Bugtraq mailing list archives
Re: Question about Local vulnerability in libutil derived with FreeBSD.
From: Seth Arnold <sarnold () wirex com>
Date: Fri, 21 Sep 2001 09:45:52 -0700
On Fri, Sep 21, 2001 at 12:31:12PM +0300, Rumen Telbizov wrote:
> I tried the above vulnerability on 2 FreeBSD 4.3-RELEASE boxes and it worked out! I tried this on one Linux RH6.2 box with OpenSSH installed on it and it DID NOT work.

This latest vulnerability is specific to systems that have implemented the BSD authentication class scheme. So, as far as I know, the only systems that could be vulnerable to this particular problem are BSDi, FreeBSD, OpenBSD, and possibly NetBSD.[1]

So far, there have been confirmations of FreeBSD vulnerability, a compellingly good description of why OpenBSD is not vulnerable, and (as far as I remember) no feedback from BSDi or NetBSD.

Until Linux distributors start shipping BSD authentication support, Linux users ought to remain pretty safe from this problem. (With the exception of BSDi, I doubt any other commercial unix-like or unix vendors ship the BSD authentication stuff. As always, ask your vendor for details. :)

Cheers! :)

[1]: My apologies to our NetBSD friends; I promise I'll give NetBSD a test drive someday. :)