lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.44.0402111445110.29369-100000@debian>
Date: Wed, 11 Feb 2004 15:28:18 -0600 (CST)
From: alex medvedev <alexm@...ckue.org>
To: bugtraq@...urityfocus.com
Subject: Re: AIX password enumeration possible


Hallo,

I think the privilege escalation risk here is not higher than
remote password brut forcing.

One only gets msg 3004-306 when she supplied the password correctly.
This unique response does not "allow an attacker to determine
the password" but simply states that the password was correct.

Assuming an account is not remote login disabled:
Don't you get a shell prompt when the correct passwd has been entered?
Same here: user enters right passwd --> she gets the right message.

Also, by the time you pick the passwd the AIX admin will have got you
for filling up his root filesystem as each unsuccessful attempt adds
about 650 bytes to /etc/security/failedlogin.
Default AIX rootfs is 2 PP, which is usually 2x16=32 MB, i.e. it won't be
long.

Or should I stop smoking crack?

-alexm
14:45 11/02/2004

On 6 Feb 2004, Scott J wrote:

>
>
> This advisory first submitted to BugTraq July 2003 - rejected but since a less detailed post on this subject made it to the list as a reply and there have been subsequent inquiries regarding it off-list, there may be interest in placing this on the list now.
> Email exchanges with BugTraq personnel (in July of last year) were the source of info that indicated Solaris may suffer from the same issue.
> Currently, BPR personnel can neither confirm or deny this behaviour exists in any OS other than AIX of versions mentioned below.
>
> ---------------- BinaryPowered Research advisory 2003-01 -----------------
> This advisory may be reproduced and redistributed in any manner.
> BPR and the author(s) of this advisory assume no liability for any misuse
> of information contained in this advisory.  Neither BPR nor the author(s) are in any
> way liable for any damages caused by or believed to arise from
> this advisory.
> ---------------- BinaryPowered Research advisory 2003-01 -----------------
>
> Abstract:           Remote password enumeration possible for
>                     accounts not permitted direct login in AIX
> Affected Systems:   AIX 4.3.3 and AIX 5.1, likely other levels of AIX
> Vendor:             International Business Machines Corporation (IBM)
> Severity:           Low
> Result:             Privilege escalation possible in some circumstances
> Vendor Notified:    YES
> Vendor Response:    Within one day
> Patch Issued:       None available.
> Release date:       2003-07-17
> Rereleased:         2004-02-06
>
> --------------------------------------------------------------------------
>
> Discussion:
>
> During some configuration change and testing of AIX for a client, BPR discovered that it is possible to remotely enumerate the passwords of a known AIX account.  The only configuration change required to allow this to happen in AIX is to disable remote logins for a given account (via the command "chuser rlogin=false a_userid").  If a remote attacker tries to connect to the vulnerable machine with an incorrect password  (but a known correct account name), the response from AIX will be:
> "3004-007 You entered an invalid login name or password."
> In the case that the correct password is provided, the response is as follows:
> "3004-306 Remote logins are not allowed for this account."
> This different, unique response allows an attacker to determine the password of the account in question.

<deleted...>





Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ