From owner-freebsd-security Thu Jan 3 20:19:01 2002
Delivered-To: freebsd-security@freebsd.org
From: "Дмитрий Подкорытов" (Dmitry Podkorytov)
To: freebsd-security@FreeBSD.ORG
Subject: nologin hole?
Date: Fri, 04 Jan 2002 07:18:55 +0300
X-Mailer: mPOP Web-Mail 2.19
Sender: owner-freebsd-security@FreeBSD.ORG

Maybe this is the result of my paranoia. ;-) And maybe not. Very possibly you can extract some use from this.

In FreeBSD I have found that a user whose terminal login is disabled has a login shell named 'nologin'. This is an sh script:

====================================================
#!/bin/sh -p
# ...
# ...
echo 'This account is currently not available.'
exit 1
====================================================

My thoughts about this:

1. If this script is broken out of, the user has root access to the system. (See man sh, key -p.)
2. The password may be 'viewed' by any network analyser during the user's POP3 session with the server. (As a rule, password encryption is not used in POP3.)
3. Also, the password may be obtained by a brute-force attack on the POP3 daemon.

For a successful attack in this manner you can append some code to your telnet/ssh to manage the connection speed on the fly, or try to use tcpwrapper for this. Set connection speed = 1 baud. Begin a telnet/ssh session. Specify user name and password, break nologin. After success, set the connection speed as you wish and work under root permission.

Solution to protect from this attack: install this program. To install, just make install. You may use this in silent mode; then compile with the -DSILENCE_MODE key. Program distributed under the GPL as is, without any guarantees. At URL http://org.zaural.ru you can find some useful programs.

My best wishes.
Dmitry Podkorytov.
E-mail: podkorytov@mail.ru

PS: on FreeBSD v.4.1, ps -x does not show programs that are running the code of function Exit(), called from atexit(Exit). Is it a bug? I used the top command to view the PID of NoLogin.