
su+pam.redhat.txt
Posted Aug 17, 1999

The Red Hat PAM-enabled version of the 'su' utility allows any local user to easily brute force the superuser (root) password with fast scripted (automated) attacks, while also avoiding all logging via syslog.

tags | exploit, local, root
systems | linux, redhat
SHA-256 | c23abd14c9e2881dca4bfad7645174d90c764fbcf557a71897e7f5dda127b21f

Date: Wed, 9 Jun 1999 14:07:27 -0700
From: Tani Hosokawa <unknown@RIVERSTYX.NET>
To: BUGTRAQ@netspace.org
Subject: vulnerability in su/PAM in redhat

I was talking to some guy on IRC (st2) and he asked me to mention to
bugtraq (because he's not on the list) that the PAMified su that comes
with redhat has a slight hole. When you try to su to root (for example) if
it's successful, immediately gives you a shell prompt. Otherwise, it
delays a full second, then logs an authentication failure to syslog. If
you hit break in that second, no error, plus you know that the password
was bad, so you can brute force root's password. I wrote a little
threaded Perl prog that tested it (with a 0.25 second delay before the
break) to attack my own password (with my password in the wordlist) and it
seemed to work just fine, even with my own password hundreds of words down
in the list, so it seems pretty predictable, as long as the server's under
very little load (else you get a delay no matter what, and it screws the
whole process by giving false negatives).

---
tani hosokawa
river styx internet
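
The ordering described in the message above (delay, then log) beside a log-first ordering with signals blocked, as an added example that is not part of the original post and is not su or PAM source code. All function names are hypothetical, a byte written to a pipe stands in for the syslog record, and the "break" is a SIGINT sent to a constructed child process.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

static void sleep_ms(long ms) {
    struct timespec ts = { ms / 1000, (ms % 1000) * 1000000L };
    while (nanosleep(&ts, &ts) == -1) { }          /* resume after a signal */
}

/* Failure path of a constructed authenticator; one byte = one log record. */
static void auth_failure_path(int hardened, int log_fd, long delay_ms) {
    if (hardened) {
        sigset_t all;
        sigfillset(&all);
        sigprocmask(SIG_BLOCK, &all, NULL);        /* break can no longer abort */
        if (write(log_fd, "F", 1) != 1) _exit(1);  /* record first ... */
        sleep_ms(delay_ms);                        /* ... then delay */
    } else {
        signal(SIGINT, SIG_DFL);                   /* break terminates the process */
        sleep_ms(delay_ms);                        /* ordering described in the post */
        if (write(log_fd, "F", 1) != 1) _exit(1);  /* skipped if interrupted */
    }
}

/* Returns bit 0 = failure recorded, bit 1 = full delay served; -1 on error. */
int simulate_failed_attempt(int hardened, long delay_ms, long break_ms) {
    int p[2], status = 0, result = 0; char c; pid_t pid;
    if (pipe(p) == -1) return -1;
    if ((pid = fork()) == -1) { close(p[0]); close(p[1]); return -1; }
    if (pid == 0) {                                /* child: the failed attempt */
        auth_failure_path(hardened, p[1], delay_ms);
        _exit(0);
    }
    close(p[1]);
    sleep_ms(break_ms);
    kill(pid, SIGINT);                             /* break during the delay */
    waitpid(pid, &status, 0);
    if (read(p[0], &c, 1) == 1) result |= 1;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0) result |= 2;
    close(p[0]);
    return result;
}

int main(void) {
    printf("%d %d\n", simulate_failed_attempt(0, 400, 100), simulate_failed_attempt(1, 400, 100));
}
```

With the delay-then-log ordering the interrupted attempt leaves no record; with log-then-delay and signals blocked, the record exists and the full delay is served regardless of the break.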

-------------------------------------------------------------------------

Date: Fri, 11 Jun 1999 11:43:59 -0700
From: Tani Hosokawa <unknown@RIVERSTYX.NET>
To: BUGTRAQ@netspace.org
Subject: Re: vulnerability in su/PAM in redhat

Well, I just checked it out on a fairly vanilla RH6.0 box, and it
exhibited the same behaviour. This is only a bug with PAM-enabled
machines; Slackware, etc. do not have this problem. Also, it exhibits
this behaviour with or without shadowed passwords (I pwunconv'd and tried
it just now, same thing happened). I think it's a problem with one of the
PAM modules.

On Fri, 11 Jun 1999, C.J. Oster wrote:

> Not if you have the latest shadow package installed. If you type in an
> incorrect password, you get an immediate 'Sorry.' This may be correct for
> earlier versions of the shadow suite, but I don't remember and I only have
> the newest one installed. Latest version is at
> ftp://ftp.ists.pwr.wroc.pl/pub/linux/shadow/
> >I was talking to some guy on IRC (st2) and he asked me to mention to
> >bugtraq (because he's not on the list) that the PAMified su that comes
> >with redhat has a slight hole. When you try to su to root (for example) if
> >it's successful, immediately gives you a shell prompt. Otherwise, it
> >delays a full second, then logs an authentication failure to syslog. If
> >you hit break in that second, no error, plus you know that the password
> >was bad, so you can brute force root's password. I wrote a little
> >threaded Perl prog that tested it (with a 0.25 second delay before the
> >break) to attack my own password (with my password in the wordlist) and it
> >seemed to work just fine, even with my own password hundreds of words down
> >in the list, so it seems pretty predictable, as long as the server's under
> >very little load (else you get a delay no matter what, and it screws the
> >whole process by giving false negatives).

---
tani hosokawa
river styx internet

-------------------------------------------------------------------------

Date: Fri, 11 Jun 1999 12:38:02 +0000
From: Javi Polo <javipolo@infomail.lacaixa.es>
To: BUGTRAQ@netspace.org
Subject: Re: vulnerability in su/PAM in redhat

On Wed, 9 Jun 1999, Tani Hosokawa wrote:

> with redhat has a slight hole. When you try to su to root (for example) if
> it's successful, immediately gives you a shell prompt. Otherwise, it
> delays a full second, then logs an authentication failure to syslog. If
> you hit break in that second, no error, plus you know that the password
> was bad, so you can brute force root's password. I wrote a little

Checked ....
Confirmed for su that comes with
sh-utils-1.16-14
and using
pam-0.64-3

See you later ...... Oh my God! They killed Kenny!!!!!!
Javi Polo ;)
You can find me on Fido at 2:347/13.4 me too 3000ya.com
NO MOTORWAY!!!!!!!!!!! No to the Llevant motorway
