I was talking to some guy on IRC (st2) and he asked me to mention to bugtraq (because he's not on the list) that the PAMified su that comes with redhat has a slight hole. When you try to su to root (for example), if it's successful, it immediately gives you a shell prompt. Otherwise, it delays a full second, then logs an authentication failure to syslog. If you hit break in that second, no error, plus you know that the password was bad, so you can brute force root's password. I wrote a little threaded Perl prog that tested it (with a 0.25 second delay before the break) to attack my own password (with my password in the wordlist) and it seemed to work just fine, even with my own password hundreds of words down in the list, so it seems pretty predictable, as long as the server's under very little load (else you get a delay no matter what, and it screws the whole process by giving false negatives).

---
tani hosokawa
river styx internet
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:48:49 PDT