-----BEGIN PGP SIGNED MESSAGE----- Hi -- On my Trustix 1.2 box, I noticed that creating a user with 'useradd' and the '-p' option (which gives the new user a default password) does not hash the password in /etc/shadow: root@hogs /# cat /etc/redhat-release Trustix Secure Linux release 1.2 (Anywhere) root@hogs /# useradd -p h4x0r lordspankatron root@hogs /# tail -2 /etc/shadow johnnyuser:$1$JiUjVlWa$gnfXvKsHUxnjoIPGmkt/1.:11562:0:99999:7:-1:-1:2147482240 lordspankatron:h4x0r:11562:0:99999:7::: This bug doesn't seem exploitible for two reasons: 1.) The user cannot log in with the supplied password because MD5( password_supplied_at_login_prompt ) != unhashed_password_in_shadow_file 2.) /etc/shadow exists in mode 0400, so no one besides the super-user can read it anyway. BUT... never say never. I can't think of a practical environment where this can be abused, and thus, I submit this report to the Vuln-Dev wizards. =] [This just in: I've confirmed that this works on Redhat 7.1 too.] - Joe Testa e-mail: joetestaat_private web page: http://hogs.rit.edu/~joet AIM: LordSpankatron -----BEGIN PGP SIGNATURE----- Version: Hush 2.0 wl0EARECAB0FAjuL4xIWHGpvZXRlc3RhQGh1c2htYWlsLmNvbQAKCRA/wHT6vruBNA1x AKCR3LpGyouIg7REDMwYSBsnsJsuTQCeMF8n3PccwTDT2nhZmz9hCBvzW0Q= =Gurv -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Tue Aug 28 2001 - 12:48:19 PDT