Pyramid's OSx version of Unix (a dual-universe Unix supporting both 4.xBSD and System V) [1] had a bug in the "passwd" program: if somebody edited /etc/passwd with a text editor and introduced a blank line (at the end of the file, or anywhere else), the next time anyone changed their password with the setuid root passwd program, the blank line was rewritten as "::0:0:::" (empty user name, empty password, uid 0, gid 0). That entry let you get a root shell with 'su ""', and log in as root by pressing the return key at the Login: prompt. (Well, it wasn't quite that simple: the new login program first insisted that the empty account set a password, then accepted the empty password it had just stored. The email explains.)
Here's the email in which I reported it to the staff mailing list.
Date: Tue, 30 Sep 86 03:53:12 EDT
From: Don Hopkins <don@brillig.umd.edu>
Message-Id: <8609300753.AA22574@brillig.umd.edu>
To: chris@mimsy.umd.edu, staff@mimsy.umd.edu,
Pete "Gymble Roulette" Cottrell <pete@mimsy.umd.edu>
In-Reply-To: Chris Torek's message of Mon, 29 Sep 86 22:57:57 EDT
Subject: stranger and stranger and stranger and stranger and stranger
Date: Mon, 29 Sep 86 22:57:57 EDT
From: Chris Torek <chris@mimsy.umd.edu>
Gymble has been `upgraded'.
Pyramid's new login program requires that every account have a
password.
The remote login system works by having special, password-less
accounts.
Fun.
Pyramid has obviously put a WHOLE lot of thought into their nifty
security measures in the new release.
Is it only half installed, or what? I can't find much in the way of
sources. /usr/src (on the ucb side of the universe at least) is quite
sparse.
On gymble, if there is a stray newline at the end of /etc/passwd, the
next time passwd is run, a nasty little "::0:0:::" entry gets added on
that line! [Ye Olde Standard Unix "passwd" Bug That MUST Have Been Put
There On Purpose.] So I tacked a newline onto the end with vipw to see
how much fun I could have with this....
One effect is that I got a root shell by typing:
% su ""
But that's not nearly as bad as the effect of typing:
% rlogin gymble -l ""
All I typed after that was <cr>:
you don't hasword: New passhoose one new
word: <cr>
se a lonNew passger password.
word: <cr>
se a lonNew password:ger password.
<cr>
Please use a longer password.
Password: <cr>
Retype new password: <cr>
Connection closed
Yes, it was quite garbled for me, too: you're not seeing things, or on
ttyh4. I tried it several times, and it was still garbled. But I'm not
EVEN going to complain about it being garbled, though, for three
reasons: 1) It's the effect of a brand new Pyramid "feature", and
being used to their software releases, it seems only trivial cosmetic,
comparatively. 2) I want to be able to get to sleep tonight, so I'm
just going to pretend it didn't happen. 3) There are PLENTY of things
to complain about that are much much much worse. [My guess, though,
would be that something is writing to /dev/tty one way, and something
else isn't.] Except for this sentence, I will also completely ignore
the fact that it closed the connection after setting the password, in
a generous fit of compassion for overworked programmers with
ridiculous deadlines.
So then there was an entry in /etc/passwd where the ::0:0::: had been:
:7h37OHz9Ww/oY:0:0:::
i.e., it let me insist upon a password it thought was too short by
repeating it. (A somewhat undocumented feature of the passwd program.)
("That's not a bug, it's a feature!")
Then instead of recognizing an empty string as meaning no password,
and clearing out the field like it should, it encrypted the null
string and stuck it there. PRETTY CHEEZY, PYRAMID!!!! That means
grepping for entries in /etc/passwd that have null strings in the
password field will NOT necessarily find all accounts with no
password.
So just because I was enjoying myself so much, I once again did:
% rlogin gymble -l ""
Password: <cr>
[ message of the day et al. ]
#
Wham, bam, thank you man! Instead of letting me in without prompting
for a password [like it should, according to everyone but pyramid], or
not allowing a null password and insisting I change it [like it
shouldn't, according to everyone but pyramid], it asked for a
password. I hit return, and sure enough the encrypted null string
matched what was in the passwd entry. It was quite difficult to resist
the temptation of deleting everyone's files and trashing the root
partition.
-Don
P.S.: First one to forward this to Pyramid is a turd.
P.P.S.: The origin story of Pete's "Gymble Roulette" nickname is here: http://art.net/~hopkins/Don/text/gymble-roulette.html (The postscript comment was an oblique reference to the fact that I'd previously gotten in trouble for forwarding Pete's hilarious "Gymble Roulette" email to a mailing list and somehow it found its way back to Pyramid. In my defense, he did say "Tell your friends and loved ones.")
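As an added illustration, not part of the original post and not Pyramid's source (which, as Chris noted, wasn't even on the machine), here is a Python reconstruction of the two security points above: how a passwd program that re-serialises every line through a fixed seven-field record can turn a blank line into "::0:0:::", and the audit check the email's warning about crypt("") calls for. The sample /etc/passwd lines, the user names, the hash strings and the rewrite logic itself are constructed assumptions about how such a bug could arise, not a reading of the actual OSx code.

```python
"""Reconstruct the OSx passwd failure on a constructed /etc/passwd and audit
the result. Added example; not Pyramid's source and not from the email."""
import warnings

# The crypt module wraps traditional crypt(3). It is deprecated in Python 3.11
# and removed in 3.13, so the hash check below degrades gracefully without it.
try:
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        import crypt
    HAVE_CRYPT = True
except ImportError:  # Python 3.13+ or a build without libcrypt
    crypt = None
    HAVE_CRYPT = False

NFIELDS = 7  # name:passwd:uid:gid:gecos:home:shell

# Constructed sample file (hashes are made up); note the extra blank line a
# text editor left at the end, exactly the trigger described in the email.
SAMPLE_PASSWD = (
    "root:Nx9dpa0/L1O6M:0:0:Operator:/:/bin/csh\n"
    "daemon:*:1:1::/:\n"
    "don:aB3fGh7jKl9mN:112:20:Don Hopkins:/usr/don:/bin/csh\n"
    "\n"
)

def buggy_rewrite(passwd_text, user, new_hash):
    """Hypothetical reconstruction of the bug: every line is re-serialised
    through a fixed seven-field record. A blank line splits into one empty
    field; padding to seven fields and treating an unparseable uid/gid as 0
    (what atoi("") returns in C) emits the '::0:0:::' entry from the email."""
    out = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        fields += [""] * (NFIELDS - len(fields))
        name, pw, uid, gid, gecos, home, shell = fields[:NFIELDS]
        if name == user:
            pw = new_hash
        uid = uid if uid.isdigit() else "0"
        gid = gid if gid.isdigit() else "0"
        out.append(":".join((name, pw, uid, gid, gecos, home, shell)))
    return "\n".join(out) + "\n"

def safe_rewrite(passwd_text, user, new_hash):
    """The same rewrite done defensively: refuse to touch the file if any
    line is blank or malformed, rather than inventing a record for it."""
    out = []
    for n, line in enumerate(passwd_text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != NFIELDS or not fields[0] or not fields[2].isdigit():
            raise ValueError("refusing to rewrite: bad entry on line %d" % n)
        if fields[0] == user:
            fields[1] = new_hash
        out.append(":".join(fields))
    return "\n".join(out) + "\n"

def des_empty_hash(salt):
    """crypt("") under a traditional two-character DES salt, or None when
    crypt(3)/DES is not available on this interpreter."""
    if not HAVE_CRYPT:
        return None
    try:
        h = crypt.crypt("", salt)
    except (OSError, ValueError):
        return None
    return h if h and len(h) == 13 else None

def audit(passwd_text):
    """Flag entries that let anyone in as root: blank lines (the trigger),
    empty user names, extra uid-0 accounts, empty password fields, and the
    case from the email that a grep for an empty field never finds: a
    13-character hash that equals crypt("") under its own salt."""
    findings = []
    for n, line in enumerate(passwd_text.splitlines(), 1):
        if not line.strip():
            findings.append((n, "blank line: next passwd run turns it into ::0:0:::"))
            continue
        fields = line.split(":")
        if len(fields) != NFIELDS:
            findings.append((n, "malformed entry (%d fields)" % len(fields)))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if name == "":
            findings.append((n, "empty user name"))
        if uid == "0" and name != "root":
            findings.append((n, "uid 0 account %r" % name))
        if pw == "":
            findings.append((n, "empty password field for %r" % name))
        elif len(pw) == 13 and des_empty_hash(pw[:2]) == pw:
            findings.append((n, 'password hash is crypt("") for %r' % name))
    return findings

if __name__ == "__main__":
    after = buggy_rewrite(SAMPLE_PASSWD, "don", "pQ2rStu4VwXyZ")
    print(after)
    for n, msg in audit(after):
        print("line %d: %s" % (n, msg))
```

Running it prints the rewritten file with the new "::0:0:::" line and three findings against it. The last branch of audit is the point of the email's warning: once the empty account has been given crypt("") as its hash, grepping for an empty second field finds nothing, but recomputing crypt("", salt) for every 13-character hash does. The same check carries over to modern password hash formats by substituting the hash routine for the salt in use.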
[1] https://en.wikipedia.org/wiki/Pyramid_Technology