Full Disclosure mailing list archives
Re: Leveraging pam_env to steal DSA keys
From: Peter van Dijk <peter () 7bits nl>
Date: Tue, 31 May 2011 05:55:27 +0200
On May 31, 2011, at 12:48 AM, paul.szabo () sydney edu au wrote:
... http://7bits.nl/projects/pamenv-dsakeys/pamenv-dsakeys.htmlSeems to me that CVE-2010-3435 may allow users to determine also: password in /etc/lilo.conf secret in /etc/bind/named.conf /etc/bind/rndc.conf /etc/bind/rndc.key bits of /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_rsa_key which should all be protected.
- lilo.conf commonly has whitespace around '=', pam_env does not tolerate that - bind configs don't even use '=' and are often indented, pam_env does not tolerate indents - RSA appears to be uninteresting in that the amount of bits we can lift is not sufficient to make an attack feasible (this is in the article!) - the DSA host key certainly is a target If I understand correctly, Debian (and, I presume, Ubuntu) put this bug on low priority precisely because there were very few practical applications that they knew of. Cheers, Peter _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Leveraging pam_env to steal DSA keys Peter van Dijk (May 30)
- Re: Leveraging pam_env to steal DSA keys paul . szabo (May 30)
- Re: Leveraging pam_env to steal DSA keys Peter van Dijk (May 30)
- Re: Leveraging pam_env to steal DSA keys paul . szabo (May 31)
- Re: Leveraging pam_env to steal DSA keys Peter van Dijk (May 30)
- Re: Leveraging pam_env to steal DSA keys paul . szabo (May 30)