[267] in linux-security and linux-alert archive
Details on yppasswdd hole
daemon@ATHENA.MIT.EDU (Olaf Kirch)
Sat Jun 24 07:39:05 1995
From: okir@monad.swb.de (Olaf Kirch)
To: linux-security@tarsier.cv.nrao.edu
Date: Fri, 23 Jun 1995 21:35:44 +0200 (MET DST)
Hi all,
here are the details on the hole in my yppasswdd. The bug was stupid and
simple; I forgot to check the user-supplied password for colons. This
allows people to submit a password update with a password like this:
:0:0:Big Boss:/:/tmp/foo
This will turn their password entry into something like this:
joe.user::0:0:Big Boss:/:/tmp/foo:Joe Random User:/home/joe:/bin/bash
All they now have to do is to copy their favorite shell to
/tmp/foo:Joe Random User:/home/joe:/bin/bash
Note that all of these are valid filename characters.
While fixing this, I noticed a second oversight, which may not be as bad,
but may cause problems nevertheless: Users were able to set passwords for
NIS entries like +janet or -joe if they were passwordless. Usually,
entries like these should not occur in the NIS server's password file,
and I do not believe they are actually checked by any program. The
new version checks for them anyway.
Olaf
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
For my PGP public key, finger okir@brewhq.swb.de.