Vigil@nce: GNU Libc, reading hashed NIS passwords
January 2010 by Vigil@nce
When the system uses NIS passwd.adjunct, a local attacker can read
the hash of users’ passwords.
– Severity: 2/4
– Consequences: administrator access/rights, privileged
access/rights, user access/rights, data reading
– Provenance: user shell
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: medium (2/3)
– Creation date: 08/01/2010
IMPACTED PRODUCTS
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The NIS service stores information about users in several maps:
– passwd: identity, etc.
– shadow: hashed password
– passwd.adjunct: hashed password, if shadow is not used
The getpwnam()/getpwuid() functions of the GNU Libc should return
the content of the passwd map (without hashes). The getspnam()
function should return hashes only when it is called by root.
However, when passwd.adjunct is used, these functions return the
hashed password in all cases, because the passwd and
passwd.adjunct maps are incorrectly grouped.
When the system uses NIS passwd.adjunct, a local attacker can
therefore read the hash of users’ passwords.
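To check whether a host is exposed, an administrator can run the following audit as an unprivileged user. It is an added example, not code from the advisory or from the GNU Libc: it walks the accounts returned by getpwent() and reports those whose pw_passwd field holds hash material instead of a placeholder. The function names and the placeholder conventions ("x", "*", "!", "##name") are assumptions of this example.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* What the pw_passwd field of a passwd entry contains. */
enum pw_field { PW_EMPTY, PW_PLACEHOLDER, PW_ADJUNCT_MARKER, PW_HASH_LIKE, PW_OTHER };

/* Classify a password field without ever printing it.
 * Assumptions: "x" and fields starting with '*' or '!' are placeholders
 * or locks; "##name" is the marker that points at passwd.adjunct. */
enum pw_field classify_pw_passwd(const char *f)
{
    static const char alphabet[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    if (f == NULL || *f == '\0') return PW_EMPTY;
    if (strncmp(f, "##", 2) == 0) return PW_ADJUNCT_MARKER;
    if (strcmp(f, "x") == 0 || *f == '*' || *f == '!') return PW_PLACEHOLDER;
    /* Modular crypt format: $id$salt$hash */
    if (f[0] == '$' && strchr(f + 1, '$') != NULL) return PW_HASH_LIKE;
    /* Traditional DES crypt: exactly 13 characters of the crypt alphabet */
    if (strlen(f) == 13 && strspn(f, alphabet) == 13) return PW_HASH_LIKE;
    return PW_OTHER;
}

/* Walk every account visible through NSS (files, NIS, ...) and count
 * the entries whose password field is readable hash material. */
int count_exposed_hashes(int verbose)
{
    struct passwd *pw;
    int exposed = 0;
    setpwent();
    while ((pw = getpwent()) != NULL) {
        if (classify_pw_passwd(pw->pw_passwd) == PW_HASH_LIKE) {
            exposed++;
            if (verbose)  /* report the account name only, never the hash */
                printf("hash visible via passwd lookup: %s\n", pw->pw_name);
        }
    }
    endpwent();
    return exposed;
}

int main(void)
{
    int n = count_exposed_hashes(1);
    printf("%d account(s) expose a hash to this unprivileged caller\n", n);
    return n ? 1 : 0;  /* non-zero exit status flags an exposed host */
}
```

A non-zero count on a NIS client using passwd.adjunct indicates that the passwd lookup functions are returning hashes to non-root callers, as described above.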
CHARACTERISTICS
– Identifiers: 560333, CVE-2010-0015, VIGILANCE-VUL-9329
– Url: http://vigilance.fr/vulnerability/GNU-Libc-reading-hashed-NIS-passwords-9329