
Date:         Thu, 2 Dec 1999 17:30:46 +0200
From: Stewart Gebbie <stewart@GLOBAL.CO.ZA>
Subject:      Slackware 7.0 - login bug
To: BUGTRAQ@SECURITYFOCUS.COM

Hi,

Below I describe a bug in Slackware 7.0. I did notify
support@slackware.com about a week ago and thought that
it was about time to send the bug report to bugtraq.

This is regarding a logic bug in the shadow suite that enables
a brute force attack for finding and cracking login accounts
via telnet (and possibly some other nasty side effects).

The bug comes about as a result of the interplay between
using md5_crypt and disabling the traditional crypt.

The bug occurs when either an account is locked or the account
does not exist. In either case the result is that login.c
makes a call to pw_auth() in pwauth.c with the password set to
"!". This in turn calls _old_auth() in pwauth.c. This finally
calls pw_encrypt() in encrypt.c. Now because the password is set
to "!" (and not "$1$") the md5_crypt function is not called.
Instead the traditional crypt() is called. This has, as far as I
can see, been disabled in the Slack 7.0 distribution and always
returns NULL and sets errno=95. This causes pw_encrypt() to
print out `crypt: Operation not supported' and immediately call
exit(1). Hence, from logging in one can see that the user name
does not exist or is locked; furthermore, the exit is immediate
with no sleep before prompting again.

I did not confirm that crypt() was disabled in the glibc source
(simply because it meant downloading all of the glibc source).
But the test program I wrote did seem to confirm this.

Thanks
Stewart
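
Added example, not part of the original post and not code from the shadow suite: a model of the failure path described above next to one way to close it, with a check for whether a locked or missing account is distinguishable from a wrong password. stub_crypt(), the check_* functions, the AUTH_* values and the sample strings are constructed for illustration; the hardened variant is an assumption, not the fix that was shipped.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the crypt() the report describes: "$1$" (MD5)
 * salts work, any other salt fails with EOPNOTSUPP (errno 95 on Linux). */
static const char *stub_crypt(const char *clear, const char *salt)
{
    (void)clear;
    if (strncmp(salt, "$1$", 3) == 0)
        return "$1$constructed$hash";   /* placeholder, not a real digest */
    errno = EOPNOTSUPP;
    return NULL;
}

enum auth_result { AUTH_OK, AUTH_FAIL, AUTH_ABORT };
/* Behaviour as reported: a NULL from crypt() ends the login process at
 * once. AUTH_ABORT stands for the error message + exit(1) path. */
enum auth_result check_as_reported(const char *clear, const char *stored)
{
    const char *cp = stub_crypt(clear, stored);
    if (cp == NULL)
        return AUTH_ABORT;
    return strcmp(cp, stored) == 0 ? AUTH_OK : AUTH_FAIL;
}

/* Hardened (assumed fix): a crypt() failure is an ordinary mismatch, so
 * the caller's usual failure message and delay still apply. */
enum auth_result check_hardened(const char *clear, const char *stored)
{
    const char *cp = stub_crypt(clear, stored);
    if (cp == NULL)
        return AUTH_FAIL;
    return strcmp(cp, stored) == 0 ? AUTH_OK : AUTH_FAIL;
}

/* Nonzero if a locked or missing account ("!") is handled differently
 * from an existing account that was given a wrong password. */
int leaks_account_state(enum auth_result (*check)(const char *, const char *))
{
    return check("guess", "!") != check("guess", "$1$constructed$other");
}

int main(void)
{
    printf("as reported: leaks=%d\n", leaks_account_state(check_as_reported));
    printf("hardened:    leaks=%d\n", leaks_account_state(check_hardened));
    return 0;
}
```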