On Tue, Jun 26, 2001 at 11:08:04AM +0200, Joachim Blaabjerg wrote:
> > Appending to /etc/passwd has nothing to do with pam.
>
> No, not directly, but if your `su` uses PAM to authenticate users and PAM
> reacts to the spaces in the beginning of the passwd file, it surely has
> something to do with PAM. To check whether `su` uses PAM or not, try "ldd
> `which su`|grep libpam"

The fun thing, of course, is that it doesn't matter about the specifics of how 'su' reacts when presented with this situation. This just happened to be a very simple and provocative exploit.

The attacked target doesn't have to be /etc/passwd. This exploit could be re-written trivially to use other files -- think 'cron', /root/.bash_profile, /etc/bashrc, /etc/Muttrc, etc. All with at least one, probably more, lines under control of an attacker.

Regardless of how anyone's 'su' reacts, upgrading samba to a fixed version is very important.

Seth Arnold
This archive was generated by hypermail 2b30 : Thu Jun 28 2001 - 13:50:07 PDT