
List:       bugtraq
Subject:    Re: KDE Screensaver vulnerability
From:       Henrik Nordstrom <hno () HEM ! PASSAGEN ! SE>
Date:       1998-11-19 0:22:22

Jason Axley wrote:
>
> So, it sounds like now malicious users who can't read /etc/shadow in
> order to grab encoded passwords to crack them can just do brute-force
> password guessing without any lockout or auditing by simply piping
> password guesses to the setuid kcheckpass program which will happily
> check them against the shadow entries for correctness.

If I understand it correctly they can only brute-force their own
password... But if kcheckpass can be used to check any user's password
then I agree that this is a security risk.

> Or maybe it would give up pieces of /etc/shadow from memory if
> you could get it to coredump...

Only if you run it on a system which allows coredumps for a suid/sgid
program, which I think everyone has agreed is a security risk on its
own.

And I also agree that kcheckpass should delay if the password is
incorrect. This is to slow down any attempts to manually brute-force a
screen saver or anything else relying on kcheckpass. It won't give any
added security to the kcheckpass program, but to every program that uses
it.

---
Henrik Nordstrom

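The two mitigations discussed in this thread, restricting a setuid password checker to the calling user's own account and delaying (and auditing) failed attempts, as an added simulation that is not KDE's kcheckpass code. The shadow table, UIDs and PBKDF2 hashing below are constructed stand-ins for /etc/shadow and crypt(3).

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field


def _hash(salt: bytes, password: str) -> bytes:
    # Constructed stand-in for crypt(3): salted PBKDF2-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed stand-in for /etc/shadow and /etc/passwd (not real accounts).
SHADOW = {
    "alice": (b"saltA", _hash(b"saltA", "correct horse")),
    "bob": (b"saltB", _hash(b"saltB", "hunter2")),
}
UIDS = {"alice": 1000, "bob": 1001}


@dataclass
class CheckPass:
    """Hypothetical setuid checker: only the caller's own entry is verifiable."""

    caller_uid: int          # real uid of the process invoking the checker
    fail_delay: float = 1.0  # seconds to sleep after a wrong password
    audit: list = field(default_factory=list)  # what syslog would receive

    def check(self, username: str, password: str) -> bool:
        # Refuse to act as a generic password oracle for other accounts,
        # which is the risk raised earlier in the thread.
        if UIDS.get(username) != self.caller_uid:
            self.audit.append(f"refused: uid {self.caller_uid} asked about {username}")
            return False
        salt, expected = SHADOW[username]
        ok = hmac.compare_digest(_hash(salt, password), expected)
        if not ok:
            # Delay on failure so every caller (screensaver or otherwise)
            # inherits a rate limit, and leave an audit trail.
            self.audit.append(f"failed password for {username}")
            time.sleep(self.fail_delay)
        return ok


if __name__ == "__main__":
    cp = CheckPass(caller_uid=1000, fail_delay=0.5)
    print(cp.check("alice", "correct horse"), cp.check("alice", "nope"), cp.check("bob", "hunter2"))
    print(cp.audit)
```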