-----BEGIN PGP SIGNED MESSAGE-----
Hi --
On my Trustix 1.2 box, I noticed that creating a user with 'useradd' and
the '-p' option (which gives the new user a default password) does not hash
the password in /etc/shadow:
root@hogs /# cat /etc/redhat-release
Trustix Secure Linux release 1.2 (Anywhere)
root@hogs /# useradd -p h4x0r lordspankatron
root@hogs /# tail -2 /etc/shadow
johnnyuser:$1$JiUjVlWa$gnfXvKsHUxnjoIPGmkt/1.:11562:0:99999:7:-1:-1:2147482240
lordspankatron:h4x0r:11562:0:99999:7:::
This bug doesn't seem exploitible for two reasons:
1.) The user cannot log in with the supplied password because
MD5( password_supplied_at_login_prompt ) != unhashed_password_in_shadow_file
2.) /etc/shadow exists in mode 0400, so no one besides the super-user
can read it anyway.
BUT... never say never. I can't think of a practical environment where
this can be abused, and thus, I submit this report to the Vuln-Dev
wizards. =]
[This just in: I've confirmed that this works on Redhat 7.1 too.]
- Joe Testa
e-mail: joetestaat_private
web page: http://hogs.rit.edu/~joet
AIM: LordSpankatron
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.0
wl0EARECAB0FAjuL4xIWHGpvZXRlc3RhQGh1c2htYWlsLmNvbQAKCRA/wHT6vruBNA1x
AKCR3LpGyouIg7REDMwYSBsnsJsuTQCeMF8n3PccwTDT2nhZmz9hCBvzW0Q=
=Gurv
-----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Tue Aug 28 2001 - 12:48:19 PDT