[10808] in bugtraq

Re: vulnerability in su/PAM in redhat

daemon@ATHENA.MIT.EDU (Tani Hosokawa)
Sat Jun 12 16:52:26 1999

Message-Id: <Pine.LNX.4.10.9906111139020.24864-100000@avarice.riverstyx.net>
Date: Fri, 11 Jun 1999 11:43:59 -0700
Reply-To: Tani Hosokawa <unknown@RIVERSTYX.NET>
From: Tani Hosokawa <unknown@RIVERSTYX.NET>
X-To: "C.J. Oster" <lordvadr@pobox.com>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.4.10.9906111238260.4176-100000@otis.cso.uiuc.edu>

Well, I just checked it out on a fairly vanilla RH6.0 box, and it
exhibited the same behaviour.  This is only a bug with PAM-enabled
machines; Slackware, etc. do not have this problem.  Also, it exhibits
this behaviour with or without shadowed passwords (I pwunconv'd and tried
it just now, same thing happened).  I think it's a problem with one of the
PAM modules.

On Fri, 11 Jun 1999, C.J. Oster wrote:

> Not if you have the latest shadow package installed.  If you type in an
> incorrect password, you get an immediate 'Sorry.'  This may be correct for
> earlier versions of the shadow suite, but I don't remember and I only have
> the newest one installed.  Latest version is at
> ftp://ftp.ists.pwr.wroc.pl/pub/linux/shadow/
> >I was talking to some guy on IRC (st2) and he asked me to mention to
> >bugtraq (because he's not on the list) that the PAMified su that comes
> >with redhat has a slight hole. When you try to su to root (for example), if
> >it's successful, it immediately gives you a shell prompt.  Otherwise, it
> >delays a full second, then logs an authentication failure to syslog.  If
> >you hit break in that second, no error, plus you know that the password
> >was bad, so you can brute force root's password.  I wrote a little
> >threaded Perl prog that tested it (with a 0.25 second delay before the
> >break) to attack my own password (with my password in the wordlist) and it
> >seemed to work just fine, even with my own password hundreds of words down
> >in the list, so it seems pretty predictable, as long as the server's under
> >very little load (else you get a delay no matter what, and it screws the
> >whole process by giving false negatives).

---
tani hosokawa
river styx internet
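A simulation of the oracle described in the quoted report, added here as an illustration; it is not the Perl program mentioned in the thread, nor code from su or PAM. The SuSession class, the try_password and brute_force helpers, the Python list standing in for syslog, and the sample root password are all constructed for the example. The 1 s failure delay and the 0.25 s grace period are the figures quoted in the thread. The same simulation is run with the reported ordering (sleep, then log) and with the log written before the sleep, so the difference in what reaches the audit log is visible side by side.

```python
"""Simulation of the su/PAM failure-delay oracle (added example, not from the thread)."""
import threading

# Timings quoted in the thread: su delays one second before logging a failed
# attempt, and the attacker sends a break after a quarter second.
FAIL_DELAY = 1.0
ATTACKER_GRACE = 0.25

# Constructed sample secret for the simulation (not a real credential).
ROOT_PASSWORD = "correct-horse"


class SuSession:
    """One simulated su invocation.

    On a correct password the shell prompt appears immediately.  On a wrong
    password the process sleeps FAIL_DELAY and the failure is appended to
    `log` (standing in for syslog) either before the sleep (hardened
    ordering) or after it (the ordering reported for the PAMified su).
    A break from the attacker is modelled by `abort`, which ends the sleep
    and kills the session at that point.
    """

    def __init__(self, log, guess, log_before_delay):
        self.log = log
        self.guess = guess
        self.log_before_delay = log_before_delay
        self.abort = threading.Event()   # attacker pressed break
        self.shell = threading.Event()   # shell prompt delivered

    def run(self):
        if self.guess == ROOT_PASSWORD:
            self.shell.set()
            return
        if self.log_before_delay:
            self.log.append("authentication failure; guess=%r" % self.guess)
        # Interruptible sleep: returns True as soon as the break arrives.
        if self.abort.wait(FAIL_DELAY):
            return                        # killed before anything was logged
        if not self.log_before_delay:
            self.log.append("authentication failure; guess=%r" % self.guess)


def try_password(log, guess, log_before_delay):
    """Attacker's oracle: True if a shell arrived within ATTACKER_GRACE.

    If it did not, the attacker sends the break rather than sitting through
    the full delay and the syslog line that would follow it.
    """
    session = SuSession(log, guess, log_before_delay)
    worker = threading.Thread(target=session.run)
    worker.start()
    got_shell = session.shell.wait(ATTACKER_GRACE)
    if not got_shell:
        session.abort.set()
    worker.join()
    return got_shell


def brute_force(wordlist, log_before_delay):
    """Walk the wordlist with the oracle; returns (password_or_None, log)."""
    log = []
    for word in wordlist:
        if try_password(log, word, log_before_delay):
            return word, log
    return None, log


if __name__ == "__main__":
    words = ["password", "root", "toor", "letmein", ROOT_PASSWORD, "zzz"]
    found, quiet_log = brute_force(words, log_before_delay=False)
    print("sleep-then-log: found %r, %d failures logged" % (found, len(quiet_log)))
    found, loud_log = brute_force(words, log_before_delay=True)
    print("log-then-sleep: found %r, %d failures logged" % (found, len(loud_log)))
```

With the reported ordering the wordlist is walked to the correct entry and the log stays empty; with the log written first every wrong guess is recorded even though the attacker still aborts after a quarter second. The response time leaks success or failure either way, so the ordering change protects the audit trail rather than hiding the oracle; limiting the rate of attempts is what blunts the search itself. The "false negatives under load" the poster mentions correspond to ATTACKER_GRACE expiring before a correct guess has delivered its shell, which the simulation reproduces if the grace period is made shorter than the scheduling latency on a busy machine.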
