COMMAND

    login

SYSTEMS AFFECTED

    Slackware 7.0

PROBLEM

    Stewart Gebbie found the following.  Below he describes a bug in
    Slackware 7.0.  It concerns a logic bug in the shadow suite that
    enables a brute force attack for finding and cracking login
    accounts via telnet (and possibly some other nasty side effects).
    The bug comes about as a result of the interplay between using
    md5_crypt and disabling the traditional crypt().

    The bug occurs when either an account is locked or the account
    does not exist.  In either case the result is that login.c makes
    a call to pw_auth() in pwauth.c with the password set to "!".
    This in turn calls _old_auth() in pwauth.c.  This finally calls
    pw_encrypt() in encrypt.c.  Now because the password is set to
    "!" (and not "$1$") the md5_crypt function is not called.
    Instead the traditional crypt() is called.  This has, as far as
    seen, been disabled in the Slackware 7.0 distribution and always
    returns NULL and sets errno=95.  This causes pw_encrypt() to
    print out `crypt: Operation not supported' and immediately call
    exit(1).  Hence, from the login behaviour one can tell that the
    user name does not exist or is locked; furthermore, the exit is
    immediate, with no sleep before prompting again.

    There is no  confirmation that crypt()  was disabled in  the glibc
    source, but  the test  program Stewart  wrote did  seem to confirm
    this.
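    The dispatch described above, as an added example that is not
    code from the advisory or from the shadow suite: a "$1$" prefix
    selects md5_crypt, anything else (including the "!" substituted
    for a locked or absent account) goes to crypt(), and a NULL from
    a disabled crypt() either aborts the process (the reported
    behaviour) or, in the hardened variant, is treated as an ordinary
    mismatch so the caller reaches its usual failure sleep.  The
    crypt_disabled and md5_crypt_stub routines are constructed
    stand-ins for the real library functions.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for glibc's traditional crypt() as the advisory describes it on
 * Slackware 7.0: it always fails, returning NULL with errno = 95 (EOPNOTSUPP).
 * Constructed for this example; real code calls crypt() from <crypt.h>. */
static char *crypt_disabled(const char *clear, const char *salt) {
    (void)clear; (void)salt;
    errno = EOPNOTSUPP;
    return NULL;
}

/* Toy stand-in for md5_crypt(): "$1$" + 8-char salt + "$" + cleartext, so the
 * dispatch can be exercised offline. Constructed; not a real MD5 hash. */
static char *md5_crypt_stub(const char *clear, const char *salt) {
    static char out[80];
    snprintf(out, sizeof out, "$1$%.8s$%.60s", salt + 3, clear);
    return out;
}

/* What login.c would observe from the password check. */
enum auth_result { AUTH_OK, AUTH_FAIL, AUTH_LEAK_EXIT };

/* Dispatch as the advisory describes it: only a "$1$" prefix selects
 * md5_crypt; anything else, including the "!" that login.c substitutes for a
 * locked or nonexistent account, goes to the traditional crypt(). */
static char *dispatch(const char *clear, const char *stored) {
    return strncmp(stored, "$1$", 3) == 0 ? md5_crypt_stub(clear, stored)
                                          : crypt_disabled(clear, stored);
}

/* Vulnerable shape: a NULL from crypt() aborts the process, so the prompt
 * returns immediately and the caller never reaches its failure sleep. */
static enum auth_result pw_encrypt_vulnerable(const char *clear, const char *stored) {
    char *cp = dispatch(clear, stored);
    if (cp == NULL) return AUTH_LEAK_EXIT; /* real code: perror("crypt"); exit(1); */
    return strcmp(cp, stored) == 0 ? AUTH_OK : AUTH_FAIL;
}

/* Hardened shape: a crypt() failure is just another mismatch, so every
 * failed attempt takes the same sleep-and-reprompt path as a wrong password. */
static enum auth_result pw_encrypt_hardened(const char *clear, const char *stored) {
    char *cp = dispatch(clear, stored);
    return (cp != NULL && strcmp(cp, stored) == 0) ? AUTH_OK : AUTH_FAIL;
}
```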

SOLUTION

    Nothing yet.