Slashdot Mirror


Root Password Readable in Clear Text with Ubuntu

BBitmaster writes "An extremely critical bug and security threat was discovered in Ubuntu Breezy Badger 5.10 earlier today by a visitor on the Ubuntu Forums that allows anyone to read the root password simply by opening an installer log file. Apparently the installer fails to clean its log files and leaves them readable to all users. The bug has been fixed, and only affects the 5.10 Breezy Badger release. Ubuntu users, be sure to get the patch right away."

2 of 520 comments

  1. Security Audit by RunFatBoy.net · · Score: 0, Redundant

    A thanks to Teotihacan for finding this. I'm sure that eventually several sysadmins would have failed security audits because of this. -- Jim http://www.runfatboy.net/

  2. [easier] Solution by tpgp · · Score: 0, Redundant
    Open a terminal and type:
    $ sudo grep -r <my password> /var/log
    (if it returns your password, you're vulnerable)
    $ sudo apt-get update
    $ sudo apt-get install passwd base-config
    (wait)
    $ sudo grep -r <my password> /var/log
    (if it doesn't return your password, you're no longer vulnerable)

    On a side note - this is pretty bad - sure a lot of people are going to say this is local privilege escalation only, but combined with any other exploit, this allows an attacker root access.

    This is the reason I use Debian for anything serious....
    --
    My pics.
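
A variant of the check in the comment above, as an added example that is not part of the original thread: it reads the password from stdin instead of the command line, so the value stays out of shell history and process arguments, and it reports whether each matching log is readable by all users, which is the condition the story describes. The function name `find_secret_in_logs` and the output labels are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). POSIX sh plus mktemp.
#
# find_secret_in_logs DIR     (secret is read as one line from stdin)
#   Prints "WORLD-READABLE PATH" or "restricted PATH" for every regular file
#   under DIR that contains the secret as a fixed string.
#   Returns 0 if no file contains it, 1 if at least one does, 2 on bad input.
find_secret_in_logs() {
    dir=$1
    [ -d "$dir" ] || return 2

    # Accept a final line without a trailing newline; reject an empty secret,
    # because an empty fixed-string pattern would match every file.
    IFS= read -r secret || [ -n "$secret" ] || return 2
    [ -n "$secret" ] || return 2

    # Hand the pattern to grep through a 0600 temp file (-f), not argv.
    # printf is a shell builtin, so the secret never appears in a process list.
    pat=$(mktemp) || return 2
    printf '%s\n' "$secret" > "$pat"
    unset secret

    # -F: fixed string, so password punctuation is not treated as a regex.
    # -l: list matching file names only, never echo the matching line.
    hits=$(find "$dir" -type f -exec grep -lF -f "$pat" -- {} + 2>/dev/null) || true
    rm -f "$pat"

    [ -n "$hits" ] || return 0

    printf '%s\n' "$hits" | while IFS= read -r f; do
        # -perm -o=r is true when the "other" read bit is set, i.e. any
        # local account can open the file.
        if [ -n "$(find "$f" -prune -perm -o=r)" ]; then
            printf 'WORLD-READABLE %s\n' "$f"
        else
            printf 'restricted %s\n' "$f"
        fi
    done
    return 1
}
```

Run it as root against `/var/log` before and after updating; a return status of 0 with no output means no log under that directory still contains the string. Compressed or rotated logs are not unpacked by this check.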