Mailing Lists: Apple Mailing Lists


Re: [Macsec] world readable password hashes



This is actually an old problem that not everyone decided to fix. It uses
repeated calls to getpwent() (from pwd.h) to obtain all the information.
Since it is old it was not reported to any bugtraq like mailing lists other
than MOSX specific lists. I did inform Apple about it once they opened up
their security site but it's been about a month and they haven't replied. I'm
really disappointed that they took no interest at all in a security flaw like
this. I did test this on an AIX (4.2 I think) box and it worked. If you want
more information on getpwent go pull up its man page.

On 6/15/01 10:58 AM, "Loukas" <email@hidden> wrote:

> I've looked at your "OSXploit", and I'd be very interested to see your
> source code. I hope you have reported this "bug in the BSD shadowing
> subsystem" to the appropriate people (ie. vuln-dev, bugtraq, whoever
> wrote the password shadowing suite for SVR4, *BSD security mailing lists...).
>
> However, if this is MacOSX/Darwin specific, then I doubt that it is a
> problem in the actual BSD implementation of shadowed passwords.
>
> Because I could not view your source code, I have written my own "OSXploit":



