\'useradd -p\' problems.

[joetesta () hushmail com]

-----BEGIN PGP SIGNED MESSAGE-----

Hi --

    On my Trustix 1.2 box, I noticed that creating a user with 'useradd' and
the '-p' option (which gives the new user a default password) does not hash
the password in /etc/shadow:


root@hogs /# cat /etc/redhat-release
Trustix Secure Linux release 1.2 (Anywhere)
root@hogs /# useradd -p h4x0r lordspankatron
root@hogs /# tail -2 /etc/shadow
johnnyuser:$1$JiUjVlWa$gnfXvKsHUxnjoIPGmkt/1.:11562:0:99999:7:-1:-1:2147482240
lordspankatron:h4x0r:11562:0:99999:7:::



This bug doesn't seem exploitible for two reasons:

    1.)  The user cannot log in with the supplied password because
MD5( password_supplied_at_login_prompt ) != unhashed_password_in_shadow_file
    2.)  /etc/shadow exists in mode 0400, so no one besides the super-user
can read it anyway.


    BUT... never say never.  I can't think of a practical environment where
this can be abused, and thus, I submit this report to the Vuln-Dev
wizards.  =]
    [This just in:  I've confirmed that this works on Redhat 7.1 too.]



    - Joe Testa

e-mail:   joetesta () hushmail com
web page: http://hogs.rit.edu/~joet
AIM:      LordSpankatron


-----BEGIN PGP SIGNATURE-----
Version: Hush 2.0

wl0EARECAB0FAjuL4xIWHGpvZXRlc3RhQGh1c2htYWlsLmNvbQAKCRA/wHT6vruBNA1x
AKCR3LpGyouIg7REDMwYSBsnsJsuTQCeMF8n3PccwTDT2nhZmz9hCBvzW0Q=
=Gurv
-----END PGP SIGNATURE-----