On Tue, Jun 26, 2001 at 11:08:04AM +0200, Joachim Blaabjerg wrote:
> > Appending to /etc/passwd has nothing to do with pam.
>
> No, not directly, but if your `su` uses PAM to authenticate users and PAM
> reacts to the spaces in the beginning of the passwd file, it surely has
> something to do with PAM. To check whether `su` uses PAM or not, try "ldd
> `which su`|grep libpam"
The fun thing, of course, is that it doesn't matter about the specifics
of how 'su' reacts when presented with this situation. This just
happened to be a very simple and provocative exploit. The attacked
target doesn't have to be /etc/passwd. This exploit could be re-written
trivially to use other files -- think 'cron', /root/.bash_profile,
/etc/bashrc, /etc/Muttrc, etc. All with at least one, probably more,
lines under control of an attacker.
Regardless of how anyone's 'su' reacts, upgrading samba to a fixed
version is very important.
Seth Arnold
