Open Source and information security mailing list archives
Message-ID: <20041104215726.GA1184@openwall.com>
Date: Fri, 5 Nov 2004 00:57:26 +0300
From: Solar Designer <solar@...nwall.com>
To: Matthias Geerdsen <vorlon@...too.org>
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com,
	security-alerts@...uxsecurity.com
Subject: Re: [ GLSA 200411-09 ] shadow: Unauthorized modification of account information


On Thu, Nov 04, 2004 at 09:22:24PM +0100, Matthias Geerdsen wrote:
>   Severity: Low
>      Title: shadow: Unauthorized modification of account information
[...]
> A flaw in the chfn and chsh utilities might allow modification of
> account properties by unauthorized users.
[...]
> A local attacker may be able to use chfn and chsh to change the
> standard shell of other users or modify their GECOS information (full
> name, phone number...).

While you did correctly categorize this as "low" severity, the above
description is not correct.  It is not possible to use this on other
users' accounts.  Here's the description from Owl change log:

2004/06/09	Package: shadow-utils
SECURITY FIX	Severity: none to low, local, active
Properly check the return value from pam_chauthtok(3) in chfn(1) and
chsh(1).  Previously, if chfn and/or chsh commands would be enabled
for non-privileged users with control(8), it would have been possible
for a logged in user with an expired password to change their "Full
Name" and login shell without having to change the password.  Thanks
to Steve Grubb and Martin Schulze for discovering this problem.

The only bug here is that chfn/chsh did not properly force a change of
an expired password, yet permitted the requested change of GECOS info
or login shell to be performed.  This is hardly worth an advisory.  In
fact, it might not have been worth our change log entry either...

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments
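
The bug class described in the change log entry above, as an added example that is not part of the original message and is not the shadow-utils code. It assumes the usual flow of an account check that reports an expired password followed by a forced change; `acct_mgmt`, `chauthtok`, the result codes and `struct account` are hypothetical stand-ins for pam_acct_mgmt(3), pam_chauthtok(3) and the PAM_* constants, so the block runs without libpam.

```c
#include <stdio.h>
#include <string.h>
/* Stand-in result codes; real code uses PAM_* from <security/pam_appl.h>. */
enum { OK, NEW_AUTHTOK_REQD, AUTHTOK_ERR };

/* Constructed account state standing in for the PAM stack. */
struct account {
    int expired;        /* account check demands a new password */
    int user_complies;  /* does the user complete the forced change? */
    char shell[32];
};

/* Stand-in for pam_acct_mgmt(3). */
static int acct_mgmt(const struct account *a) {
    return a->expired ? NEW_AUTHTOK_REQD : OK;
}

/* Stand-in for pam_chauthtok(3): fails if the user aborts the change. */
static int chauthtok(struct account *a) {
    if (!a->user_complies) return AUTHTOK_ERR;
    a->expired = 0;
    return OK;
}

/* Behaviour the change log describes: forced-change result is ignored. */
int chsh_unchecked(struct account *a, const char *shell) {
    if (acct_mgmt(a) == NEW_AUTHTOK_REQD)
        chauthtok(a);                 /* return value dropped */
    snprintf(a->shell, sizeof a->shell, "%s", shell);
    return 0;
}

/* Fixed flow: apply the request only if the password change succeeded. */
int chsh_checked(struct account *a, const char *shell) {
    int rc = acct_mgmt(a);
    if (rc == NEW_AUTHTOK_REQD)
        rc = chauthtok(a);
    if (rc != OK) return -1;          /* shell left untouched */
    snprintf(a->shell, sizeof a->shell, "%s", shell);
    return 0;
}

int main(void) {
    struct account a = {1, 0, "/bin/sh"}, b = a;  /* constructed sample */
    chsh_unchecked(&a, "/bin/zsh");
    chsh_checked(&b, "/bin/zsh");
    printf("unchecked: %s, checked: %s\n", a.shell, b.shell);
    return 0;
}
```

In both variants only the caller's own record is modified, which matches the point of the message: the defect is a skipped password-expiry enforcement step, not access to other users' accounts.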

