mailing list archives
Re: smbd remote file creation vulnerability
From: sarnold () wirex com
Date: Wed, 27 Jun 2001 17:12:47 -0700
On Tue, Jun 26, 2001 at 11:08:04AM +0200, Joachim Blaabjerg wrote:
Appending to /etc/passwd has nothing to do with pam.
No, not directly, but if your `su` uses PAM to authenticate users and PAM
reacts to the spaces in the beginning of the passwd file, it surely has
something to do with PAM. To check whether `su` uses PAM or not, try "ldd
`which su`|grep libpam"
The fun thing, of course, is that it doesn't matter about the specifics
of how 'su' reacts when presented with this situation. This just
happened to be a very simple and provocative exploit. The attacked
target doesn't have to be /etc/passwd. This exploit could be re-written
trivially to use other files -- think 'cron', /root/.bash_profile,
/etc/bashrc, /etc/Muttrc, etc. All with at least one, probably more,
lines under control of an attacker.
Regardless of how anyone's 'su' reacts, upgrading samba to a fixed
version is very important.
Re: smbd remote file creation vulnerability Fatal Connect (Jun 25)