Date: Wed, 9 Jun 1999 14:07:27 -0700
From: Tani Hosokawa
To: BUGTRAQ@netspace.org
Subject: vulnerability in su/PAM in redhat

I was talking to some guy on IRC (st2) and he asked me to mention to
bugtraq (because he's not on the list) that the PAMified su that comes
with redhat has a slight hole. When you try to su to root (for example), if
it's successful, it immediately gives you a shell prompt. Otherwise, it
delays a full second, then logs an authentication failure to syslog. If
you hit break in that second, no error, plus you know that the password
was bad, so you can brute force root's password. I wrote a little
threaded Perl prog that tested it (with a 0.25 second delay before the
break) to attack my own password (with my password in the wordlist) and it
seemed to work just fine, even with my own password hundreds of words down
in the list, so it seems pretty predictable, as long as the server's under
very little load (else you get a delay no matter what, and it screws the
whole process by giving false negatives).

---
tani hosokawa
river styx internet

-------------------------------------------------------------------------

Date: Fri, 11 Jun 1999 11:43:59 -0700
From: Tani Hosokawa
To: BUGTRAQ@netspace.org
Subject: Re: vulnerability in su/PAM in redhat

Well, I just checked it out on a fairly vanilla RH6.0 box, and it
exhibited the same behaviour. This is only a bug with PAM-enabled
machines; Slackware, etc. do not have this problem. Also, it exhibits this
behaviour with or without shadowed passwords (I pwunconv'd and tried it
just now, same thing happened). I think it's a problem with one of the PAM
modules.

On Fri, 11 Jun 1999, C.J. Oster wrote:

> Not if you have the latest shadow package installed. If you type in an
> incorrect password, you get an immediate 'Sorry.' This may be correct for
> earlier versions of the shadow suite, but I don't remember and I only have
> the newest one installed. Latest version is at
> ftp://ftp.ists.pwr.wroc.pl/pub/linux/shadow/
>
> > I was talking to some guy on IRC (st2) and he asked me to mention to
> > bugtraq (because he's not on the list) that the PAMified su that comes
> > with redhat has a slight hole. When you try to su to root (for example), if
> > it's successful, it immediately gives you a shell prompt. Otherwise, it
> > delays a full second, then logs an authentication failure to syslog. If
> > you hit break in that second, no error, plus you know that the password
> > was bad, so you can brute force root's password. I wrote a little
> > threaded Perl prog that tested it (with a 0.25 second delay before the
> > break) to attack my own password (with my password in the wordlist) and it
> > seemed to work just fine, even with my own password hundreds of words down
> > in the list, so it seems pretty predictable, as long as the server's under
> > very little load (else you get a delay no matter what, and it screws the
> > whole process by giving false negatives).

---
tani hosokawa
river styx internet

-------------------------------------------------------------------------

Date: Fri, 11 Jun 1999 12:38:02 +0000
From: Javi Polo
To: BUGTRAQ@netspace.org
Subject: Re: vulnerability in su/PAM in redhat

On Wed, 9 Jun 1999, Tani Hosokawa wrote:

> with redhat has a slight hole. When you try to su to root (for example), if
> it's successful, it immediately gives you a shell prompt. Otherwise, it
> delays a full second, then logs an authentication failure to syslog. If
> you hit break in that second, no error, plus you know that the password
> was bad, so you can brute force root's password. I wrote a little

Checked .... Confirmed for su that comes with sh-utils-1.16-14 and using
pam-0.64-3

See you later ......

Oh my God! They killed Kenny!!!!!!
Javi Polo ;)
You can find me on fido at 2:347/13.4
me too 3000ya.com
NO TO THE MOTORWAY!!!!!!!!!!! No to the Llevant motorway
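The defect the three posts describe is an ordering problem in su's failure path: the one-second delay runs before the syslog record is written, and the delay can be cut short with an interrupt, so a failed attempt leaves no trace. The following is an added example, not code from any of the posters, from Red Hat's su, or from Linux-PAM; it shows the failure path a defender wants instead: the audit record is written before any waiting, the wait ignores SIGINT, and it survives EINTR. `check_password`, `audit_failure` and the in-memory log are constructed stand-ins for pam_authenticate() and syslog(3) so the program runs offline, and `delay_survives_interrupt` is a self-check that fires a SIGALRM into the middle of a delay and confirms the full delay still elapses.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
#include <time.h>

/* Constructed in-memory audit log standing in for syslog(3); a real su
 * would emit an LOG_AUTHPRIV record here instead. */
#define LOG_CAP 8
static char audit_log[LOG_CAP][64];
static int audit_count = 0;

static void audit_failure(const char *user)
{
    if (audit_count < LOG_CAP) {
        snprintf(audit_log[audit_count], sizeof audit_log[0],
                 "authentication failure for %s", user);
        audit_count++;
    }
}

/* Hypothetical stand-in for pam_authenticate(): one constructed password. */
static int check_password(const char *user, const char *pw)
{
    (void)user;
    return strcmp(pw, "correct-horse") == 0;
}

static double now_seconds(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec + (double)ts.tv_nsec / 1e9;
}

/* Sleep for the whole delay even when a signal arrives: nanosleep() fails
 * with EINTR and reports the unslept remainder, so loop until it is used up. */
static void uninterruptible_delay(double seconds)
{
    struct timespec req, rem;
    req.tv_sec = (time_t)seconds;
    req.tv_nsec = (long)((seconds - (double)req.tv_sec) * 1e9);
    while (nanosleep(&req, &rem) == -1 && errno == EINTR)
        req = rem;
}

/* Hardened failure path: record the failure first, then delay with SIGINT
 * ignored, so a keyboard interrupt can neither suppress the log entry nor
 * shorten the wait. Returns 1 on success, 0 on failure. */
static int authenticate(const char *user, const char *pw, double fail_delay)
{
    struct sigaction ignore, saved;

    if (check_password(user, pw))
        return 1;

    audit_failure(user);            /* written before any waiting */

    memset(&ignore, 0, sizeof ignore);
    ignore.sa_handler = SIG_IGN;
    sigaction(SIGINT, &ignore, &saved);
    uninterruptible_delay(fail_delay);
    sigaction(SIGINT, &saved, NULL);
    return 0;
}

/* Handler exists only so SIGALRM interrupts nanosleep() instead of killing us. */
static void on_alarm(int sig) { (void)sig; }

/* Self-check: fire SIGALRM 10 ms into a delay and confirm the full delay
 * still elapses. Returns 1 if the delay held, 0 if it was cut short. */
static int delay_survives_interrupt(double seconds)
{
    struct sigaction sa, saved;
    struct itimerval timer = { {0, 0}, {0, 10000} };   /* one shot, 10 ms */
    double start, elapsed;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm;
    sigaction(SIGALRM, &sa, &saved);
    setitimer(ITIMER_REAL, &timer, NULL);

    start = now_seconds();
    uninterruptible_delay(seconds);
    elapsed = now_seconds() - start;

    sigaction(SIGALRM, &saved, NULL);
    return elapsed >= seconds * 0.95;
}

int main(void)
{
    if (!authenticate("root", "not-the-password", 1.0))
        printf("su: %s (logged before the 1 s delay)\n", audit_log[0]);
    printf("delay survives interrupt: %s\n",
           delay_survives_interrupt(0.1) ? "yes" : "no");
    return 0;
}
```

The two properties together close the hole the thread describes: a failed attempt is recorded whether or not the caller waits out the delay, and the delay itself no longer acts as a faster yes/no oracle than the prompt. Blocking SIGINT around the delay is the minimal form; a production su would also want the same treatment for SIGQUIT and SIGTSTP and would restore the original dispositions on every exit path.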