Re: (forw) Re: bug in su (Slackware 3.4)

From: Julie Haugh (jfhat_private)
Date: Mon Mar 23 1998 - 09:40:26 PST

    Troy,
    
    Thanks for the heads up.
    
    I imagine that this same sort of problem exists for all of the
    programs within Shadow which perform logging to a file.  I can't
    think of what other programs perform logging and a quick grep
    of the version I have here on snowball only shows the su log file
    as being opened for write.
    
    In the process of snooping around, it looks like "usermod" needs
    to have some work done where it updates the login.defs file.
    
    In general I think I need to get ahold of Marek, et alia and add
    some explicit umask (0277) calls to the commands to close whatever
    umask related exploits there are.
    
    -- Julie.
    
    Quoting Troy A. Bollinger (troyat_private):
    > FYI -
    > Bugtraq is discussing a bug in your shadow package...
    >
    > ----- Forwarded message from Martin Schulze <joeyat_private> -----
    >
    > X-Mailer: Mutt 0.88
    > Date:         Sun, 22 Mar 1998 19:28:08 +0100
    > Reply-To: Martin Schulze <joeyat_private>
    > From: Martin Schulze <joeyat_private>
    > Subject:      Re: bug in su (Slackware 3.4)
    > To: BUGTRAQat_private
    >
    > On Sun, Mar 15, 1998 at 06:32:26PM +0100, Peter van Dijk wrote:
    > > If sulog file logging is enabled in /etc/login.defs (shadowing installed!)
    > > and su has never been used, a user can set his umask to 0 and then run su.
    > > /var/log/sulog will then be created mode 666, which means user can use su
    > > to try lots of passwords and then, when done, do something like
    > > cat /dev/null > /var/log/sulog
    > > and clear out the logfile.
    > > Same goes for sudo.
    > > Note: everything will still be logged in syslog (unless disabled!)
    >
    > I have investigated the problem and it turned out that it exists in
    > the shadow package from Julianne Frances Haugh, we're using the
    > snapshot 970616.  This probably means that several recent Linux
    > distributions will be affected, not only Slackware.
    
    --
    Julianne Frances Haugh
    RS/6000 Security Development, C2 Tech Lead        "Resistance is futile!
    Bldg 905/2F002, 512-823-8817 (Tie 793)                You will be evaluated!"
    I-net: jfhat_private                                 -- C2 of Borg
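
The umask dependence discussed in this thread, as an added C example that is not part of the original messages or of the shadow package's code: one logger lets the caller's umask decide the log file's mode, the other fixes the mode itself. It sets the mode per file with open() and fchmod() rather than through the process-wide umask(0277) call proposed above; the function names and the sulog.demo path are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Append one line through fd, close it, and return the file's permission bits. */
static int append_and_report(int fd, const char *line) {
    struct stat st;
    int ok = write(fd, line, strlen(line)) >= 0 && write(fd, "\n", 1) == 1
             && fstat(fd, &st) == 0;
    close(fd);
    return ok ? (int)(st.st_mode & 07777) : -1;
}

/* Pattern from the report: the mode requested is 0666 (what fopen(path, "a")
 * also requests) and only the caller's umask narrows it, so a caller with
 * umask 0 ends up with a world-writable log file. */
int log_inherit_umask(const char *path, const char *line) {
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0666);
    return fd < 0 ? -1 : append_and_report(fd, line);
}

/* Hardened: request 0600 at creation, then fchmod() so that a file which
 * already exists with lax permissions is tightened as well. fchmod() is
 * not affected by the umask. */
int log_fixed_mode(const char *path, const char *line) {
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0600);
    if (fd < 0) return -1;
    if (fchmod(fd, 0600) != 0) { close(fd); return -1; }
    return append_and_report(fd, line);
}

int main(void) {
    const char *p = "sulog.demo";  /* constructed path in the current directory */
    unlink(p);
    umask(0);                      /* the caller's setting described in the report */
    printf("inherit umask: %04o\n", (unsigned)log_inherit_umask(p, "SU constructed entry"));
    printf("fixed mode:    %04o\n", (unsigned)log_fixed_mode(p, "SU constructed entry"));
    unlink(p);
    return 0;
}
```

The second call in main() runs against the file the first call left world-writable, so its result shows the tightening of an existing file, not only the creation case.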
    


