Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!cs.utexas.edu!uunet!mcsun!ukc!mucs!liv-cs!rkl
From: rkl@anduin.cs.liverpool.ac.uk
Newsgroups: comp.sys.hp
Subject: Serious security bug with passwd(1) in HP-UX
Message-ID: <1990Aug22.155715.15365@anduin.cs.liverpool.ac.uk>
Date: 22 Aug 90 14:57:14 GMT
Organization: Computer Science, Liverpool University
Lines: 25

There appears to be what I would consider to be a serious security bug
with both HP-UX 6.5 (or 3.1) and 7.0 running on HP9000 kit (both series
300 and 800):

Login as root and type "passwd". Press RETURN only at each of the two
password prompts and - hey presto ! - root now has a blank password and
NO WARNING IS GIVEN (it's bad enough that it allows it in the first place).

The /etc/passwd entry for root appears to have a non-null crypted password,
but it's actually a null password encypted by crypt ! This is even more
dangerous, because programs like pwck won't pick this up.

I've tried the same thing on an HLH Orion BSD 4.2 machine as root and it
immediately rejects a blank password at the first New Password prompt.

I thought this was important enough to be mentioned net-wide - how many
times do you leave your console unattended with root logged in ...? I feel
that "passwd" should prompt for the old password in the same way as "yppasswd"
does and should disallow blank passwords.

Richard K. Lloyd,       *** This is a MicroVAX II running VAX/VMS V5.3-1 ***
Computer Science Dept., * JANET     : RKL@UK.AC.LIV.CS.AND or              *
Liverpool University,   *             RKL@000010500211.FTP.MAIL            *
Merseyside, England,    * Internet  : RKL%and.cs.liv.ac.uk@cunyvm.cuny.edu *
Great Britain.          ***       Please note: New e-mail address !      ***