Ubuntu-Chicago Found a hole...

RJ Marsan rjmarsan at gmail.com
Thu Nov 16 01:42:57 GMT 2006


hehe was just about to say that sounds awfully familiar.... I would suppose
it's fixable, and probably as simple as disabling the ypcat command.  But as
for my case, I'm currently attending the Ombudsman Education School for
high school dropouts until the end of the year.... it's not fun one bit.

so hope nothin like that happens to you, just make sure you don't get carried
away.

On 11/15/06, Eric O'Neal <fyedernoggersnodden at gmail.com> wrote:
>
> Mmkay, at my University, SSH access to the UNIX servers (With limited
> privileges, of course) is doled out freely to all students (I don't think
> it should be, but whatever).  All they have to do is log onto a web
> interface, set a shell, and voila.
>
> A friend and I, for some reason or another, logged on the other night.
> Out of sheer curiosity, I cd'd into the root directory to see what all I had
> read access to.  Just about everything, it seems.  Being a comp. sci.
> student interested in how things are secured, I view the /etc/passwd file.
> Shadowed.  Good.
>
> Here's the kicker.  My buddy, with the same non-malicious curiosity, typed
> "ypcat".
>
> Wham.  The encrypted passwords of 9,000 or so users hit his LCD, coming
> straight from the NIS Domain server, core of the University's authentication
> system (The Windows domain copies the NIS domain).
>
> !!?!
>
> I downloaded John the Ripper and had some fun with it, finding 30 or so
> blank passwords, among others.  However, I have no reason to keep those
> passwords, as I've never been tempted to try and feel "powerful" by holding
> such data.  I deleted the encrypted pass's from my hard disk an hour later,
> but the security hole is still there.
>
> I don't know much about NIS, so I installed a server on my Ubuntu box, and
> cliented my FreeBSD box to test it.  When I do "ypcat" from my client here
> at home, it doesn't display the passwords, but a little friendly 'x' instead
> amongst the user data.  They seem to be shadowed off, or something of that
> sort.
>
> Like I said, NIS is a black box to me.  Is my Ubuntu ypserve really immune
> to getting passwords via ypcat?  And, if so, would there be a simple way to
> shadow off the passwords on a Solaris 7 server, which seems to be what
> they're running?
>
> This whole situation sounds dangerously similar to the gig Red_Herring got
> himself into a while back at his high school... how'd his hearing go, btw?
> I work programming for one of the departments, and my friend works in campus
> IT, so I think we'll be okay if we go talk to the admin about it (I'd like
> to know it's solvable first), though we may have technically violated the
> policy already.
>
> Cheerio and advice welcome,
> SigmaX
>
> PS:  Sry I haven't made it to a meeting.  I'm in SW Michigan, remember,
> and so bogged down with classes that I didn't even realize there was a chat
> meeting 'till it was too late...
>
>
>
> --
> My home page:  http://www.SigmaX.org
>
> "ttocs laeno cire oshkosh b'gosh fyedernoggersnodden nicht stein bon
> probiscus"
>
> "Education is what remains after one has forgotten everything he learned
> in school"
>               -- Albert Einstein
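For an administrator checking whether a NIS passwd map hands out hashes the way the quoted message describes, the following added example (not part of either message) classifies the password field of passwd-format lines without echoing any hash. The function names and sample entries are constructed, and the placeholder conventions it recognises (`x`, a leading `*` or `!`, Solaris `NP`, `##user`) are assumptions about common setups.

```shell
#!/bin/sh
# Added example: count what the password field (2nd colon-separated field)
# of a passwd-format map contains. Reads stdin and prints only counts.

audit_passwd_map() {
    awk -F: '
        NF < 7 { next }                          # skip malformed lines
        { pw = $2; c = substr(pw, 1, 1) }
        pw == "" { empty++; next }               # no password field at all
        # Placeholders: the hash lives elsewhere or the account is locked.
        pw == "x" || pw == "NP" || c == "*" || c == "!" || substr(pw, 1, 2) == "##" {
            placeholder++; next
        }
        # Looks like a crypt(3) hash: 13-character DES form or $id$ form.
        c == "$" || (length(pw) == 13 && pw ~ "^[./0-9A-Za-z]+$") {
            exposed++; next
        }
        { other++ }                              # anything unrecognised
        END {
            printf "exposed=%d empty=%d placeholder=%d other=%d\n",
                   exposed, empty, placeholder, other
        }
    '
}

# Constructed sample entries; the hash-shaped strings are made up.
sample_map() {
    cat <<'EOF'
alice:x:1001:100:Alice:/home/alice:/bin/sh
bob:ab12CdEfGhIjk:1002:100:Bob:/home/bob:/bin/sh
carol::1003:100:Carol:/home/carol:/bin/sh
dave:##dave:1004:100:Dave:/home/dave:/bin/sh
erin:*LK*:1005:100:Erin:/home/erin:/bin/sh
frank:$1$abcdefgh$0123456789abcdefghijkl:1006:100:Frank:/home/frank:/bin/sh
EOF
}

# On a NIS client the input would be:  ypcat passwd | audit_passwd_map
sample_map | audit_passwd_map
```

A non-zero `exposed` count means any user who can query the map can read hashes; a non-zero `empty` count means accounts with no password field at all.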