[9848] in bugtraq
Digital Unix 4 protected password database.
daemon@ATHENA.MIT.EDU (James Clement)
Tue Mar 9 12:49:05 1999
Date: Tue, 9 Mar 1999 02:22:32 -0500
Reply-To: James Clement <clem7508@FREDONIA.EDU>
From: James Clement <clem7508@FREDONIA.EDU>
To: BUGTRAQ@NETSPACE.ORG
Greetings,
Due to the recent outpouring of DU buffer overflows I thought the
following might be of interest. With the Enhanced Security package
running, authentication info is stored in individual files according to
username. In this case /tcb/files/auth/r/root for root and so on. I am not
aware of any built in method for creating the equivalent of your everyday
unix /etc/shadow file. As a result it is probable that many DU systems
have not weeded out poor choices for passwords through the use of a
program such as Crack since each encrypt is stored in a separate file.
Though trivial once root is compromised, a would be attacker might
have an easy time obtaining passwords because of this "feature". The
program below outputs a crackable shadow file.
Regards,
James Clement
----dushad.c----
/*
Digital Unix 4.x get encrypts from protected password database(s).
Must be euid(0), compile with cc dushad.c -lsecurity -o dushad
Written by James Clement - clem7508@fredonia.edu
*/
#include <sys/types.h>
#include <sys/security.h>
#include <prot.h>
struct pr_passwd *getprpwent(void);
void main(){
struct pr_passwd *p;
set_auth_parameters();
while (p = getprpwent())
{
printf("%s:%s:%d:::\n", p->ufld.fd_name, p->ufld.fd_encrypt, p->ufld.fd_uid);
}
}
----end----
