COMMAND

    protected password database

SYSTEMS AFFECTED

    Digital Unix 4.x

PROBLEM

    James Clement found following.  Due to the recent outpouring of DU
    buffer overflows the following might be of interest.  With the
    Enhanced Security package running, authentication information is
    not kept in one passwd/shadow file but in an individual file per
    user, named after the username, e.g. /tcb/files/auth/r/root for
    root and so on.  There is no built-in method for producing the
    equivalent of your everyday Unix /etc/shadow file, so it is
    probable that many DU systems have never had their poor password
    choices weeded out with a program such as Crack, simply because
    each encrypted password sits in a separate file.  Though trivial
    once root is compromised, a would-be attacker may have an easy time
    obtaining passwords because of this "feature".  The program below
    outputs a crackable shadow-style file.

    /*
       Digital Unix 4.x get encrypts from protected password database(s).
       Must be euid(0), compile with cc dushad.c -lsecurity -o dushad
       Written by James Clement - clem7508@fredonia.edu
    */

    #include <stdio.h>
    #include <sys/types.h>
    #include <sys/security.h>
    #include <prot.h>

    int main(int argc, char **argv)
    {
      struct pr_passwd *p;

      /* Initialise the security library (it wants the program's argc/argv).
         Reading /tcb/files/auth/ needs euid 0; otherwise the loop below
         simply yields nothing. */
      set_auth_parameters(argc, argv);

      /* Walk every protected password entry and print it in a
         passwd-like name:hash:uid::: layout that Crack can read. */
      setprpwent();
      while ((p = getprpwent()) != NULL)
      {
       printf("%s:%s:%d:::\n", p->ufld.fd_name, p->ufld.fd_encrypt,
              (int) p->ufld.fd_uid);
      }
      endprpwent();

      return 0;
    }

    The one thing that a lot of people miss with Digital UNIX is that
    when you use Enhanced Security in conjunction with NIS, the entire
    "protected" password subsystem is available as the NIS map
    prpasswd.  This contains, amongst other things, the password hash
    value, and like any NIS map it can be pulled by any client that
    knows the domain name, with no root on the target required.  The
    one thing that CAN cause problems is that Digital UNIX can use
    nonstandard hash algorithms (bigcrypt(), crypt16() and C1crypt())
    as well as the normal crypt().  This makes coding slightly
    complicated, as you have to pick the correct hash algorithm for
    each entry, and when a password longer than eight characters is
    created within an Enhanced Security environment, another
    encryption round is run AFTER the original to cover the rest of
    the password, with its output appended to the first hash.  This
    doesn't make things impossible, just difficult - Digital kindly
    provide a set of library routines to do most of this for you.

SOLUTION

    Well, keep your system up to date and there is no reason to be
    scared.  Use the program above to audit your own password database
    with Crack before someone else does, and if you run Enhanced
    Security over NIS, remember that the prpasswd map hands the hashes
    to every NIS client.