From: marukka at mac.com (Matt Burnett)
Subject: Vulnerability in Terminal.app

In order for someone to exploit this, wouldn't they need physical
access? And if they had physical access they could simply just boot into
single user mode (enabled by default), or off a CD (enabled by default), or
simply steal the machine.

On 11/19/03 12:27 PM, "hays@...blio.org" <hays@...blio.org> wrote:

> 
> 
> --On Wednesday, November 19, 2003 12:00 PM -0500
> full-disclosure-request@...ts.netsys.com wrote:
> 
>>> There is a work-around for this vulnerability of course - actually
>>> several.
>>> 
>>> 1. Never use sudo (not particularly practical).
>>> 
>>> 2. Never put your box to sleep after a sudo unless at least 5 minutes
>>> (or whatever your interval is set to) have passed.
>>> 
>>> 3. Issue either the 'sudo -k' command or the 'sudo -K' command before
>>> putting your box to sleep - make it a habit no matter if you remember
>>> issuing an ordinary sudo recently or not - 'just in case'.
>> 
>> 4. Change your sudo settings to require a password each time you use it:
>> 
>>     timestamp_timeout
>>                 Number of minutes that can elapse before sudo will ask for
>>                 a passwd again.  The default is 5.  Set this to 0 to
>>                 always prompt for a password.  If set to a value less
>>                 than 0 the user's timestamp will never expire.  This can
>>                 be used to allow users to create or delete their own
>>                 timestamps via sudo -v and sudo -k respectively.
> 
> 5. Require password on wake from sleep (which seems like an all around good
> idea anyway)?
> 
> Also replicated on my 10.3 powerbook, fwiw.
> 
> --
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html


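An added example, not part of the thread: a POSIX shell audit of the remedy given as item 4 above. It reads a sudoers fragment passed as a string (the two fragments below are constructed samples, not real files), reports the effective timestamp_timeout, and flags anything other than 0, since a positive value leaves a cached window and a negative one never expires.

```shell
#!/bin/sh
# Constructed sudoers fragments: WEAK relies on sudo's default cache window
# (5 minutes), FIXED applies item 4 from the thread and prompts every time.
WEAK='root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL'

FIXED='Defaults    timestamp_timeout=0
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL'

# Print the effective timestamp_timeout (minutes) for the sudoers text in $1.
# Any "Defaults" line (including per-user "Defaults:user") is inspected; the
# last setting wins, and the sudo default of 5 applies when none is present.
effective_timeout() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*Defaults/ {
            if (match($0, /timestamp_timeout[ \t]*=[ \t]*-?[0-9]+/)) {
                s = substr($0, RSTART, RLENGTH)
                sub(/.*=[ \t]*/, "", s)
                val = s
            }
        }
        END { print (val == "" ? "5" : val) }'
}

# Print "ok" when sudo will ask for a password on every use (timeout 0),
# "weak" otherwise: a positive window survives sleep, a negative value means
# the timestamp never expires at all.
audit_timeout() {
    t=$(effective_timeout "$1")
    if [ "$t" -eq 0 ]; then echo ok; else echo weak; fi
}

echo "WEAK  -> timeout=$(effective_timeout "$WEAK") $(audit_timeout "$WEAK")"
echo "FIXED -> timeout=$(effective_timeout "$FIXED") $(audit_timeout "$FIXED")"
```

On a real system, run it against the output of `visudo -c`-validated files rather than editing /etc/sudoers by hand.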