[10786] in bugtraq
vulnerability in su/PAM in redhat
daemon@ATHENA.MIT.EDU (Tani Hosokawa)
Thu Jun 10 14:44:22 1999
Message-Id: <Pine.LNX.4.10.9906091403070.27189-100000@avarice.riverstyx.net>
Date: Wed, 9 Jun 1999 14:07:27 -0700
Reply-To: Tani Hosokawa <unknown@RIVERSTYX.NET>
From: Tani Hosokawa <unknown@RIVERSTYX.NET>
To: BUGTRAQ@NETSPACE.ORG
I was talking to some guy on IRC (st2) and he asked me to mention to
bugtraq (because he's not on the list) that the PAMified su that comes
with redhat has a slight hole. When you try to su to root (for example), if
it's successful, it immediately gives you a shell prompt. Otherwise, it
delays a full second, then logs an authentication failure to syslog. If
you hit break in that second, there's no error, plus you know that the password
was bad, so you can brute-force root's password. I wrote a little
threaded Perl prog that tested it (with a 0.25 second delay before the
break) to attack my own password (with my password in the wordlist) and it
seemed to work just fine, even with my own password hundreds of words down
in the list, so it seems pretty predictable, as long as the server's under
very little load (else you get a delay no matter what, and it screws the
whole process by giving false negatives).
---
tani hosokawa
river styx internet