[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] Re: [VulnWatch] Sun passwd(1) Command Vulnerability

To: Chris Wysopal <weld@xxxxxxxxxxxxx>
Subject: [Full-Disclosure] Re: [VulnWatch] Sun passwd(1) Command Vulnerability
From: "Jay D. Dyson" <jdyson@xxxxxxxxxxx>
Date: Sat, 6 Mar 2004 10:33:58 -0500

Chris,

The grammar of this alert has left me somewhat curious, and I was wondering if 
you could take a moment to clarify a few quick questions from a fan of the 
l0pht, such as myself.

The vulnerability assessment of this is listed as MEDIUM.  Also, the word may 
is used, instead of will.  So my questions are as follows:

1) Is a bug that yields local root privilages on a widespread commercial Unix 
only a medium risk?

2) Was atstake unable to verify whether or not this exploitable, hence the "may 
be exploitable", instead of "A local unprivileged user can gain unauthorized 
root privileges."

I often find the grammar used in security advisories and briefs to be 
confusing, and I'm forced to wonder if the wording is deliberate.  
Historically, when security companies have made claims that they could not 
verify, they have been dealt with in a very public, and very humilitating 
fashion, so I rather suspect that meticulous care is put in the phrasing 
without making any brash unverified statements, that could cause such 
embarassment to said company.

Knowing you, and having the utmost respect for your views on full disclosure 
and the free exchange of information and ideas, I look forward to your response 
on this matter.

As I stated earlier, I have always been a big fan of The l0pht - and further 
that nc.exe has forever changed my life.

Incidently, to all the children out there reading the mailing lists - listening 
to The Crystal Method is acceptable behavior, but using crystal meth is not.

Chris, I look forward to your speedy reply to this email. 

On Fri, Mar 05, 2004 at 11:21:28AM -0500, Chris Wysopal wrote:
> 
> O-088: Sun passwd(1) Command Vulnerability
> 
> [Sun Alert ID: 57454]
> 
> March 2, 2004 22:00 GMT
> --------------------------------------------------------------------------------
> 
> PROBLEM: The passwd command computes the hash of a password typed at
> run-time or the hash of each password in a list. A vulnerability exists in
> this command.
> 
> PLATFORM: Solaris 8, 9 (SPARC and x86 Platforms)
> 
> DAMAGE:  A local unprivileged user may be able to gain unauthorized root
> privileges due to a security issue involving the passwd(1) command.
> 
> SOLUTION: Install the security patch.
> 
> --------------------------------------------------------------------------------
> 
> VULNERABILITY
> ASSESSMENT: The risk is MEDIUM. A local unprivileged user may be able to
> gain unauthorized root privileges.
> 
> --------------------------------------------------------------------------------
> 
> LINKS:
> 
>   CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/o-088.shtml
> 
>   ORIGINAL BULLETIN: Sun Alert ID: 57454
> http://www.sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57454&zone_32=category%3Asecurity

-- 
- -Jay

   (    (                                                        _______
   ))   ))   .-"There's always time for a good cup of coffee"-.   >====<--.
 C|~~|C|~~| (>------ Jay D. Dyson -- jdyson@xxxxxxxxxxx ------<) |    = |-'
  `--' `--'  `-------- Si latinam satis simiis doces, --------'  `------'
              `--- quandoque unus aliquid profundum dicet ---'

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: Re: [Full-Disclosure] Norton Antivirus 2002 fails to scan files with .................
Next by Date: Re: [Full-Disclosure] Re: E-Mail viruses
Previous by thread: [Full-Disclosure] [SECURITY] [DSA 456-1] New Linux 2.2.19 packages fix local root exploit (arm)
Next by thread: [Full-Disclosure] Re: [VulnWatch] Sun passwd(1) Command Vulnerability
Index(es):
- Date
- Thread