[13630] in bugtraq
Re: RedHat 6.1 /and others/ PAM
daemon@ATHENA.MIT.EDU (Simple Nomad)
Tue Feb 1 14:55:59 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.10.10001311508260.1299-100000@blackhole.nmrc.org>
Date: Mon, 31 Jan 2000 15:14:10 -0600
Reply-To: Simple Nomad <thegnome@NMRC.ORG>
From: Simple Nomad <thegnome@NMRC.ORG>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <lcamtuf.4.05.10001301212030.838-101000@nimue.ids.pl>
Trying to "echo PASSWORD | su ACCOUNT" will elicit a response of
"standard in must be a tty..." therefore the sploit would stop on the
first word in the list as if it was the correct password. Therefore I fail
to see the exact sploit here. I tried this on a stock RH 6.1 machine.
- Simple Nomad - No rest for the Wicca'd -
- thegnome@nmrc.org - www.nmrc.org -
- thegnome@razor.bindview.com - www.bindview.com -
On Sun, 30 Jan 2000, Michal Zalewski wrote:
> A vulnerability /feature?;)/ in PAM shipped with RedHat 6.1 allows
> attacker to perform rapid brute-force password cracking attack without any
> evidence in system logs.
>
> Exploit attached.
>
> Fix: do syslog() stuff before sleep() or change /bin/su behaviour in some
> other way.
>
> _______________________________________________________
> Michal Zalewski * [lcamtuf@ags.pl] <=> [AGS WAN SYSADM]
> [dione.ids.pl SYSADM] <-> [http://lcamtuf.na.export.pl]
> [+48 22 813 25 86] [+48 603 110 160] bash$ :(){ :|:&};:
> =-----=> God is real, unless declared integer. <=-----=
>
