Bugtraq mailing list archives

Re: S/Key & OPIE Database Vulnerability

From: david () FUNDY CA (David Maxwell)
Date: Sun, 23 Jan 2000 22:13:08 -0400


On Fri, Jan 21, 2000 at 07:15:20PM -0600, harikiri wrote:

w00w00 Security Advisory - http://www.w00w00.org

Title:                S/Key & OPIE Database Vulnerability
Platforms:    BSD/OS 4.0.1 (SKEY).
              FreeBSD 3.4-RELEASE (OPIE).
              Linux Distributions (with skey-2.2-1 RPM).
              Any Unix running skey-2.2. (possibly earlier versions too)
Discovered:   14th January, 2000


NetBSD began installing a mode 600 /etc/skeykeys file as of Jan 6, 1999.
This issue would not affect the two most recent formal releases, 1.4,
and 1.4.1 - as they include the more secure default.

Users of skey on earlier installs should evaluate appropriate permissions
for their /etc/skeykeys file based on local requirements (e.g. non-setuid
programs performing authentication) - as indicated in the w00w00 advisory.

I'm not a member of the NetBSD security team, I'm just speaking as a user...

--
David Maxwell, david () vex net|david () maxwell net -->
Any sufficiently advanced Common Sense will seem like magic...
                                              - me

Current thread:

Re: ICQ Buffer Overflow Exploit, (continued)
- Re: ICQ Buffer Overflow Exploit Bryce Walter (Jan 18)
  - Re: ICQ Buffer Overflow Exploit Jeremy Johnson (Jan 19)
  - Re: ICQ Buffer Overflow Exploit Nick Summy (Jan 19)
  - Re: ICQ Buffer Overflow Exploit Dylan Griffiths (Jan 19)
  - explanation and code for stream.c issues Tim Yardley (Jan 21)
    - Re: explanation and code for stream.c issues Tim Yardley (Jan 21)
    - Re: explanation and code for stream.c issues Tim Yardley (Jan 21)
    - Re: explanation and code for stream.c issues Erik Fichtner (Jan 21)
    - Re: explanation and code for stream.c issues Brett Glass (Jan 21)
    - S/Key & OPIE Database Vulnerability harikiri (Jan 21)
    - Re: S/Key & OPIE Database Vulnerability David Maxwell (Jan 23)
    - S/Key & OPIE Database Vulnerability Steve VanDevender (Jan 23)
    - Re: S/Key & OPIE Database Vulnerability Evil Pete (Jan 24)
    - Re: S/Key & OPIE Database Vulnerability Mudge (Jan 25)
    - Re: S/Key & OPIE Database Vulnerability Steve VanDevender (Jan 25)
    - Re: S/Key & OPIE Database Vulnerability Mudge (Jan 25)
    - Stream.c needs more clarification Vanja Hrustic (Jan 25)
    - Re: S/Key & OPIE Database Vulnerability Steve VanDevender (Jan 25)
    - Re: S/Key & OPIE Database Vulnerability Mudge (Jan 25)
    - Re: S/Key & OPIE Database Vulnerability Steve VanDevender (Jan 26)
    - Future of s/key (Re: S/Key & OPIE Database Vulnerability) Frasnelli, Dan (Jan 26)

(Thread continues...)