Re: Question about a potential security issue

From: phn@icke-reklam.ipsec.nu
Date: 09/18/02 

From: phn@icke-reklam.ipsec.nu
Date: 18 Sep 2002 17:01:39 GMT

Arduin <Arduin58@netscape.net> wrote:
> I have a security question of a somewhat general nature. Suppose a certain
> product produces a file as a result of an error state. The file is owned by
> root, and has UNIX permissions 600. Anybody with root privileges on the box
> can perform a 'strings' on that file and locate the root password in clear
> text. So would that be considered a security violation? If so, is it an
> issue that should be addressed, or is it something that is not serious
> enough for the vendor to fix?

> My thinking is that the box needs to have already been compromised in order
> to view the file. However once the file is scanned, the actual root password
> can now be obtained. Possessing the root password makes it easier for a
> hacker to hide their tracks, and it also may make it trivial to break into
> systems administered by the same SysAdmin. (Assuming they were negligent
> enough to use the same password on multiple systems.)

If a software leaves files behind with an attractive contents it's an
easy target for an intruder.

The problem of gettin root's password has been reduced considerably, one
only has to find a way to subvert a root-owned program to give you
a copy of that file and you "have it". Many unix systems has flaws where
this can be done much easier then "breaking root".

You also have the problem of backupmedia, where anyone may read and examine
things, cleartext passwords won't be good to store there.

Yes, i think this vendor should seriously consider tighten this bug.

> Thank you. 

-- 
Peter Håkanson         
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but i'm trying to keep spam out,
	   remove "icke-reklam" if you feel for mailing me. Thanx.

Relevant Pages
Loading