From: David Harris (dharris_at_drh.net)
Date: Tue Jul 23 2002 - 11:36:08 CDT


    Hi,

    I've got a list of a bunch of msec bugs that I'm about to submit to the
    developers. (If an msec developer wants to contact me off-list, I'll be
    happy to provide what I have ASAP.) Here is my report on this one:

    Bug 13

    In /usr/share/msec/libmsec.py in function password_aging(), the code
    that parses the output from the chage command does not accept negative
    "Maximum" settings. Somehow (I have no idea!) I got a user on my system,
    "bob", that had -1 for the Maximum setting.

    You can see that msec gives an error here and is unable to set the
    password expiration details for that user. When I change the maximum
    setting for that user manually to a non-negative value, msec is then
    able to run without error.

    [root@fermi root]# chage -l bob
    Minimum: -1
    Maximum: -1
    Warning: -1
    Inactive: -1
    Last Change: Feb 13, 2002
    Password Expires: Never
    Password Inactive: Never
    Account Expires: Never
    [root@fermi root]#
    [root@fermi root]# grep bob /etc/shadow /etc/passwd
    /etc/shadow:bob:$1$13614916$AAAAAAAAAA.AAAAAAAAAA0:11731::::::
    /etc/passwd:bob:x:506:506:Bob Harris:/home/bob:/bin/sh
    [root@fermi root]#
    [root@fermi root]#
    [root@fermi root]# msec
    msec: unable to parse chage output
    [root@fermi root]# chage -M 99999 bob
    [root@fermi root]#
    [root@fermi root]# chage -l bob
    Minimum: -1
    Maximum: 99999
    Warning: -1
    Inactive: -1
    Last Change: Feb 13, 2002
    Password Expires: Never
    Password Inactive: Never
    Account Expires: Never
    [root@fermi root]# grep bob /etc/shadow /etc/passwd
    /etc/shadow:bob:$1$13614916$AAAAAAAAAA.AAAAAAAAAA0:11731::99999::::
    /etc/passwd:bob:x:506:506:Bob Harris:/home/bob:/bin/sh
    [root@fermi root]#
    [root@fermi root]# msec
    [root@fermi root]#

    Here is an untested patch:

    --- /usr/share/msec/libmsec.py Fri Mar 8 13:41:21 2002
    +++ /usr/share/msec/libmsec.py.fixchange Fri Jul 12 08:06:38 2002
    -543,7 +543,7
             cronallow.replace_line_matching('root', 'root', 1)
             atallow.replace_line_matching('root', 'root', 1)
     
    -maximum_regex = re.compile('^Maximum:\s*([0-9]+)', re.MULTILINE)
    +maximum_regex = re.compile('^Maximum:\s*(-?[0-9]+)', re.MULTILINE)
     inactive_regex = re.compile('^Inactive:\s*(-?[0-9]+)', re.MULTILINE)
     
     # TODO FL Sat Dec 29 20:18:20 2001
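    Review bot: accepting the optional minus sign only widens the capture; whatever in password_aging() converts and compares the captured group still needs to treat -1 as "no maximum" rather than as a negative day count, and the hunk does not touch that code, so that is the part to verify before calling the fix complete. The change does bring maximum_regex in line with the neighbouring inactive_regex, which already accepts `(-?[0-9]+)`. Separately, the hunk header reads `-543,7 +543,7` without its `@@` delimiters as pasted, so `patch` will not apply it verbatim; resend with the header intact.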

    If this fixes your problem, I'd be interested to know. I'll add the info
    to my upcoming bug report(s).

    David Harris
    President, DRH Internet Inc.
    dharris@drh.net
    http://www.drh.net/
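Added example, not msec's own code: a small parser that runs the original Maximum regex and the patched one from the diff above over the two chage listings reproduced from this post, so the "unable to parse chage output" failure and the fix are both visible, and that normalises the -1 value to "no maximum" for anything that later compares day counts (password_max_days is a hypothetical helper, not a libmsec function).

```python
import re

# Two `chage -l bob` listings taken from the post: the first has Maximum = -1
# (the case msec rejected), the second is after `chage -M 99999 bob`.
CHAGE_NEGATIVE = """Minimum: -1
Maximum: -1
Warning: -1
Inactive: -1
Last Change: Feb 13, 2002
Password Expires: Never
"""
CHAGE_FIXED = CHAGE_NEGATIVE.replace("Maximum: -1", "Maximum: 99999")

# Original libmsec pattern (unsigned digits only) beside the patched one.
MAXIMUM_REGEX_ORIGINAL = re.compile(r'^Maximum:\s*([0-9]+)', re.MULTILINE)
MAXIMUM_REGEX_PATCHED = re.compile(r'^Maximum:\s*(-?[0-9]+)', re.MULTILINE)
# inactive_regex in the same file already accepted a leading minus sign.
INACTIVE_REGEX = re.compile(r'^Inactive:\s*(-?[0-9]+)', re.MULTILINE)


def parse_chage(output, maximum_regex=MAXIMUM_REGEX_PATCHED):
    """Extract Maximum and Inactive from `chage -l` output as integers.

    Raises ValueError when either field does not match, which is the
    condition behind msec's "unable to parse chage output" message.
    """
    max_match = maximum_regex.search(output)
    inactive_match = INACTIVE_REGEX.search(output)
    if max_match is None or inactive_match is None:
        raise ValueError("unable to parse chage output")
    return {"Maximum": int(max_match.group(1)),
            "Inactive": int(inactive_match.group(1))}


def password_max_days(parsed):
    """chage reports -1 when no maximum is set (hypothetical helper):
    return None for that instead of handing a negative age limit onward."""
    maximum = parsed["Maximum"]
    return None if maximum < 0 else maximum


if __name__ == "__main__":
    for listing in (CHAGE_NEGATIVE, CHAGE_FIXED):
        try:
            print("old regex:", parse_chage(listing, MAXIMUM_REGEX_ORIGINAL))
        except ValueError as err:
            print("old regex:", err)
        print("new regex:", password_max_days(parse_chage(listing)))
```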

    -----Original Message-----
    From: spam [mailto:spam@anti-sekurity.org]
    Sent: Sunday, July 21, 2002 6:36 PM
    To: discuss@mandrakesecure.net
    Subject: [discuss] Fwd: Mandrake 8.2 MSEC

    Just saw this on the security-audit list, thought maybe it should be
    here:

    ---------- Forwarded Message ----------

    Subject: Mandrake 8.2 MSEC
    Date: 21 Jul 2002 23:58:06 -0000
    From: Dan <silver83@gte.net>
    To: security-audit@ferret.lmh.ox.ac.uk

    Hello guys, I'm confused here; if anyone could clarify this for me that
    would be great!
    [root@pulserate silveradmin]# msec 1
    msec: unable to parse chage output

    Does anyone know what this means? Why does it do this? It just started
    this. I have this on two systems at work now. Is it possible that they
    got exploited somehow? I keep up on updates. Any ideas?

    Okay, I currently administer 2 systems that have Mandrake 8.2 (work) and
    1 8.1 at my house here. WELL, the two systems I BELIEVE but am NOT sure
    that they are/were compromised. I know for a fact that the system at
    home ISN'T. Well, something weird went first. The msec was working fine
    till one day some guy messaged my boss online on IRC w/ one of our
    hostnames; either he somehow spoofed it and got on w/ an ident, which
    isn't changeable in Mandrake for the usernames. I didn't see anything,
    but then ever since that the system didn't work correctly.. well, the
    MSEC didn't; it got the error up above even if I just run 'msec'. It
    should just run, but it doesn't give me that info like what changed and
    all the other goodies.. Now just recently another one of our boxes
    started to do it, which hosts our websites.. now I'm really worried that
    something got compromised somehow, someway, I don't know which. If
    anyone has any ideas please tell me. BTW, I've been running the Mandrake
    8.2 systems for the past 6 months and mine at home for the past 3 yrs
    and haven't had that problem.. so I'm not sure what to think as of right
    now; hopefully someone has some pointers. Thanks ahead of time!
