The 'Security Digest' Archives (TM)


ARCHIVE: Zardoz 'Security Digest' - Archives (1989 - 1991)
DOCUMENT: Zardoz 'Security Digest' V1 #5 not known (1 file, 1497 bytes)


Security Digest Volume 1 Issue 5


            Serious security problem with yppasswdd
            ulimit 0;passwd trashes /etc/passwd under System V/386
            Re: do not run fingerd as root


Date: Wed, 1 Feb 89 16:09:42 PST
From: neil (Neil Gorsuch)
Subject: Serious security problem with yppasswdd

[This was posted in the usenet news group comp.sys.sun - neil]

[[ I saw this on Sun-Nets and decided that many people here would also be
interested in seeing it.  I changed the subject line to more accurately
reflect the message's content.  --wnl ]]

Turn off your unpatched yppasswdd servers immediately!!!  Anyone on the
internet can convince these to create a passwordless root account.  I will
post the method in two weeks time unless strongly urged not to do so.
(This gives everyone plenty of time to get the SUN patch tape, or turn
off yppasswdd.  I do believe though in giving people a chance to take
action before compromising whatever measure of security they have left.)


[[ This bug apparently exists in all known yp implementations:  3.x, 4.0,
4.0.1, and even implementations that aren't Sun's.  Our system manager
called Sun for a patch tape, but I haven't heard yet if they even returned
her call or acknowledged that such a tape exists.  --wnl ]]


Date: 31 Jan 89 20:39:38 CST (Tue)
From: uunet!sugar!karl (Karl Lehenbauer)
Subject: ulimit 0;passwd trashes /etc/passwd under System V/386

Any user who can get to a shell can kill /etc/passwd on Bell Technologies
System V/386 3.0 and Microport 3.0 and probably many, many others.
I read about this in-the-clear in comp.unix.microport and, after suitably
backing up, tried it and it worked, from regular user privilege levels.

ulimit 0
passwd

After entering a new password, /etc/passwd will have a length of zero.

Before trying this, think it through and be sure you can get back up.
You won't be able to 'su' if it works, so if you're not already root
on a terminal or something, you'll have to do a floppy boot or *something*
to restore /etc/passwd.  I actually screwed up on this, but was able to
get in over the in-house LAN and restore it.
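The failure Karl describes is a setuid passwd inheriting the caller's file-size limit and never checking whether its writes succeeded: the truncate-in-place succeeds, the write fails, and a zero-length file is left behind. The C program below is added here as an example and is not code from the digest or from any vendor's passwd(1). It reproduces the effect on a temporary copy of a constructed passwd-style file: naive_rewrite truncates in place and ignores write()'s result, while safe_rewrite writes a sibling temp file, checks every call, and rename()s it over the original only on success. The function names, the sample file content and the /tmp paths are the example's own.

```c
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-in for /etc/passwd; the demo never touches the real file. */
static const char SAMPLE[] = "root:x:0:0:root:/:/bin/sh\nkarl:x:100:100::/usr/karl:/bin/sh\n";
long sample_size(void) { return (long)(sizeof SAMPLE - 1); }

/* Careless in-place rewrite. Under a soft RLIMIT_FSIZE of 0 the O_TRUNC still
 * succeeds (shrinking is always allowed), write() fails with EFBIG, and the
 * caller is told all is well: the file is now zero bytes long. */
int naive_rewrite(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    ssize_t ignored = write(fd, data, strlen(data));   /* the bug: never checked */
    (void)ignored;
    close(fd);
    return 0;
}

/* Defensive rewrite: write a sibling temp file, check every write(), fsync(),
 * close() and rename(), and only then replace the original atomically. */
int safe_rewrite(const char *path, const char *data)
{
    char tmp[4096];
    size_t len = strlen(data), off = 0;
    if (snprintf(tmp, sizeof tmp, "%s.tmp.%ld", path, (long)getpid()) >= (int)sizeof tmp)
        return -1;
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0)
        return -1;
    while (off < len) {
        ssize_t n = write(fd, data + off, len - off);
        if (n <= 0) {                /* EFBIG under ulimit 0, ENOSPC on a full disk */
            close(fd);
            unlink(tmp);
            return -1;
        }
        off += (size_t)n;
    }
    if (fsync(fd) != 0 || close(fd) != 0 || rename(tmp, path) != 0) {
        unlink(tmp);
        return -1;
    }
    return 0;
}

static long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Seed a temp copy of SAMPLE, drop the soft file-size limit to 0 (what "ulimit 0"
 * does in the shell and what a setuid passwd then inherits), run one rewriter,
 * restore the limit, and report the return code and the resulting file size. */
int run_demo(int use_safe, long *size_out)
{
    char path[] = "/tmp/passwd.demo.XXXXXX";
    struct rlimit saved, lowered;
    int fd = mkstemp(path), rc;
    *size_out = -1;
    if (fd < 0)
        return -2;
    close(fd);
    if (safe_rewrite(path, SAMPLE) != 0 || getrlimit(RLIMIT_FSIZE, &saved) != 0) {
        unlink(path);
        return -2;
    }
    /* An over-limit write also raises SIGXFSZ, which kills the process by
     * default; ignore it so write() simply returns -1 with errno EFBIG. */
    signal(SIGXFSZ, SIG_IGN);
    lowered = saved;
    lowered.rlim_cur = 0;            /* soft limit only, so it can be raised again */
    if (setrlimit(RLIMIT_FSIZE, &lowered) != 0) {
        unlink(path);
        return -2;
    }
    rc = use_safe ? safe_rewrite(path, SAMPLE) : naive_rewrite(path, SAMPLE);
    setrlimit(RLIMIT_FSIZE, &saved);
    signal(SIGXFSZ, SIG_DFL);
    *size_out = file_size(path);
    unlink(path);
    return rc;
}

int main(void)
{
    long sz;
    int rc = run_demo(0, &sz);
    printf("naive rewrite under ulimit 0: returned %d, file is %ld bytes\n", rc, sz);
    rc = run_demo(1, &sz);
    printf("safe rewrite under ulimit 0:  returned %d, file is %ld bytes\n", rc, sz);
    return 0;
}
```

Two caveats worth knowing before trying this on a real system: an over-limit write delivers SIGXFSZ as well as returning EFBIG, and the default action of that signal terminates the process, so a program that does not handle or ignore it dies mid-update. A setuid-root passwd could also just raise the limit itself with setrlimit() before touching the file, since root may raise the hard limit; the temp-file-and-rename pattern is the more general fix because it also survives a full disk, an I/O error or a signal arriving halfway through the write.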


Date: Mon, 30 Jan 89 20:18:39 -0500
From: uunet!!mjs (Mike Spitzer)
Subject: Re: do not run fingerd as root

> I'd call this a work-around. The solution is fixing finger so it
> checks that .plan and .project are regular files. I did this at my

Unix allows you to create hard links to files that you don't own and
can't read.  So, if you:

        cd ~
        ln ../someuser/unreadable-file .plan
        finger [email protected]

You'll still get the file if fingerd is running as root.  The .plan is
still a normal file so the restrictions suggested above won't stop
you.  You'll be able to read any file in a readable directory on
the same filesystem as your home directory.