Bugtraq mailing list archives

RedHat 6.1 /and others/ PAM


From: lcamtuf () AGS PL (Michal Zalewski)
Date: Sun, 30 Jan 2000 12:12:16 +0100


A vulnerability /feature?;)/ in PAM shipped with RedHat 6.1 allows an
attacker to perform a rapid brute-force password cracking attack without any
evidence in the system logs.

Exploit attached.

Fix: do syslog() stuff before sleep() or change /bin/su behaviour in some
other way.

_______________________________________________________
Michal Zalewski * [lcamtuf () ags pl] <=> [AGS WAN SYSADM]
[dione.ids.pl SYSADM] <-> [http://lcamtuf.na.export.pl]
[+48 22 813 25 86] [+48 603 110 160] bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=

APPLICATION/X-SH attachment: stored
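The ordering the fix calls for, shown with an added C example that is not the PAM or /bin/su code and not the attached exploit: a stand-in failure handler runs in a child process, the child is terminated while it is still inside sleep(), and the parent checks whether the audit record survived. A pipe stands in for syslog(); the function names, the 2-second delay and the 300 ms kill timing are assumptions.

```c
#define _DEFAULT_SOURCE 1
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Audit sink: a pipe stands in for syslog(), so the caller can read what was recorded. */
static void record_failure(int fd, const char *user) {
    char line[128];
    int n = snprintf(line, sizeof line, "FAILED su for %s", user);
    (void)write(fd, line, (size_t)n);
}

/* Vulnerable ordering: delay the caller first, log afterwards. */
void fail_delay_then_log(int fd, const char *user) {
    sleep(2);
    record_failure(fd, user);
}

/* Fixed ordering: log first, then delay. */
void fail_log_then_delay(int fd, const char *user) {
    record_failure(fd, user);
    sleep(2);
}

/* Run a handler in a child, terminate the child while it is still delaying,
 * and report whether any audit record reached the sink (1 = yes, 0 = no, -1 = error). */
int audit_survives_termination(void (*handler)(int, const char *)) {
    int pipefd[2];
    if (pipe(pipefd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                 /* child: stands in for the su process */
        close(pipefd[0]);
        handler(pipefd[1], "root");
        _exit(0);
    }
    close(pipefd[1]);               /* parent keeps only the read end */
    usleep(300000);                 /* child is now inside sleep(2) */
    kill(pid, SIGKILL);             /* session torn down mid-delay */
    waitpid(pid, NULL, 0);
    char buf[128];
    ssize_t n = read(pipefd[0], buf, sizeof buf);   /* 0 = EOF, nothing was logged */
    close(pipefd[0]);
    return n > 0 ? 1 : 0;
}
```

With the delay-then-log order the record never reaches the sink; with log-then-delay it is already written when the process dies, which is exactly the property a regression test for the fix should assert.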

