su+pam.redhat.txt

17 Aug 1999 · Reported by Packet Storm · Type: packetstorm · Source: packetstormsecurity.com

The PAM-enabled su shipped with Red Hat delays for a second on a failed login before logging it, which allows brute-force attacks that use the delay to detect a bad password.

Code
`Date: Wed, 9 Jun 1999 14:07:27 -0700  
From: Tani Hosokawa <[email protected]>  
To: [email protected]  
Subject: vulnerability in su/PAM in redhat  
  
I was talking to some guy on IRC (st2) and he asked me to mention to  
bugtraq (because he's not on the list) that the PAMified su that comes  
with redhat has a slight hole. When you try to su to root (for example) if  
it's successful, immediately gives you a shell prompt. Otherwise, it  
delays a full second, then logs an authentication failure to syslog. If  
you hit break in that second, no error, plus you know that the password  
was bad, so you can brute force root's password. I wrote a little  
threaded Perl prog that tested it (with a 0.25 second delay before the  
break) to attack my own password (with my password in the wordlist) and it  
seemed to work just fine, even with my own password hundreds of words down  
in the list, so it seems pretty predictable, as long as the server's under  
very little load (else you get a delay no matter what, and it screws the  
whole process by giving false negatives).  
  
---  
tani hosokawa  
river styx internet  
  
-------------------------------------------------------------------------  
  
Date: Fri, 11 Jun 1999 11:43:59 -0700  
From: Tani Hosokawa <[email protected]>  
To: [email protected]  
Subject: Re: vulnerability in su/PAM in redhat  
  
Well, I just checked it out on a fairly vanilla RH6.0 box, and it  
exhibited the same behaviour. This is only a bug with PAM-enabled  
machines, Slackware, etc. do not have this problem. Also, it exhibits  
this behaviour with or without shadowed passwords (I pwunconv'd and tried  
it just now, same thing happened). I think it's a problem with one of the  
PAM modules.  
  
On Fri, 11 Jun 1999, C.J. Oster wrote:  
  
> Not if you have the latest shadow package installed. If you type in an  
> incorrect password, you get an immediate 'Sorry.' This may be correct for  
> earlier versions of the shadow suite, but I don't remember and I only have  
> the newest one installed. Latest version is at  
> ftp://ftp.ists.pwr.wroc.pl/pub/linux/shadow/  
> >I was talking to some guy on IRC (st2) and he asked me to mention to  
> >bugtraq (because he's not on the list) that the PAMified su that comes  
> >with redhat has a slight hole. When you try to su to root (for example) if  
> >it's successful, immediately gives you a shell prompt. Otherwise, it  
> >delays a full second, then logs an authentication failure to syslog. If  
> >you hit break in that second, no error, plus you know that the password  
> >was bad, so you can brute force root's password. I wrote a little  
> >threaded Perl prog that tested it (with a 0.25 second delay before the  
> >break) to attack my own password (with my password in the wordlist) and it  
> >seemed to work just fine, even with my own password hundreds of words down  
> >in the list, so it seems pretty predictable, as long as the server's under  
> >very little load (else you get a delay no matter what, and it screws the  
> >whole process by giving false negatives).  
  
---  
tani hosokawa  
river styx internet  
  
-------------------------------------------------------------------------  
  
Date: Fri, 11 Jun 1999 12:38:02 +0000  
From: Javi Polo <[email protected]>  
To: [email protected]  
Subject: Re: vulnerability in su/PAM in redhat  
  
On Wed, 9 Jun 1999, Tani Hosokawa wrote:  
  
> with redhat has a slight hole. When you try to su to root (for example) if  
> it's successful, immediately gives you a shell prompt. Otherwise, it  
> delays a full second, then logs an authentication failure to syslog. If  
> you hit break in that second, no error, plus you know that the password  
> was bad, so you can brute force root's password. I wrote a little  
  
Checked ....  
Confirmed for su that comes with  
sh-utils-1.16-14  
and using  
pam-0.64-3  
  
See ya later ...... Oh my God! They killed Kenny!!!!!!  
Javi Polo ;)  
You can find me on Fido at 2:347/13.4, me too 3000ya.com  
NO MOTORWAY!!!!!!!!!!! No to the Llevant motorway  
  
`
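
The ordering problem described in the thread, reduced to a sketch that is added here and is not code from su, PAM or any of the posters: a failure path that delays before logging loses the log entry when the break arrives, while one that logs first does not. `log_failure` and `fail_delay` are constructed stand-ins, and the log-first path with SIGINT held is an assumed mitigation, not the fix Red Hat shipped.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Constructed stand-in for syslog(): one byte on fd = "failure recorded". */
static void log_failure(int fd) { if (write(fd, "F", 1) != 1) _exit(2); }

/* Stand-in for the fail delay; the break (SIGINT) arrives while it runs. */
static void fail_delay(void) {
    struct timespec ts = {0, 10 * 1000 * 1000};  /* 10 ms, not 1 s */
    raise(SIGINT);
    nanosleep(&ts, NULL);
}

/* Order described in the thread: delay first, log afterwards. */
static void delay_then_log(int fd) { fail_delay(); log_failure(fd); }

/* Assumed mitigation: log first, then hold SIGINT until the delay is over. */
static void log_then_delay(int fd) {
    sigset_t hold, old;
    log_failure(fd);
    sigemptyset(&hold); sigaddset(&hold, SIGINT);
    sigprocmask(SIG_BLOCK, &hold, &old);
    fail_delay();
    sigprocmask(SIG_SETMASK, &old, NULL);  /* pending SIGINT lands here */
}

/* Run one failure path in a child; return 1 if the failure was logged. */
int failure_was_logged(void (*path)(int)) {
    int p[2]; char c; pid_t pid;
    if (pipe(p) != 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) {                      /* child plays the su process */
        close(p[0]);
        signal(SIGINT, SIG_DFL);
        path(p[1]);
        _exit(0);
    }
    close(p[1]);
    ssize_t n = read(p[0], &c, 1);       /* EOF (0) if the child died first */
    close(p[0]); waitpid(pid, NULL, 0);
    return n == 1;
}

int main(void) {
    printf("delay-then-log logged: %d\n", failure_was_logged(delay_then_log));
    printf("log-then-delay logged: %d\n", failure_was_logged(log_then_delay));
}
```

With the log written first, every failed attempt leaves a record regardless of when the process is interrupted, and holding the signal keeps the delay from being cut short.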
