Bugtraq mailing list archives
Major passwd hole in SunOS (???!!!)
From: Eduard.Vopicka () vse cz (Eduard Vopicka)
Date: Mon, 16 May 1994 11:42:44 +0200
Hello. I received the attached material just today. I did not test if the hole is already there, but from the posting, it is absolutely clear *what* must be done and only exactly *when* this must be done is left as an exercise. I am sending this mail to all addresses mentioned in the original posting except for comp.security.unix.

I would like to point out the following:

1) /usr/bin/passwd on our SunOSes has link count == 5:

       /usr/bin/passwd
       /usr/bin/chfn
       /usr/bin/chsh
       /usr/bin/ypchfn
       /usr/bin/ypchsh

   Then

       # cd /bin
       # mv passwd passwd.old ; chmod 700 passwd.old
       # cp passwd.old passwd; chmod 4711 passwd

   makes all *fn programs above executable only by root. This is probably not the desired behavior. Hopefully

       # cp -p passwd passwd.orig
       # chmod 0 passwd.orig

   is a better solution.

2) After applying the patch suggested, any user still can do the following:

       # cd /tmp
       # ln -s passwd /bin/yppasswd

   and we are in just the same situation as before patching /usr/bin/passwd. Worse, now we believe that the hole has been carefully closed.

   [ This assumes that /usr/bin/passwd and /bin/yppasswd are binary identical and setuid to root - diff, sum and ls on our SunOS 4.1.3 say "YES". ]

Good luck,
Eduard Vopicka
From: 8lgm () bagpuss demon co uk ([8LGM] Security Team)
Newsgroups: comp.security.unix
Subject: [8lgm]-Advisory-7.UNIX.passwd.11-May-1994
Date: 13 May 1994 04:21:05 GMT
Lines: 343
Expires: 30 Dec 1995 00:00:00 GMT
Message-Id: <8LGM.94May13052106 () bagpuss demon co uk>
NNTP-Posting-Host: localhost

This advisory has been sent to:
    comp.security.unix
    BUGTRAQ <bugtraq () crimelab com>
    CERT/CC <cert () cert org>
    Sun Microsystems <security-alert () sun com>

===========================================================================

[8lgm]-Advisory-7.UNIX.passwd.11-May-1994

PROGRAM:

    passwd(1) (/usr/bin/passwd)

VULNERABLE OS's:

    SunOS 4.1.x

DESCRIPTION:

    passwd(1) allows any user to specify the password file to be used (passwd(1) updates the file as root.) Using a program which changes the absolute path of this passwd file at carefully selected points during the execution of passwd(1), changes can be written to a directory of our choice.

IMPACT:

    Any user with access to passwd(1) can become root.

WORKAROUND & FIX:

    1. Contact your vendor for a patch.

    2. Patch the passwd binary to remove the '-F' option.

        # cd /bin
        # mv passwd passwd.old; chmod 700 passwd.old
        # cp passwd.old passwd
        # adb -w - passwd
        not core file = passwd
        /l 'F:'
        0x68de

    The above address is required in the following step:

        0x68de/w 0
        0x68de:         0x463a  =       0x0
        <CTRL-D>
        # chmod 4711 /bin/passwd
        # /bin/passwd -F /tmp/WinnersBlues
        passwd: illegal option -- F
        Usage: passwd [-l|-y] [-F file] [-afs] [-d user] [-e user] [-n numdays user] [-x numdays user] [user]
        #

    If passwd -F complains at this stage, you have successfully disabled the option.

------- End of Forwarded Message
--
"Eduard Vopicka, Computing Centre, Prague University of Economics, W. Churchill Square 4, CZ 130 67 Prague 3" <Eduard.Vopicka () vse cz>
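Eduard's two points above (hard links that share the passwd inode, and byte-identical setuid copies such as /bin/yppasswd) come down to an inventory question: which other setuid files are really the same program, and do they still carry the option being patched out? The script below is an added example, not code from the advisory or from the reply; it answers that question for a reference binary under given roots, and the SunOS-like tree it runs on is constructed in a temp dir (the "binaries" are text stand-ins carrying the getopt marker "F:"), so nothing here touches a real system.

```shell
#!/bin/sh
# Added audit example; not code from the advisory or from Eduard's reply.
# Given a setuid binary such as /usr/bin/passwd, report every setuid file
# under the given roots that is either a hard link to it (same inode, as
# chfn/chsh/ypchfn/ypchsh are on SunOS 4.1.x) or a byte-identical copy
# (as /bin/yppasswd is), and whether each still contains a marker string,
# here the getopt spec "F:" that the advisory's adb patch zeroes out.
# Roots, the marker and the demo tree are constructed inputs, not real paths.

# audit_clones REF MARKER ROOT...
# One line per match: "<path> hardlink|copy has-<marker>|no-<marker>"
audit_clones() {
    ref=$1; marker=$2; shift 2
    for root in "$@"; do
        find "$root" -type f -perm -4000 2>/dev/null | while read -r f; do
            if [ "$f" -ef "$ref" ]; then kind=hardlink       # shares REF's inode
            elif cmp -s "$f" "$ref"; then kind=copy          # separate inode, same bytes
            else continue
            fi
            if grep -q -- "$marker" "$f"; then tag="has-$marker"; else tag="no-$marker"; fi
            printf '%s %s %s\n' "$f" "$kind" "$tag"
        done
    done
}

# count_matches REF MARKER ROOT...: number of files audit_clones reports
count_matches() { audit_clones "$@" | wc -l | tr -d ' '; }

# make_demo_tree: constructed SunOS-like layout in a temp dir (prints its path);
# the "binaries" are text stand-ins that carry the same getopt marker.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/bin"
    printf 'fake passwd binary carrying the getopt marker F:\n' > "$d/usr/bin/passwd"
    chmod 4711 "$d/usr/bin/passwd"
    for n in chfn chsh ypchfn ypchsh; do ln "$d/usr/bin/passwd" "$d/usr/bin/$n"; done
    cp "$d/usr/bin/passwd" "$d/bin/yppasswd"; chmod 4711 "$d/bin/yppasswd"           # identical setuid copy
    cp "$d/usr/bin/passwd" "$d/usr/bin/passwd.orig"; chmod 0 "$d/usr/bin/passwd.orig" # mode-0 backup, skipped
    echo "$d"
}

demo() {
    d=$(make_demo_tree)
    audit_clones "$d/usr/bin/passwd" 'F:' "$d/usr/bin" "$d/bin"
    rm -rf "$d"
}
demo
```

On the constructed tree the report lists the five hard-linked names in usr/bin plus the yppasswd copy in bin, all still marked has-F:, while the mode-0 passwd.orig backup is left out because it is no longer setuid.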