Linked by Thom Holwerda on Sun 12th Mar 2006 20:46 UTC, submitted by lotusleaf
Thread beginning with comment 104052
RE: Thousands of codewatching eyes? Drunk or Sleeping?
by ma_d on Mon 13th Mar 2006 21:01
in reply to "Thousands of codewatching eyes? Drunk or Sleeping?"
It only affects one release, which is approximately 6 months old. It doesn't exist in older releases.
The technicalities, as you call them, are why the average user is unaffected by the issue.
The thousands of eyes caught it. This wasn't found by a security researcher. It wasn't found by a developer. It was found by a user. And the thousands of eyes fixed it, in under 24 hours.
Number of exploits has little to do with popularity. The amount of use they get does. There are probably more discovered security holes in FOSS than commercial variants (with the exception of the older IIS); they also tend to get fixed quickly, and the diversity of deployment often makes them almost unusable.






Last week I posted this in response to news about MAC hacking and I got modded/slashed down for the technicality that MAC is not open source bla bla bla....
Well, now it is Ubuntu/open source's turn, so I am reposting
-------------------------------------------------
I am a pure Debian user, compile everything myself, and so am computer literate.
Linux posters on OSN regularly chide themselves that there are thousands of eyes watching open source code and that even if any vulnerability is found it will be fixed in minutes. The question is, why did this simple exploit get into the system in the first place? What happened to those thousands of eyes? Are they sleeping? Are they drunk? Or are they just living in an ivory tower?
Now devels responding to this item have started deflecting the average reader's attention from the 'root cause' of this problem by discussing technicalities of the hack. From the average user's viewpoint, I ask just one question: over the last 2-3 years of the Ubuntu world, how come this simple exploitable command/bug, whatever you call it, slipped under the noses of thousands of devels around the world?
FearFactor: it is not 'Rocket Science' (Mark S.) for an experienced hacker to figure out these types of exploits in future...
Conclusion: number of viruses, bugs, exploits = market share * popularity