[13653] in bugtraq

Re: RedHat 6.1 /and others/ PAM

daemon@ATHENA.MIT.EDU (Ian Turner)
Wed Feb 2 12:12:44 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.10.10002011150590.11930-100000@crafter.house>
Date:         Tue, 1 Feb 2000 11:52:04 -0800
Reply-To: vectro@PIPELINE.COM
From: Ian Turner <vectro@PIPELINE.COM>
X-To:         Simple Nomad <thegnome@NMRC.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.10.10001311508260.1299-100000@blackhole.nmrc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 31 Jan 2000, Simple Nomad wrote:

> Trying to "echo PASSWORD | su ACCOUNT" will elicit a response of
> "standard in must be a tty..." therefore the sploit would stop on the
> first word in the list as if it was the correct password. Therefore I fail
> to see the exact sploit here. I tried this on a stock RH 6.1 machine.
>
> -         Simple Nomad          -  No rest for the Wicca'd  -
> -      thegnome@nmrc.org        -        www.nmrc.org       -
> -  thegnome@razor.bindview.com  -      www.bindview.com     -

You could create a more complicated exploit using pty's. Basically su
checks if standard input is a tty because they don't want you using 'su'
in shell scripts. But you can still do it, it's just not as easy.

I'd contribute example code but I just woke up. :b

Ian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4lzlmfn9ub9ZE1xoRAvR4AKChxizjFxxUXwfzYWLSi0dU5TbPQwCfdkv6
VdKx0CkPQlnicXgsJDC+B3M=
=QjkA
-----END PGP SIGNATURE-----
