Ubuntu-Chicago Found a hole...
freddymartinez9 at gmail.com
Thu Nov 16 01:26:04 GMT 2006
Yea i'd approach the school with the security hole and tell them to fix it
before they find you out you saw the hole. White hat cracking :). I don't
know much about networking though.
On 11/15/06, Eric O'Neal <fyedernoggersnodden at gmail.com> wrote:
> Mmkay, at my University, SSH access to the UNIX servers (With limited
> privilidges, of course) is dolled out freely to all students (I don't think
> it should be, but whatever). All they have to do is log onto a web
> interface, set a shell, and voila.
> A friend and I, for some reason or another, logged on the other night.
> Out of sheer curiosity, I cd'd into the root directory to see what all I had
> read access to. Just about everything, it seems. Being a comp. sci.
> student interested in how things are secured, I view the /etc/passwd file.
> Shaddowed. Good.
> Here's the kicker. My buddy, with the same non-malicious curiosity, typed
> Wham. The encrypted passwords of 9,000 or so users hit his LCD, coming
> stright from the NIS Domain server, core of the University's authentication
> system (The Windows domain copies the NIS domain).
> I downloaded John the Ripper and had some fun with it, finding 30 or so
> blank passwords, among others. However, I have no reason to keep those
> passwords, as I've never been tempted to try and feel "powerful" by holding
> such data. I deleted the encrypted pass's from my hard disk an hour later,
> but the security hole is still there.
> I don't know much about NIS, so I installed a server on my Ubuntu box, and
> cliented my FreeBSD box to test it. When I do "ypcat" from my client here
> at home, it doesn't display the passwords, but a little friendly 'x' instead
> amongst the user data. They seem to be shaddowed off, or something of that
> Like I said, NIS is a black box to me. Is my Ubuntu ypserve really immune
> to getting passwords via ypcat? And, if so, would there be a simple way to
> shaddow off the passwords on a Solaris 7 server, which seems to be what
> they're running?
> This whole situation sounds dangerously similar to the gig Red_Herring got
> himself into a while back at his high school... how'd his hearing go, btw?
> I work programming for one the departments, and my friend works in campus
> IT, so I think we'll be okay if we go talk to the admin about it (I'd like
> to know it's solvable first), though we may have technically violated the
> policy already.
> Cheerio and advice welcome,
> PS: Sry I haven't made it to a meeting. I'm in SW Michigan, remember,
> and so bogged down with classes that I didn't even realize there was a chat
> meeting 'till it was too late...
> My home page: http://www.SigmaX.org
> "ttocs laeno cire oshkosh b'gosh fyedernoggersnodden nicht stein bon
> "Education is what remains after one has forgotten everything he learned
> in school"
> -- Albert Einstein
> Ubuntu-us-chicago mailing list
> Ubuntu-us-chicago at lists.ubuntu.com
Kubuntu. [GNU/]Linux for human beings.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Ubuntu-us-chicago