
Re: Linux UID/GID 'Feature' (fwd)



On Sun, 11 May 1997, Nir Soffer wrote:

> 
> 
> 
> Weird...
> 
> psychodad:~> cat /etc/passwd | grep test
> test::#507:Test:/home/test:/bin/bash
> psychodad:~> su test
> su: user test does not exist
> psychodad:~>
> 
> Anything I did wrongly?
> 


 Did you read my e-mail at all ??? Please bother reading all the e-mail,
and see what was said at BugTraq, and what I answered. Thus you'll see
that I too said that I don't get this behaviour on my Linux.

--Ariel

> N.
> On Sun, 11 May 1997, Ariel Biener wrote:
> 
> > 
> > 
> > This is my experience on a Slackware 3.1.0 with everything on the newest
> > level. Moreover, it is running with shadow passwords, and as I said
> > already in the attached mail, I believe that the recent Linux releases
> > should have come with shadow passwords by default.
> > 
> > --Ariel
> > 
> >  +---------------------------------------------------------+
> >  | Ariel Biener                                            |
> >  | e-mail: ariel@post.tau.ac.il        Work ph: 03-6406086 |
> >  +---------------------------------------------------------+
> > 
> > ---------- Forwarded message ----------
> > Date: Sun, 11 May 1997 16:43:24 +0300 (IDT)
> > From: Ariel Biener <ariel@fireball.tau.ac.il>
> > To: David Phillips <phillips@PCISYS.NET>
> > Cc: BUGTRAQ@NETSPACE.ORG
> > Subject: Re: Linux UID/GID 'Feature'
> > 
> > On Sat, 10 May 1997, David Phillips wrote:
> > 
> > > I mailed this to a friend as a sanity check:
> > > 
> > >While trying to make a user entry in the /etc/passwd file unrecognized
> > >so I could demonstrate the use of valid UIDs, I placed a # in front of the UID.
> > >My theory was that this would make it an invalid number and cause Linux
> > >to give an authentication failure.  (This worked as expected on SunOS 4.1.4)
> > >But then we tried to su to that user and were rewarded by being dumped
> > >to UID 0.  It didn't recognize the UID so it defaulted to 0.  Cool huh?
> > > 
> > >It seems ideal for a hard to find, back door but given that you must be root
> > >to write to the passwd file, I have not found a better way to really exploit it.
> > >My friend replied:
> > >
> > >I did test the problem using various remote logins, such as rlogin,
> > >rsh, ftp, telnet, exec, ssh and console login. Trying to rlogin, rsh,
> > >rexec or telnet failed with an authentication failure. But, su, ftp, ssh
> > >and console login all succeeded and gave UID 0. A small stumbling block,
> > >but still useful for a backdoor. I'll keep checking it tho'.
> > >
> > >He also noted that it works the same for GID.  We have not taken the time
> > >to research the problem fully but have tested it on Red Hat 4.1(2.0.27/2.0.30)
> > 
> > Hi,
> > 
> > 
> > While that may be true on RedHat-4.1, it's not true for Linux running
> > the latest shadow package. I have tested all the above, in both #UID and #GID
> > cases, and what happens is that if you put a # in any of those fields in the
> > passwd entry, the user is ignored (no such user).
> > Shadow passwords for Linux have existed for quite some time now, and have
> > become the default in operating systems like BSDi/Solaris/AIX, and IMHO,
> > the latest Linux releases should have been packaged with shadow passwording 
> > by default.
> > 
> > Regards,
> > 
> > --Ariel
> > 
> > 
> > >
> > > 
> > >David Phillips, TASC
> > > phillips@pcisys.net
> > > 
> > 
> >  +---------------------------------------------------------+
> >  | Ariel Biener                                            |
> >  | e-mail: ariel@post.tau.ac.il        Work ph: 03-6406086 |
> >  +---------------------------------------------------------+
> > 
> > 
> > 
> 
> --
> Nir Soffer AKA ScorpioS, scorpios@cs.huji.ac.il .
>  http://www.cs.huji.ac.il/~scorpios/
> Justice, n.:
>         A decision in your favor.
> 
> 

   +---------------------------------------------------------+
   | Ariel Biener                                            |
   | e-mail: ariel@post.tau.ac.il        Work ph: 03-6406086 |
   +---------------------------------------------------------+
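
Added example, not part of the original thread or any poster's code: a strict audit of passwd-format text that reports UID or GID fields that are not plain decimal numbers (the `#507` case discussed above), along with empty password fields and extra UID 0 accounts. The function name `audit_passwd` and every sample line except the quoted `test` entry are constructed for illustration.

```python
import re

# Constructed sample in /etc/passwd format. The "test" line is the entry
# quoted in the thread; every other line is made up for this example.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
test::#507:Test:/home/test:/bin/bash
alice:x:1001:#100:Alice:/home/alice:/bin/bash
bob:x:1002:100:Bob:/home/bob:/bin/bash
maint:x:0:0:Maintenance:/root:/bin/bash
"""

DECIMAL = re.compile(r"[0-9]+")


def audit_passwd(text):
    """Return (line_number, login, problem) tuples for suspicious entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        login = fields[0]
        if len(fields) != 7:
            findings.append((lineno, login, "has %d fields, expected 7" % len(fields)))
        # Strict check: the whole field must be decimal digits, so "#507"
        # is reported instead of being silently converted to some number.
        for name, index in (("UID", 2), ("GID", 3)):
            value = fields[index] if index < len(fields) else ""
            if not DECIMAL.fullmatch(value):
                findings.append((lineno, login, "%s %r is not decimal" % (name, value)))
        if len(fields) > 1 and fields[1] == "":
            findings.append((lineno, login, "empty password field"))
        # A second account that resolves to UID 0 is the effect described above.
        if len(fields) > 2 and DECIMAL.fullmatch(fields[2]) \
                and int(fields[2]) == 0 and login != "root":
            findings.append((lineno, login, "UID 0 on a non-root account"))
    return findings


if __name__ == "__main__":
    for lineno, login, problem in audit_passwd(SAMPLE_PASSWD):
        print("line %d (%s): %s" % (lineno, login, problem))
```

To audit a real system, pass the contents of its passwd file to `audit_passwd` in place of the constructed sample.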

