Re: Linux UID/GID 'Feature' (fwd)
Weird...
psychodad:~> cat /etc/passwd | grep test
test::#507:Test:/home/test:/bin/bash
psychodad:~> su test
su: user test does not exist
psychodad:~>
Anything I did wrongly?
N.
On Sun, 11 May 1997, Ariel Biener wrote:
>
>
> This is my experience on a Slackware 3.1.0 with everything on the newest
> level. Moreover, it is running with shadow passwords, and as I said
> already in the attached mail, I believe that the recent Linux releases
> should have come with shadow passwords by default.
>
> --Ariel
>
> +---------------------------------------------------------+
> | Ariel Biener |
> | e-mail: ariel@post.tau.ac.il Work ph: 03-6406086 |
> +---------------------------------------------------------+
>
> ---------- Forwarded message ----------
> Date: Sun, 11 May 1997 16:43:24 +0300 (IDT)
> From: Ariel Biener <ariel@fireball.tau.ac.il>
> To: David Phillips <phillips@PCISYS.NET>
> Cc: BUGTRAQ@NETSPACE.ORG
> Subject: Re: Linux UID/GID 'Feature'
>
> On Sat, 10 May 1997, David Phillips wrote:
>
> > I mailed this to a friend as a sanity check:
> >
> >While trying to make a user entry in the /etc/passwd file unrecognized
> >so I could demonstrate the use of valid UIDs, I placed a # in front of the UID.
> >My theory was that this would make it an invalid number and cause Linux
> >to give an authentication failure. (This worked as expected on SunOS 4.1.4)
> >But then we tried to su to that user and were rewarded by being dumped
> >to UID 0. It didn't recognize the UID so it defaulted to 0. Cool huh?
> >
> >It seems ideal for a hard to find, back door but given that you must be root
> >to write to the passwd file, I have not found a better way to really exploit it.
> >My friend replied:
> >
> >I did test the problem using various remote logins, such as rlogin,
> >rsh, ftp, telnet, exec, ssh and console login. Trying to rlogin, rsh,
> >rexec or telnet failed with an authentication failure. But, su, ftp, ssh
> >and console login all succeeded and gave UID 0. A small stumbling block,
> >but still useful for a backdoor. I'll keep checking it tho'.
> >
> >He also noted that it works the same for GID. We have not taken the time
> >to research the problem fully but have tested it on Red Hat 4.1(2.0.27/2.0.30)
>
> Hi,
>
>
> While that may be true on RedHat-4.1, it's not true for Linux running
> the latest shadow package. I have tested all the above, in both #UID and #GID
> cases, and what happens is that if you put a # in any of those fields in the
> passwd entry, the user is ignored (no such user).
> Shadow passwords for Linux have existed for quite some time now, and have
> become the default in operating systems like BSDi/Solaris/AIX, and IMHO,
> the latest Linux releases should have been packaged with shadow passwording
> by default.
>
> Regards,
>
> --Ariel
>
>
> >
> >
> >David Phillips, TASC
> > phillips@pcisys.net
> >
>
> +---------------------------------------------------------+
> | Ariel Biener |
> | e-mail: ariel@post.tau.ac.il Work ph: 03-6406086 |
> +---------------------------------------------------------+
>
>
>
--
Nir Soffer AKA ScorpioS, scorpios@cs.huji.ac.il .
http://www.cs.huji.ac.il/~scorpios/
Justice, n.:
A decision in your favor.
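
An added example, not part of the original thread or of any package discussed in it: a strict check of the UID and GID fields of a passwd line, next to a lenient conversion that turns "#507" into 0. Modelling the lenient behaviour with atoi() is an assumption (the thread only reports that the UID defaulted to 0); the function names and the sample entry are constructed.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Lenient model (assumption): atoi() gives 0 for a field with no leading
 * digits, so "#507" silently becomes ID 0. */
static long lenient_id(const char *field) { return atoi(field); }

/* Strict parse: all decimal digits, int range. Returns the ID, or -1 if malformed. */
static long strict_id(const char *field)
{
    char *end;
    if (field[0] < '0' || field[0] > '9') return -1; /* rejects "", "#507", "-1" */
    errno = 0;
    long v = strtol(field, &end, 10);
    if (errno != 0 || *end != '\0' || v > INT_MAX) return -1;
    return v;
}

/* Copy colon-separated field n (0-based) of a passwd line into buf. */
static int passwd_field(const char *line, int n, char *buf, size_t len)
{
    for (; n > 0; n--) {
        if ((line = strchr(line, ':')) == NULL) return -1;
        line++;
    }
    size_t w = strcspn(line, ":\n");
    if (w >= len) return -1;
    memcpy(buf, line, w);
    buf[w] = '\0';
    return 0;
}

/* Returns 1 if the UID or GID field of the line is malformed, else 0. */
int audit_passwd_line(const char *line)
{
    char uid[32], gid[32];
    if (passwd_field(line, 2, uid, sizeof uid) || passwd_field(line, 3, gid, sizeof gid))
        return 1;
    return (strict_id(uid) < 0 || strict_id(gid) < 0) ? 1 : 0;
}

int main(void)
{
    const char *l = "test:x:#507:100:Test:/home/test:/bin/bash"; /* constructed */
    printf("lenient UID=%ld, strict audit=%d\n", lenient_id("#507"), audit_passwd_line(l));
    return 0;
}
```

A line flagged by audit_passwd_line() is one that a strict parser would treat as "no such user" and a lenient one could map to ID 0.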