Bugtraq mailing list archives
Re: passwd command in AIX 4.1.4
From: jadestar () NETCOM COM (JaDe)
Date: Mon, 5 Feb 1996 18:06:11 -0800
The passwd command under AIX 4.1.4 does not ask for the old password if you are root, even if you are changing root's password. To me this is a serious security flaw, but I haven't had any satisfaction from IBM or my suppliers (that said they would pass on my opinion). Am I alone in thinking this is a serious problem?
You may not be "alone" but you may not be in very good company.

It is only a security problem to someone who leaves a root shell logged in and unattended. If you do this then a creative cracker will scatter some suid shells and trojan suid applications (something that looks like it's *supposed to be suid*). Then he'll look for tripwire and work on replacing it with a hacked version that will ignore his backdoors.

Changing root password isn't satisfactory to a cracker -- you'll know that the gig is up very soon.

About the only real danger I see in it is some sort of denial of service script where root is tricked into running an expect script which forces a change to root's password. This isn't very subtle -- it would be much more clever to use this spoof on random user ids (by linking into one of root's binaries or scripts). This would have the insidious effect of making it appear that users were forgetting their passwords more frequently than usual -- or that the shell accounts were being cracked all over the place. This would be particularly unpleasant if it was the passwd command itself that the trojan linked into.

In either of these scenarios the real problem was in root's practices. This minor "failure" of passwd doesn't contribute to any exploit of root -- it just removes a minor inconvenience. If the cracker is at a root shell he can use any call to crypt() to create a password and vi, emacs, awk, sed, perl or any similar utility to patch it directly into the /etc/passwd file.

If you can imagine a scenario where AIX's behavior is a substantive threat, please let me, let us all, know.
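A tripwire-style check for the two things the reply says matter, a changed root password field and a new uid-0 entry, as an added example that is not part of the thread. It runs over two constructed passwd-style snapshots rather than a live /etc/passwd, and on systems that keep the hash in a shadow file the same comparison would be run over that file instead.

```python
"""Flag suspicious differences between two snapshots of a passwd-style file.

Added example, not from the thread: a tripwire-style comparison that reports
a changed password field, a changed uid, a removed account, and any new
account, with new uid-0 accounts called out. Both snapshots are constructed.
"""
from typing import Dict, List, Tuple

# Constructed samples in the classic 7-field passwd format (hash in field 2).
BEFORE = """root:abXy1234567890:0:0:root:/:/bin/ksh
daemon:*:1:1::/etc:
alice:q1w2e3r4t5y6u:201:1:Alice:/home/alice:/bin/ksh
"""
AFTER = """root:ZZneWhAsH00000:0:0:root:/:/bin/ksh
daemon:*:1:1::/etc:
alice:q1w2e3r4t5y6u:201:1:Alice:/home/alice:/bin/ksh
toor:abXy1234567890:0:0:backdoor:/:/bin/sh
"""


def parse_passwd(text: str) -> Dict[str, Tuple[str, ...]]:
    """Map user name -> the remaining six fields; skip blank/comment lines."""
    entries: Dict[str, Tuple[str, ...]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries[fields[0]] = tuple(fields[1:])
    return entries


def diff_passwd(before: str, after: str) -> List[str]:
    """Return human-readable alerts for changes an admin should look at."""
    old, new = parse_passwd(before), parse_passwd(after)
    alerts: List[str] = []
    for user, fields in new.items():
        pw, uid = fields[0], fields[1]
        if user not in old:
            tag = "NEW uid-0 ACCOUNT" if uid == "0" else "new account"
            alerts.append(f"{tag}: {user}")
            continue
        if old[user][0] != pw:
            alerts.append(f"password field changed: {user}")
        if old[user][1] != uid:
            alerts.append(f"uid changed: {user} {old[user][1]} -> {uid}")
    for user in old.keys() - new.keys():
        alerts.append(f"account removed: {user}")
    return alerts


if __name__ == "__main__":
    for alert in diff_passwd(BEFORE, AFTER):
        print(alert)
```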