Re: [VulnWatch] Sun passwd(1) Command Vulnerability

["Jay D. Dyson" <jdyson () bugtraq org>]

Chris,

The grammar of this alert has left me somewhat curious, and I was wondering if you could take a moment to clarify a few 
quick questions from a fan of the l0pht, such as myself.

The vulnerability assessment of this is listed as MEDIUM.  Also, the word may is used, instead of will.  So my 
questions are as follows:

1) Is a bug that yields local root privilages on a widespread commercial Unix only a medium risk?

2) Was atstake unable to verify whether or not this exploitable, hence the "may be exploitable", instead of "A local 
unprivileged user can gain unauthorized root privileges."

I often find the grammar used in security advisories and briefs to be confusing, and I'm forced to wonder if the 
wording is deliberate.  Historically, when security companies have made claims that they could not verify, they have 
been dealt with in a very public, and very humilitating fashion, so I rather suspect that meticulous care is put in the 
phrasing without making any brash unverified statements, that could cause such embarassment to said company.

Knowing you, and having the utmost respect for your views on full disclosure and the free exchange of information and 
ideas, I look forward to your response on this matter.

As I stated earlier, I have always been a big fan of The l0pht - and further that nc.exe has forever changed my life.

Incidently, to all the children out there reading the mailing lists - listening to The Crystal Method is acceptable 
behavior, but using crystal meth is not.

Chris, I look forward to your speedy reply to this email. 

On Fri, Mar 05, 2004 at 11:21:28AM -0500, Chris Wysopal wrote:
> O-088: Sun passwd(1) Command Vulnerability
>
> [Sun Alert ID: 57454]
>
> March 2, 2004 22:00 GMT
> --------------------------------------------------------------------------------
>
> PROBLEM: The passwd command computes the hash of a password typed at
> run-time or the hash of each password in a list. A vulnerability exists in
> this command.
>
> PLATFORM: Solaris 8, 9 (SPARC and x86 Platforms)
>
> DAMAGE:  A local unprivileged user may be able to gain unauthorized root
> privileges due to a security issue involving the passwd(1) command.
>
> SOLUTION: Install the security patch.
>
> --------------------------------------------------------------------------------
>
> VULNERABILITY
> ASSESSMENT: The risk is MEDIUM. A local unprivileged user may be able to
> gain unauthorized root privileges.
>
> --------------------------------------------------------------------------------
>
> LINKS:
>
>   CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/o-088.shtml
>
>   ORIGINAL BULLETIN: Sun Alert ID: 57454
> http://www.sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57454&zone_32=category%3Asecurity

-- 
- -Jay

   (    (                                                        _______
   ))   ))   .-"There's always time for a good cup of coffee"-.   >====<--.
 C|~~|C|~~| (>------ Jay D. Dyson -- jdyson () bugtraq org ------<) |    = |-'
  `--' `--'  `-------- Si latinam satis simiis doces, --------'  `------'
              `--- quandoque unus aliquid profundum dicet ---'
          

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html