List: best-of-security
Subject: linux yppasswd bug
From: Julian Assange <proff () suburbia ! net>
Date: 1995-08-23 15:28:23
Hi all,

here's the details on the hole in my yppasswdd. The bug was stupid and
simple; I forgot to check the user-supplied password for colons. This
allows people to submit a password update with a password like this:

    :0:0:Big Boss:/:/tmp/foo

This will turn their password entry into something like this:

    joe.user::0:0:Big Boss:/:/tmp/foo:Joe Random User:/home/joe:/bin/bash

All they now have to do is to copy their favorite shell to

    /tmp/foo:Joe Random User:/home/joe:/bin/bash

Note that all of these are valid filename characters.

While fixing this, I noticed a second oversight, which may not be as bad,
but may cause problems nevertheless: Users were able to set passwords for
NIS entries like +janet or -joe if they were passwordless. Usually,
entries like these should not occur in the NIS server's password file,
and I do not believe they are actually checked by any program. The
new version checks for them anyway.
Olaf
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
For my PGP public key, finger okir@brewhq.swb.
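
The two checks described in the message above, written out as an added example in C. This is not the yppasswdd fix itself, which the message does not show; the function names, the sample hash and the uid/gid values are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PASSWD_FIELDS 7   /* name:passwd:uid:gid:gecos:home:shell */

/* Hypothetical helper: 1 if value can be stored as ONE passwd field.
 * A colon would start a new field; a control char could start a new line. */
int field_is_safe(const char *value)
{
    for (const unsigned char *p = (const unsigned char *)value; *p; p++)
        if (*p == ':' || *p < 0x20 || *p == 0x7f)
            return 0;
    return 1;
}

/* Hypothetical helper: 1 for NIS entries such as +janet or -joe. */
int is_nis_compat_entry(const char *name)
{
    return name[0] == '+' || name[0] == '-';
}

/* Number of colon-separated fields in a passwd line. */
int count_fields(const char *line)
{
    int n = 1;
    for (; *line; line++)
        if (*line == ':') n++;
    return n;
}

/* Build the updated entry; 0 on success, -1 if the update is refused.
 * "rest" is the unchanged uid:gid:gecos:home:shell tail of the old entry. */
int build_entry(char *out, size_t outlen, const char *name,
                const char *new_pw, const char *rest)
{
    if (is_nis_compat_entry(name) || !field_is_safe(new_pw)) return -1;
    int n = snprintf(out, outlen, "%s:%s:%s", name, new_pw, rest);
    if (n < 0 || (size_t)n >= outlen) return -1;
    /* Defence in depth: the finished line must still have 7 fields. */
    return count_fields(out) == PASSWD_FIELDS ? 0 : -1;
}

int main(void)
{
    char line[256];
    const char *rest = "501:100:Joe Random User:/home/joe:/bin/bash"; /* constructed */
    const char *pw[] = { "abJnggxhB/yWI" /* constructed hash */, ":0:0:Big Boss:/:/tmp/foo" };
    for (int i = 0; i < 2; i++)
        printf("%-26s -> %s\n", pw[i],
               build_entry(line, sizeof line, "joe.user", pw[i], rest) ? "rejected" : line);
    return 0;
}
```

The field count after formatting catches the same class of mistake if a later code path forgets the per-field check.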