[pts/11]:~/work/dev$
Always asks for password regardless of pipe. Anything passed to su via pipe
is used as if it's an arg to -c option.
----- Original Message -----
From: "Markus Dobel" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: 01 February 2000, Tuesday 14:24
S
On Sun, 30 Jan 2000, you wrote:
>
> A vulnerability /feature?;)/ in PAM shipped with RedHat 6.1 allows an
> attacker to perform a rapid brute-force password cracking attack without any
> evidence in system logs.
>
> Exploit attached.
>
> Fix: do syslog() stuff before sleep() or change /bin/su behaviour
Maybe I should restate. The sploit as it stands didn't work, and even
using expect, pty, etc didn't work. Still showing up in syslog on RH 6.1,
can someone else confirm/deny?
- Simple Nomad - No rest for the Wicca'd -
- [EMAIL PROTECTED]-www.nmrc.org
Simple Nomad wrote:
>
> Trying to "echo PASSWORD | su ACCOUNT" will elicit a response of
> "standard in must be a tty..." therefore the sploit would stop on the
> first word in the list as if it was the correct password. Therefore I fail
> to see the exact sploit here. I tried this on a stock RH 6
On Mon, 31 Jan 2000, Simple Nomad wrote:
> Trying to "echo PASSWORD | su ACCOUNT" will elicit a response of
> "standard in must be a tty..." therefore the sploit would stop on the
> first word in the list as if it was the correct password. Therefore
Trying to "echo PASSWORD | su ACCOUNT" will elicit a response of
"standard in must be a tty..." therefore the sploit would stop on the
first word in the list as if it was the correct password. Therefore I fail
to see the exact sploit here. I tried this on a stock RH 6.1 machine.
- Simple
A vulnerability /feature?;)/ in PAM shipped with RedHat 6.1 allows an
attacker to perform a rapid brute-force password cracking attack without any
evidence in system logs.
Exploit attached.
Fix: do syslog() stuff before sleep() or change /bin/su behaviour in some
other way.