry and then one uses passwd to set the password, it
will go into /etc/passwd, not passwd.adjunct.  One HAS to add the
##username data to make passwd use the passwd.adjunct file, it will not
create that entry on its own.

This is a full disclosure that is as close to being done  properly as
one could ask for, IMO.  If any fault could be found, it might be that
it was sent close to a weekend, as opposed to waiting till late Sunday
or early Monday.  But that has to be balanced with getting urgent info
out in a hurry vs sitting on it for several days.  If its known to be
'in the wild', urgency is greatly increased.

Thanks and kudos to the 8lgm folks!

PS - expect an advisory from CERT sometime in 1995 - maybe.
-- 
pat@rwing  [If all fails, try:  rwing!pat () ole cdac com]  Pat Myrto - Seattle WA
"No one has the right to destroy another person's belief by demanding
empirical evidence."  --   Ann Landers, nationally syndicated advice columnist
and Director at Handgun Control Inc.

Current thread:

Re: permissions, (continued)
- - - Re: permissions Evil Pete (May 17)
    - Re: permissions Pat Myrto (May 17)
    - Re: permissions Gene Spafford (May 17)
    - Re: permissions Evil Pete (May 18)
    - Re: permissions Evil Pete (May 18)
    - [8lgm]-Advisory-7.UNIX.passwd.11-May-1994.NEWFIX [8LGM] Security Team (May 13)
    - iss equivalents *Hobbit* (May 11)
    - Source vs. binary for tools Jeremy Epstein -C2 PROJECT (May 12)
    - runaway lockd problems (SunOS 4.1.3) Pat Myrto (May 12)
    - [8lgm]-Advisory-7.UNIX.passwd.11-May-1994 [8LGM] Security Team (May 12)
    - Re: [8lgm]-Advisory-7.UNIX.passwd.11-May-1994 Pat Myrto (May 13)
    - Re: [8lgm]-Advisory-7.UNIX.passwd.11-May-1994 Gene Spafford (May 13)
    - Re: Time For New Security Package? (was Re: new iss stuff) Mark (May 10)
  - Selling binaries Karyn Pichnarczyk (May 10)
- Re: new iss stuff Everett F Batey WA6CRE (May 10)
- Re: new iss stuff root () maths su oz au (May 10)
- Re: new iss stuff der Mouse (May 10)
  - Re: new iss stuff Timothy Newsham (May 10)
- Re: new iss stuff jallen () nersc gov (May 10)
  - Re: new iss stuff Pat Myrto (May 10)
    - Re: new iss stuff Andrew Watts (May 10)

(Thread continues...)