Subject: Re: RedHat 6.1 /and others/ PAM
From: Keith Warno (keith@HAGGLEWARE.COM)
Date: Wed Feb 02 2000 - 14:30:19 CST
For the curious, on SuSE 6.2 (PAM 0.68):
keith@develop[pts/11]:~/work/dev$ echo ls ~archive | su archive
Password:
Mailbox backups linux public_html scripts tmp
keith@develop[pts/11]:~/work/dev$ echo ls ~archive | su archive
Password:
su: incorrect password
keith@develop[pts/11]:~/work/dev$
Always asks for password regardless of pipe. Anything passed to su via pipe
is used as if it's an arg to -c option.
----- Original Message -----
From: "Markus Dobel" <m@RKUS.DOBEL.DE>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: 01 February 2000, Tuesday 14:24
Subject: Re: RedHat 6.1 /and others/ PAM
| Simple Nomad wrote:
| >
| > Trying to "echo PASSWORD | su ACCOUNT" will elicit a response of
| > "standard in must be a tty..." therefore the sploit would stop on the
| > first word in the list as if it was the correct password. Therefore I fail
| > to see the exact sploit here. I tried this on a stock RH 6.1 machine.
|
| this happens on a redhat 5.2:
|
| [markus@balu markus]$ echo wrongpass | su -
| Password: su: incorrect password
| [markus@balu markus]$ echo rootpass | su -
| Password: stdin: is not a tty
|
| so there is a noticeable difference between the right password and the
| wrong ones.
|
| this is what redhat 6.1 tells me:
|
| [md@serv md]$ echo wrongpass | su -
| standard in must be a tty
| [md@serv md]$ echo rightpass | su -
| standard in must be a tty
|
| seems like they fixed it.
|
| regards, markus
|