topic Re: Root user password causing security hole... in Operating System - HP-UX

Root user password causing security hole...

Daniel Yap — Wed, 21 Feb 2001 22:16:30 GMT

If anyone has seen this, please help...
I stumbled across a problem where the root password is set, yet when ANY user 'su' and enter a blank password they are granted entry as 'root'. The password set for root is not blank, yet somehow the blank entry is also accepted. Any clues on where to start looking?
Thanks in advance. This even happens upon login, rlogin, and telnet as 'root'.

Re: Root user password causing security hole...

Andy Monks — Wed, 21 Feb 2001 22:19:53 GMT

Are you using NIS? and if so, is it setup correctly.

Re: Root user password causing security hole...

Daniel Yap — Wed, 21 Feb 2001 22:37:07 GMT

Yes, I believe we are.

Re: Root user password causing security hole...

Andy Monks — Wed, 21 Feb 2001 22:45:18 GMT

if 'ypbind' is running you are!

So, if so check your local /etc/passwd file. It will have a line that begins with a "+". It should be after the 'local only users'. So, after all the system users is a minimum.

Re: Root user password causing security hole...

Daniel Yap — Wed, 21 Feb 2001 23:01:13 GMT

Andy,
'ypbind' is not running, and there is no '+' entry in the /etc/passwd file. I guess we are NOT running NIS. Sorry. Any other ideas?

Re: Root user password causing security hole...

Sam Nicholls — Wed, 21 Feb 2001 23:07:37 GMT

What command are you using to set the root password?

What does the /etc/passwd entry for root look like?

-sam

Re: Root user password causing security hole...

Dan Hetzel — Thu, 22 Feb 2001 06:09:00 GMT

Hi Daniel,

If you're NOT using NIS, remove the line starting with 'passwd:' in the file /etc/nsswitch.conf

Regards,

Dan

Re: Root user password causing security hole...

Daniel Yap — Thu, 22 Feb 2001 14:37:34 GMT

The entry for 'root' in the /etc/passwd file is as follows:
root:vIoK1y0bdoV5E:0:3::/:/sbin/sh

There is no 'nsswitch.conf' in /etc. There are only example files which could be copied to /etc/nsswitch.conf.

Am I simply overlooking something?

Re: Root user password causing security hole...

Shannon Petry — Thu, 22 Feb 2001 14:46:31 GMT

You may be missing something.
Q: Is this on ALL clients that people can su with no passwd?
Q: If you are using NIS, where is the "+::0:0:::" in /etc/passwd? It should be the LAST line!

Q: Do any of the local or NIS users have a UID of 0? This is the most critical! I have seen many backdoors made by people assigning a UID of 0 to an ID. This UID means the user is really root already, so a su is only beneficial for the accounting system.

Make sure that No user is assigned UID=0, GID=0!. Make sure permissions on /etc/passwd and /etc/group are 444. Make permissions on "/" 555, chown root "/" chgrp root "/".

Regards,
Shannon

Re: Root user password causing security hole...

Andy Monks — Thu, 22 Feb 2001 17:20:55 GMT

Daniel,

a few things that may be worth checking :-

1. the 'root' user is the first entry in the passwd file.
2. the 'root' user is only in the passwd file once.
3. no other user had a uid of '0'.
awk -F: '{ print $3 " " $1 }' /etc/passwd | sort -n | more

Andy

Re: Root user password causing security hole...

Daniel Yap — Fri, 23 Feb 2001 15:08:33 GMT

Sorry it took me a while to get back with you. I verified all that you guys have suggested and we are not using NIS and 'root' is the first entry in /etc/passwd and is the only user w/ UID 0 and no other user is in the 'root' group. I am at a loss as to where else to look. Any other help or suggestions would be greatly appreciated. Thanks again guys.

Re: Root user password causing security hole...

Andy Monks — Fri, 23 Feb 2001 16:54:42 GMT

Hmmm, this is strange.

I do have something to try, but don't do it with users on the system.

Firstly, take a copy of the existing /etc/passwd file and put it somewhere safe.

The copy the passwd file in /usr/newconfig/etc to /etc (over-writing the existing one).

Then add a new user (using sam or useradd) and also assign root a new password. Then try your test again.

This should at least prove if it's the passwd file or something else.

After you've finished the test, copy the old passwd file back.

Re: Root user password causing security hole...

dw_3 — Fri, 23 Feb 2001 20:53:38 GMT

...from an audit/security background: either your system has been significantly compromised (hacked) or you are familiar with the concepts of "social engineering"

Re: Root user password causing security hole...

Daniel Yap — Mon, 26 Feb 2001 20:21:41 GMT

Andy, I tried your test with replacing the /etc/passwd file. It still allowed me to enter without a password for root. I have placed a call into HP Support, but if you still have any other ideas, let me know. Thanks for all your help.

Re: Root user password causing security hole...

Patrick Wallek — Mon, 26 Feb 2001 20:37:01 GMT

Check what version of su you are using. There could be a problem there.

Here is su on my 10.20 system:

# ll /usr/bin/su
-r-sr-xr-x 1 root bin 20480 Feb 20 1998 /usr/bin/su
[scrooge:root] 1241 /
# file /usr/bin/su
/usr/bin/su: s800 shared executable dynamically linked
[scrooge:root] 1242 /
# what /usr/bin/su
/usr/bin/su:
$Revision: 80.1.1.1 $
PATCH_10_20: su.o 98/02/20

Here is su on my 11.0 system:

[uran:root] 223 /tmp/pww
# ll /usr/bin/su
-r-sr-xr-x 1 root bin 24576 Aug 6 1998 /usr/bin/su
[uran:root] 224 /tmp/pww
# file /usr/bin/su
/usr/bin/su: PA-RISC1.1 shared executable dynamically linked
[uran:root] 225 /tmp/pww
# what /usr/bin/su
/usr/bin/su:
$Revision: 82.15.1.1 $
PATCH_11_00: su.o 98/08/06

Re: Root user password causing security hole...

Patrick Wallek — Mon, 26 Feb 2001 20:39:11 GMT

You might also search your system for other versions of su. There could be a rogue version out there that is getting used instead of the su in /usr/bin. You could do a 'which su' to see which one you are using by default.

Re: Root user password causing security hole...

Bill Hassell — Tue, 27 Feb 2001 02:55:35 GMT

which su is not going to catch aliases or functions. The preferred method to determine where a command originates is:

whence -v su

Because sysadmins so commonly type su, hackers will hide a false su in your $PATH, aliases or function libraries. which will not find these aliases. Try this:

alias su=aBADcommand
which su
whence -v su

which will not tell what the shell is going to do with su.

Re: Root user password causing security hole...

Andy Monks — Tue, 27 Feb 2001 20:48:57 GMT

As a followup to Bill's response, try running /usr/bin/su and see what happens.