
Re: Root login



On Sat 13 September 2008 04:47, s. keeling wrote:
[...]
>>  Try to login on any Lenny box console with an invalid account.
>>  You will get "Incorrect login" without being prompted for a
>>  password at all.
> What?  And you get a shell prompt?!?
>

Even if you do not have a shell, you do have an important piece of
information: the login you tried does not exist. So you can do a first
rapid dictionary-based scan to find the existing users on the server.
Then you can focus your attack on these accounts.

If the system asked for a password even when the account does not exist,
you could not know whether the account exists or not. The security problem
is here, if I understood the previous message correctly.

As I use Etch, I was not able to test it on Lenny and I did not test it on
Etch.


Fanfan
-- 
http://www.cerbelle.net - http://www.afdm-idf.org
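
The difference described in this message, as an added example that is not part of the original post and is not the code of login(1) or PAM: a login check that answers unknown names before prompting, beside one that prompts, hashes and replies identically whether or not the account exists. The account table, function names and iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000                 # constructed value, not a tuning recommendation
GENERIC_FAILURE = "Login incorrect"

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user_db(users):
    """Build a constructed in-memory account table: name -> (salt, hash)."""
    db = {}
    for name, password in users.items():
        salt = os.urandom(16)
        db[name] = (salt, hash_password(password, salt))
    return db

# Placeholder record verified for unknown names, so the same work is done
# whether or not the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(os.urandom(16).hex(), _DUMMY_SALT)

def leaky_login(db, name, ask_password):
    """Behaviour reported in the thread: unknown names fail with no prompt."""
    if name not in db:
        return (False, "Incorrect login")   # reveals that the name is invalid
    salt, stored = db[name]
    ok = hmac.compare_digest(hash_password(ask_password(), salt), stored)
    return (ok, "Welcome" if ok else GENERIC_FAILURE)

def uniform_login(db, name, ask_password):
    """Always prompt, always hash, always return the same failure text."""
    known = name in db
    salt, stored = db[name] if known else (_DUMMY_SALT, _DUMMY_HASH)
    candidate = hash_password(ask_password(), salt)
    ok = hmac.compare_digest(candidate, stored) and known
    return (ok, "Welcome" if ok else GENERIC_FAILURE)

def observe(login_fn, db, name, password):
    """What is visible at the console: (was a password requested, message)."""
    prompted = []
    def ask():
        prompted.append(True)
        return password
    _, message = login_fn(db, name, ask)
    return (bool(prompted), message)
```
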

