5694156 2000-11-07 08:03 +0100  /31 lines/ Bartlomiej Grzybicki <bgrzybicki@MORLINY.PL>
Sent by: joel@lysator.liu.se
Imported: 2000-11-07  19:17  by the Mail Carrier (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: bgrzybicki@morliny.pl
Recipient: Bugtraq (import) <13632>
Subject: vlock vulnerability in RedHat 7.0
------------------------------------------------------------
From: Bartlomiej Grzybicki <bgrzybicki@MORLINY.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <001f01c04888$f18d3810$d400000a@bart>

I've tried to lock all virtual consoles
in RedHat 7.0 using vlock, which
is delivered with this release of RedHat.

If the root user locks all consoles, it's no problem,
but if a normal user locks the consoles then
anybody can unlock them without typing a password.

Try to use it in the following way:

1. Log on as an ordinary user on tty1
2. Log on as root on tty2
3. On tty1, type vlock -a
4. All consoles will be locked.
5. When vlock asks for the password,
press ENTER and don't release the key
until you see the message 'broken pipe'.
6. If you see it, both consoles are unlocked.

Regards,

Bartlomiej Grzybicki ############################
MORLINY SA http://www.morliny.pl
bgrzybicki@morliny.pl http://www.bgrzybicki.morliny.pl
mobile: +48 601 279 976 ########################
(5694156) ------------------------------------------
Comment in text 5699787 by Trond Eivind Glomsrød <teg@REDHAT.COM>
Comment in text 5700073 by Matt Conover <shok@CAMEL.ETHEREAL.NET>
Comment in text 5700094 by Jon Lewis <jlewis@LEWIS.ORG>

5699787 2000-11-07 15:04 -0500  /32 lines/ Trond Eivind Glomsrød <teg@REDHAT.COM>
Sent by: joel@lysator.liu.se
Imported: 2000-11-08  20:09  by the Mail Carrier (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: teg@REDHAT.COM
Recipient: Bugtraq (import) <13650>
Comment on text 5694156 by Bartlomiej Grzybicki <bgrzybicki@MORLINY.PL>
Subject: Re: vlock vulnerability in RedHat 7.0
------------------------------------------------------------
From: Trond Eivind Glomsrød <teg@REDHAT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <xuyd7g78s6p.fsf@halden.devel.redhat.com>

Bartlomiej Grzybicki <bgrzybicki@morliny.pl> writes:

> I've tried to lock all virtual consoles
> in RedHat 7.0 using vlock, which
> is delivered with this release of RedHat.
>
> If the root user locks all consoles, it's no problem,
> but if a normal user locks the consoles then
> anybody can unlock them without typing a password.
>
> Try to use it in the following way:
>
> 1. Log on as an ordinary user on tty1
> 2. Log on as root on tty2
> 3. On tty1, type vlock -a
> 4. All consoles will be locked.
> 5. When vlock asks for the password,
> press ENTER and don't release the key
> until you see the message 'broken pipe'.
> 6. If you see it, both consoles are unlocked.

How is your system configured? I can't reproduce this.

--
Trond Eivind Glomsrød
Red Hat, Inc.
(5699787) ------------------------------------------

5700073 2000-11-07 12:37 -0800  /55 lines/ Matt Conover <shok@CAMEL.ETHEREAL.NET>
Sent by: joel@lysator.liu.se
Imported: 2000-11-08  21:16  by the Mail Carrier (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: shok@CAMEL.ETHEREAL.NET
Recipient: Bugtraq (import) <13655>
Comment on text 5694156 by Bartlomiej Grzybicki <bgrzybicki@MORLINY.PL>
Subject: Re: vlock vulnerability (solution: w00w00's CAP)
------------------------------------------------------------
From: Matt Conover <shok@CAMEL.ETHEREAL.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.BSF.4.21.0011071218240.83592-100000@camel.ethereal.net>

I didn't verify this vulnerability (I don't have vlock), but w00w00
made a related utility a few years ago called CAP (Console Access
Protection) that does not have this vulnerability (AFAIK).

It was written in conjunction with an article on console IOCTLs
(http://www.w00w00.org/articles.html).  CAP is available at
http://www.w00w00.org/files/misc/conutils/CAP.c.  It will prevent new
login attempts after three failures for three minutes (or as
defined), so the method you used will not work either.  In addition,
once the password is properly entered, it states whether the terminal
had previously been accessed and the number of failed attempts.  The
password to unlock will be the root's password.  It will support both
shadowed and non-shadowed if NO_USE_SHADOW is defined.

CTRL-ALT-DEL isn't blocked because it serves little purpose (though
it can be disabled through a sysctl).  Other than rebooting, there is
no practical way to get around it.  I'm assuming the administrator
will sit there until the ioctl() to lock the terminal completes (a few
clock ticks).

Matt

On Tue, 7 Nov 2000, Bartlomiej Grzybicki wrote:

> I've tried to lock all virtual consoles
> in RedHat 7.0 using vlock, which
> is delivered with this release of RedHat.
>
> If the root user locks all consoles, it's no problem,
> but if a normal user locks the consoles then
> anybody can unlock them without typing a password.
>
> Try to use it in the following way:
>
> 1. Log on as an ordinary user on tty1
> 2. Log on as root on tty2
> 3. On tty1, type vlock -a
> 4. All consoles will be locked.
> 5. When vlock asks for the password,
> press ENTER and don't release the key
> until you see the message 'broken pipe'.
> 6. If you see it, both consoles are unlocked.
>
> Regards,
>
> Bartlomiej Grzybicki ############################
> MORLINY SA http://www.morliny.pl
> bgrzybicki@morliny.pl http://www.bgrzybicki.morliny.pl
> mobile: +48 601 279 976 ########################
>
(5700073) --------------------------------(Rewrapped)
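The two defensive points raised in this thread, CAP's throttle (three failures, then no new attempts for three minutes, with the failed-attempt count reported on a successful unlock) and an unlock prompt that must not unwind when its read fails (the 'broken pipe' path in the original report), as an added C sketch. This is example code written here, not CAP's or vlock's source; demo_verify, the 'demo-secret' value and the function names are constructed stand-ins for the real PAM check.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

#define MAX_FAILURES    3         /* CAP's default: three failures ... */
#define LOCKOUT_SECONDS (3 * 60)  /* ... then no new attempts for three minutes */

enum unlock_result { UNLOCK_OK, UNLOCK_DENIED, UNLOCK_THROTTLED };
struct unlock_guard {
    int failures;          /* failures in the current window */
    int total_failures;    /* reported to the user once unlocked */
    time_t lockout_until;  /* attempts before this time are not evaluated */
};

/* One unlock attempt.  line == NULL means the read failed (EOF, EINTR, a
 * broken pipe ...): that is a denied attempt, never a reason to exit. */
enum unlock_result guard_attempt(struct unlock_guard *g, const char *line,
                                 time_t now, int (*verify)(const char *))
{
    if (now < g->lockout_until)
        return UNLOCK_THROTTLED;
    if (line != NULL && verify(line))
        return UNLOCK_OK;
    g->failures++;
    g->total_failures++;
    if (g->failures >= MAX_FAILURES) {      /* open a lockout window */
        g->failures = 0;
        g->lockout_until = now + LOCKOUT_SECONDS;
    }
    return UNLOCK_DENIED;
}
/* Constructed stand-in for the real password check (PAM in vlock's case). */
int demo_verify(const char *line) { return strcmp(line, "demo-secret") == 0; }
/* Prompt loop: only a verified password ends it.  A failed read is passed
 * on as NULL and the loop continues instead of unwinding and unlocking. */
void unlock_loop(FILE *in, int (*verify)(const char *))
{
    struct unlock_guard g = {0, 0, 0};
    char buf[256];
    for (;;) {
        fputs("Password to unlock: ", stdout); fflush(stdout);
        char *line = fgets(buf, sizeof buf, in);
        if (line) line[strcspn(line, "\n")] = '\0';
        else clearerr(in);                  /* EOF/error must not end the lock */
        enum unlock_result r = guard_attempt(&g, line, time(NULL), verify);
        if (r == UNLOCK_OK) { printf("%d failed attempt(s)\n", g.total_failures); return; }
        if (!line || r == UNLOCK_THROTTLED) sleep(1);  /* no tight spin */
    }
}
```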

5700094 2000-11-08 09:53 -0500  /41 lines/ Jon Lewis <jlewis@LEWIS.ORG>
Sent by: joel@lysator.liu.se
Imported: 2000-11-08  21:22  by the Mail Carrier (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: jlewis@LEWIS.ORG
Recipient: Bugtraq (import) <13656>
Comment on text 5694156 by Bartlomiej Grzybicki <bgrzybicki@MORLINY.PL>
Subject: Re: vlock vulnerability in RedHat 7.0
------------------------------------------------------------
From: Jon Lewis <jlewis@LEWIS.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.10.10011080948270.1443-100000@redhat1.mmaero.com>

On Tue, 7 Nov 2000, Bartlomiej Grzybicki wrote:

> I've tried to lock all virtual consoles
> in RedHat 7.0 using vlock, which
> is delivered with this release of RedHat.
>
> If the root user locks all consoles, it's no problem,
> but if a normal user locks the consoles then
> anybody can unlock them without typing a password.

As long as someone is looking at the code for vlock, here's another
bug.  When you use vlock to lock a VC, it prompts you for your
password to unlock. i.e.

This TTY is now locked.
Please enter the password to unlock.
jlewis's Password:

If you hit enter, it prompts you for the root password to unlock.

This TTY is now locked.
Please enter the password to unlock.
jlewis's Password: [pressed enter]
root's Password:

Contrary to the prompt and the man page, the root password will not
unlock this VC.  The user's password, entered at either of the
(jlewis|root)'s Password: prompts will unlock the VC.  I've tested
this on Red Hat 6.2 and 7.0.

----------------------------------------------------------------------
 Jon Lewis *jlewis@lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
(5700094) --------------------------------(Rewrapped)
Comment in text 5701183 by Luca Berra <bluca@COMEDIA.IT>

5701183 2000-11-08 21:46 +0100  /26 lines/ Luca Berra <bluca@COMEDIA.IT>
Sent by: joel@lysator.liu.se
Imported: 2000-11-09  07:39  by the Mail Carrier (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: bluca@comedia.it
Recipient: Bugtraq (import) <13659>
Comment on text 5700094 by Jon Lewis <jlewis@LEWIS.ORG>
Subject: Re: vlock vulnerability in RedHat 7.0
------------------------------------------------------------
From: Luca Berra <bluca@COMEDIA.IT>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20001108214614.D13055@colombina.comedia.it>

On Wed, Nov 08, 2000 at 09:53:24AM -0500, Jon Lewis wrote:
> Contrary to the prompt and the man page, the root password will not unlock
> this VC.  The user's password, entered at either of the (jlewis|root)'s
> Password: prompts will unlock the VC.  I've tested this on Red Hat 6.2 and
> 7.0.
It's a feature!

This is due to PAM: all these types of programs (xlock is another) are
not setuid; the PAM libraries invoke a suid helper /sbin/pwdb_chkpwd
that checks the password only for the user that is invoking it, so
no more root unlocking the display.  (This is not an issue if root can
remotely log in to the machine and kill the lock process.)

Regards,
Luca.

--
Luca Berra -- bluca@comedia.it
    Communication Media & Services S.r.l.
(5701183) --------------------------------(Rewrapped)

5699830 2000-11-08 12:04 +0300  /49 lines/ Vladislav V. Mikhailov <solar@LINKEXPERT.NET>
Sent by: joel@lysator.liu.se
Imported: 2000-11-08  20:22  by the Mail Carrier (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: solar@LINKEXPERT.NET
Recipient: Bugtraq (import) <13651>
Subject: Re: vlock vulnerability in RedHat 7.0
------------------------------------------------------------
From: "Vladislav V. Mikhailov" <solar@LINKEXPERT.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <004101c04962$e2fe1960$0b01a8c0@solar.linkexpert.net>

That does not work on RH6.x with vlock version 1.3.

Best regards,
Vladislav V. Mikhailov


>I've tried to lock all virtual consoles
>in RedHat 7.0 using vlock, which
>is delivered with this release of RedHat.
>
>If the root user locks all consoles, it's no problem,
>but if a normal user locks the consoles then
>anybody can unlock them without typing a password.
>
>Try to use it in the following way:
>
>1. Log on as an ordinary user on tty1
>2. Log on as root on tty2
>3. On tty1, type vlock -a
>4. All consoles will be locked.
>5. When vlock asks for the password,
>press ENTER and don't release the key
>until you see the message 'broken pipe'.
>6. If you see it, both consoles are unlocked.
>
>Regards,
>
>Bartlomiej Grzybicki ############################
>MORLINY SA http://www.morliny.pl
>bgrzybicki@morliny.pl http://www.bgrzybicki.morliny.pl
>mobile: +48 601 279 976 ########################
>

(5699830) ------------------------------------------