[17140] in bugtraq


Re: OpenBSD xlock exploit

daemon@ATHENA.MIT.EDU (Riley Hassell)
Tue Oct 10 14:23:51 2000

MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.LNX.4.21.0010091018070.23170-100000@web0.speakeasy.net>
Date:         Mon, 9 Oct 2000 10:30:12 -0700
Reply-To: Riley Hassell <riley@SPEAKEASY.NET>
From: Riley Hassell <riley@SPEAKEASY.NET>
X-To:         Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <200010061942.e96Jg9D21217@cvs.openbsd.org>

What about the chsh,chfn passwd locking problem?

I have talked to several admins who have had the problem with the locked
passwd file. Yet there is no information online on how to fix it.

In this case it's just: rm -rf /etc/ptmp

OPENBSD chsh,chfn locking issue:
chfn, Control+Z to throw it in the background, then kill the process,
leaving the stale lock-file /etc/ptmp.

Now users cannot execute chsh,chfn.

>>>>> previous conversation >>>>>>>

From riley@speakeasy.net Tue Sep 19 05:55:33 2000 +0000
Status: R
X-Status: A
X-Keywords:
Return-Path: <deraadt@cvs.openbsd.org>
Delivered-To: riley@speakeasy.net
Received: (qmail 9638 invoked from network); 19 Sep 2000 05:55:32 -0000
Received: from unknown (HELO cvs.openbsd.org) (199.185.137.3)
  by gonzo.speakeasy.net with SMTP; 19 Sep 2000 05:55:32 -0000
Received: from cvs.openbsd.org (IDENT:deraadt@localhost [127.0.0.1])
	by cvs.openbsd.org (8.10.1/8.10.1) with ESMTP id e8J5tR902625
	for <riley@speakeasy.net>; Mon, 18 Sep 2000 23:55:27 -0600 (MDT)
Message-Id: <200009190555.e8J5tR902625@cvs.openbsd.org>
To: Riley Hassell <riley@speakeasy.net>
Subject: Re: Denial of Service
In-reply-to: Your message of "Mon, 18 Sep 2000 22:13:21 PDT."
             <Pine.LNX.4.21.0009182210420.5517-100000@web0.speakeasy.net>
Date: Mon, 18 Sep 2000 23:55:27 -0600
From: Theo de Raadt <deraadt@cvs.openbsd.org>

> I have found a small vulnerability in the chfn/chsh commands on OpenBSD
> 2.7 that allows someone with a local account to lock up the passwd file.
>
> Who should I notify to help get this fixed?

We already know about that.  We don't know how to fix it.

>>>>>> End conversation >>>>>>>



I have yet to see a fix....


Also, maybe you guys shouldn't riddle all of your utils with getlogin().

;) xterm -ut doesn't write to the utmp


grep works really well, "man grep"



Riley Hassell
Network Security Consultant
riley@speakeasy.org http://cyphernaut.net


On Fri, 6 Oct 2000, Theo de Raadt wrote:

> > why don't you tell people about shit like this then all this commotion can
> > be avoided.
>
> We did.
>
> > Like K2 said.. maybe a mention in the CHANGELOG
>
> You mean, like how http://www.openbsd.org/plus.html contains a big fat
> red marker about this issue, and has since the day we fixed the bug?
>
> Or how http://www.openbsd.org/security.html#27 has a big note pointing
> to the errata entry?
>
> Or how about how even http://www.openbsd.org/errata.html has a big block
> about it, and a link to the patch file.
>
> I am sorry, but you and K2 are out of line when you say that we didn't
> tell the world about this.  We did.
>
> > or an advisory written,
>
> For xlock, we did not write an advisory, but it was pretty clear on
> bugtraq that it affected pretty much everyone.  Why are you so
> surprised?  Are you perhaps just out of touch?
>
> > instead of fixing a problem and not notifying other users of a
> > specific security vulnerability in particular application.
>
> When we know, or deeply suspect, that something is a security hole, we
> put patches out.
>
> However, when we fix a couple hundred format string bugs, we do not
> post a patch for every one of them.  Nor do we do all that much
> thinking about which ones are going to be exploitable, since we don't
> write exploits, and also tend to be rather busy with a whole bunch of
> other stuff too.
>
> You'll note that we were real sure the ftpd one was, and we did put a
> patch out for that.  For talkd, we still don't know.  We have a curses
> patch too for setuid/setgid programs that end up loading
> $HOME/.termlib when they shouldn't, since then they run into the
> hundreds of other potential bugs in curses.  Those errata entries are
> going up within the hour.  The chain of command did break down, I
> mean, I am even in Sweden and these errata should have gone out the
> hour that we became aware of potential things, considering fixes were
> written before we knew they were real security issues.
>
> We do not want to cry wolf.
>
> So, and I see this with sincere sarcasm, do you want me to post all of
> our patches for all of our format string fixes?  I can, if you really
> want.  Think about where bugtraq would head if we were to do that.
>
>
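The chsh/chfn problem described at the top of this message is a classic stale-lock failure: the lock is the mere existence of /etc/ptmp, so when the holder is stopped and killed nothing ever removes the file and every later invocation believes the passwd file is still being edited. The following is an added illustration written for this page, not code from Riley Hassell, Theo de Raadt or the OpenBSD source tree. It reproduces the failure mode with a child process that takes the lock and is then killed, first with an existence-based lock (create with O_EXCL) and then with a kernel-held flock() on the same file, which the kernel drops automatically when the holder dies. The lock path /tmp/ptmp-demo.lock is a constructed stand-in for /etc/ptmp.

```c
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed scratch path standing in for /etc/ptmp (assumption, not the real file). */
#define LOCK_PATH "/tmp/ptmp-demo.lock"

/* Existence-based lock: creating the file with O_EXCL is the lock.
 * Returns 0 when acquired, -1 when the file already exists.
 * Nothing removes the file if the holder dies, so it goes stale. */
int naive_lock(void)
{
    int fd = open(LOCK_PATH, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

void naive_unlock(void)
{
    unlink(LOCK_PATH);
}

/* Kernel-held lock: the file's existence carries no meaning; an exclusive
 * flock() on it does. The kernel releases the lock when the holder's last
 * descriptor closes, which includes the holder being killed.
 * Returns the locked descriptor (>= 0) or -1 when someone else holds it. */
int flock_lock(void)
{
    int fd = open(LOCK_PATH, O_RDWR | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    if (flock(fd, LOCK_EX | LOCK_NB) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

void flock_unlock(int fd)
{
    close(fd); /* closing drops the flock */
}

/* Scenario from the message: a process takes the lock, is stopped and then
 * killed without cleaning up. Returns 1 if a later process can still acquire
 * the lock, 0 if it is locked out (the stale-lock denial of service), -1 on error. */
int lock_survives_holder_death(int use_flock)
{
    int pipefd[2], status, ok;
    char c;
    pid_t pid;

    unlink(LOCK_PATH);
    if (pipe(pipefd) < 0)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* child: take the lock, signal the parent, then hang like a stopped chfn */
        int fd = use_flock ? flock_lock() : naive_lock();
        (void)fd;
        if (write(pipefd[1], "L", 1) != 1)
            _exit(1);
        pause();
        _exit(0);
    }
    if (read(pipefd[0], &c, 1) != 1)
        return -1;
    kill(pid, SIGKILL); /* holder dies without running any cleanup */
    waitpid(pid, &status, 0);
    close(pipefd[0]);
    close(pipefd[1]);

    if (use_flock) {
        int fd = flock_lock();
        ok = fd >= 0;
        if (ok)
            flock_unlock(fd);
    } else {
        ok = naive_lock() == 0;
        if (ok)
            naive_unlock();
    }
    unlink(LOCK_PATH);
    return ok;
}

int main(void)
{
    printf("O_EXCL lock file, holder killed: next user %s\n",
           lock_survives_holder_death(0) ? "gets the lock" : "is locked out");
    printf("flock() held lock, holder killed: next user %s\n",
           lock_survives_holder_death(1) ? "gets the lock" : "is locked out");
    return 0;
}
```

The first run ends with the next caller locked out, because the lock file outlives the process that created it; the second run ends with the lock available again, because the kernel released it when the holder was killed. For an administrator the defensive takeaway is the same as in the message: an existence-only lock file needs out-of-band stale detection (or manual removal), whereas a kernel-held advisory lock cannot be left behind by a killed process.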
