[17628] in bugtraq
Re: numerous free/paid account systems are vulnerable to
daemon@ATHENA.MIT.EDU (Jeff Bachtel)
Mon Nov 13 12:32:53 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-ID: <20001112205306.U5027@cepheid.nu>
Date: Sun, 12 Nov 2000 20:53:06 -0600
Reply-To: sebastion@IRELANDMAIL.COM
From: Jeff Bachtel <sebastion@IRELANDMAIL.COM>
X-To: Michal Zalewski <lcamtuf@TPI.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.21.0011101321440.21368-100000@nimue.tpi.pl>; from "Michal Zalewski" on Fri, Nov 10, 2000 at 03:37:17PM

> 1) specific Unix systems have to allow the attacker to create his account
> automatically (usually via www - both in paid and free ISP
> installations),

Starting off with this, I know of no distribution (of OpenBSD, of
RedHat, of Debian, etc.) that has any sort of automatic account
generation built in. This is a function of the application software
used to create the user, and therefore this advisory should be
specifically targeted at applications broken in this regard.

Additionally, the useradd tool on OpenBSD is not vulnerable, if the
proper syntax is used.

For automatic account creation, the command that should be used to
create a user and the group to go with it (according to the manpage for
useradd) would be:

    useradd -g=uid kmem

to add a user kmem (again, assuming the auto-generation application is
dumb enough to accept something like that).

The user kmem will be created and assigned a gid equal to his uid;
however, no line will be added to /etc/group, because a group of that
name already exists.

Improper use of useradd is, again, a function of the web account
interface, and is beyond the scope of a general Unix vulnerability.

jeff
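As an added example (not part of Jeff Bachtel's post, and not code from OpenBSD or any ISP front end): the check a web account-creation interface could apply before it ever calls useradd, refusing a requested name that already appears in the group or passwd file, which is the collision this thread is about. The file paths are parameters so the function runs against constructed sample files rather than the live system, and the name policy (first character `[a-z_]`, then `[a-z0-9_-]`, at most 31 characters) is a hypothetical policy chosen for the example.

```shell
#!/bin/sh
# Added example: reject auto-created account names that collide with an
# existing group or user. Not from the original post; the sample files,
# the name policy and the function name are this example's own choices.
LC_ALL=C
export LC_ALL

# Constructed sample data standing in for /etc/group and /etc/passwd.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/group" <<'EOF'
wheel:*:0:root
kmem:*:2:root
operator:*:5:root
EOF
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/ksh
operator:*:2:5:System &:/operator:/sbin/nologin
EOF

# name_is_safe NAME GROUPFILE PASSWDFILE
# Exit status 0 if NAME satisfies the (hypothetical) name policy and is
# not already the name of a group or a user in the given files; else 1.
name_is_safe() {
    name=$1; groupfile=$2; passwdfile=$3

    # Policy: must start with a lowercase letter or underscore ...
    case $name in
        [a-z_]*) ;;
        *) return 1 ;;
    esac
    # ... contain only [a-z0-9_-] (so it is also safe to pass to useradd
    # and to use as a literal grep pattern below) ...
    if printf '%s' "$name" | grep -q '[^a-z0-9_-]'; then
        return 1
    fi
    # ... and be at most 31 characters long.
    if [ "${#name}" -gt 31 ]; then
        return 1
    fi

    # The actual collision check: an exact match on the first field
    # (the name) of any group or passwd entry means "kmem", "wheel",
    # "operator" and friends are refused before useradd sees them.
    if cut -d: -f1 "$groupfile" | grep -qx -- "$name"; then
        return 1
    fi
    if cut -d: -f1 "$passwdfile" | grep -qx -- "$name"; then
        return 1
    fi
    return 0
}

# Demonstration over a few requested names, including the ones an
# attacker would try against a naive front end.
for candidate in alice kmem wheel operator root Alice 'a b'; do
    if name_is_safe "$candidate" "$SAMPLE_DIR/group" "$SAMPLE_DIR/passwd"; then
        echo "accept: $candidate"
    else
        echo "reject: $candidate (existing group/user or fails name policy)"
    fi
done
```

Only after `name_is_safe` succeeds would the front end go on to call useradd with whatever syntax the local manpage prescribes; the example deliberately stops short of invoking useradd, since that needs root and is exactly the step the thread says the web interface gets wrong.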