[2511] in bugtraq
Re: passwd command in AIX 4.1.4
daemon@ATHENA.MIT.EDU (JaDe)
Mon Feb 5 23:18:47 1996
Date: Mon, 5 Feb 1996 18:06:11 -0800
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: JaDe <jadestar@NETCOM.COM>
X-To: BUGTRAQ@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To: <Pine.A32.3.91.960205174125.43798A-100000@haddock.saa-cons.co.uk>
from "Dave Roberts" at Feb 5, 96 05:56:01 pm
>
> The passwd command under AIX 4.1.4 does not ask for the old password if
> you are root, even if you are changing root's password. To me this is a
> serious security flaw, but I haven't had any satisfaction from IBM or my
> suppliers (that said they would pass on my opinion).
>
> Am I alone in thinking this is a serious problem?
You may not be "alone" but you may not be in very good
company.
It is only a security problem to someone who leaves a
root shell logged in and unattended. If you do this then a
creative cracker will scatter some suid shells and trojan
suid applications (something that looks like it's *supposed to be
suid*). Then he'll look for tripwire and work on replacing it with
a hacked version that will ignore his backdoors.
Changing root password isn't satisfactory to a cracker -- you'll
know that the gig is up very soon.
About the only real danger I see in it is some sort of denial of
service script where root is tricked into running an expect script
which forces a change to root's password. This isn't very subtle
-- it would be much more clever to use this spoof on random
user id's (by linking into one of root's binaries or scripts). This
would have the insidious effect of making it appear that users were
forgetting their passwords more frequently than usual -- or that
the shell accounts were being cracked all over the place. This would
be particularly unpleasant if it was the passwd command itself that
the trojan linked into.
In either of these scenarios the real problem was in root's practices.
This minor "failure" of passwd doesn't contribute to any exploit of
root -- it just removes a minor inconvenience. If the cracker is
at a root shell he can use any call to crypt() to create a password
and vi, emacs, awk, sed, perl or any similar utility to patch it
directly into the /etc/passwd file.
If you can imagine a scenario where AIX's behavior is a
substantive threat, please let me, let us all, know.
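The reply's argument is that a root-level password change is noisy and "the gig is up very soon", and that a trojan quietly forcing password changes on ordinary users would show up as users apparently forgetting their passwords more often than usual. The following added example (not part of the original thread, and not IBM's or AIX's code) is a small detector for exactly that signal: it diffs two snapshots of a shadow(5)-style password file and reports accounts whose hash or last-change day moved, with a burst check for the "many users at once" case. The file format, field positions and all sample hashes are constructed for illustration; the script is not specific to AIX 4.1.4.

```python
"""Detect password-hash changes between two snapshots of a colon-separated
password file (shadow(5)-style: name:hash:lastchg:...).

Added example for the Bugtraq thread above; sample data is constructed."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    name: str
    hash: str
    lastchg: int  # days since epoch, per shadow(5); 0 when the field is empty


def parse_shadow(text: str) -> dict[str, Entry]:
    """Parse shadow-style lines into a name -> Entry map (comments/blank lines skipped)."""
    entries: dict[str, Entry] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected at least 3 colon-separated fields")
        name, pw_hash, lastchg = fields[0], fields[1], fields[2]
        entries[name] = Entry(name, pw_hash, int(lastchg) if lastchg else 0)
    return entries


def password_changes(before: dict[str, Entry], after: dict[str, Entry]) -> list[tuple[str, str]]:
    """Return (user, reason) pairs for every account whose credential record moved.

    A changed hash is the primary signal; a changed lastchg day with the same hash
    is also reported because legitimate tools normally update both together."""
    findings: list[tuple[str, str]] = []
    for name, new in after.items():
        old = before.get(name)
        if old is None:
            findings.append((name, "new account"))
        elif new.hash != old.hash:
            findings.append((name, "hash changed"))
        elif new.lastchg != old.lastchg:
            findings.append((name, "lastchg changed without hash change"))
    for name in before:
        if name not in after:
            findings.append((name, "account removed"))
    return findings


def is_burst(findings: list[tuple[str, str]], threshold: int) -> bool:
    """True when at least `threshold` distinct accounts changed hash in one interval,
    the pattern a trojaned passwd forcing changes on random users would produce."""
    changed = {name for name, reason in findings if reason == "hash changed"}
    return len(changed) >= threshold


# Constructed snapshots: hashes are placeholders, not real crypt(3) output.
BEFORE = """\
root:XXconstructedA:9500:0:99999:7:::
alice:XXconstructedB:9480:0:99999:7:::
bob:XXconstructedC:9470:0:99999:7:::
"""
AFTER = """\
root:XXconstructedZ:9530:0:99999:7:::
alice:XXconstructedB:9480:0:99999:7:::
bob:XXconstructedY:9530:0:99999:7:::
carol:XXconstructedD:9530:0:99999:7:::
"""


if __name__ == "__main__":
    findings = password_changes(parse_shadow(BEFORE), parse_shadow(AFTER))
    for user, reason in findings:
        flag = " [ROOT]" if user == "root" else ""
        print(f"{user}: {reason}{flag}")
    print("burst:", is_burst(findings, threshold=2))
```

Run it against two saved copies of the real file (taken by a trusted, separately stored job) rather than the live one, since the post's point is that a trojan on the host may already be lying about local state.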