FreeBSD login will display secure log notices before password is given
Systems affected: FreeBSD 4.4
FreeBSD ***.com 4.4-RELEASE FreeBSD 4.4-RELEASE #0: Tue Sep 18 11:57:08 PDT 2001
First of all, I should point out that I don't actually run FreeBSD as
my Unix flavor; I was working on a friend's machine.
If you try to log in as root, you can see security warnings that only
root should see before you ever enter your password.
An obvious exploit would be to log in to the machine, enter "root" at
the login prompt, then sit back and watch security messages, which could
be very useful to an attacker to learn about what kind of security the
system has implemented.
Make a bad attempt to log in to some account (use the wrong password). Then
try to log in as root - you will see the "bad login" message after you enter
the "login:" prompt but before you type a password.
Dunno - don't have a FreeBSD system. Presumably the login exec is doing a
setuid before it actually verifies the password?