Bugtraq mailing list archives
Re: numerous free/paid account systems are vulnerable to privledgeselevation attacks
From: Bernhard Rosenkraenzer <bero () REDHAT DE>
Date: Fri, 10 Nov 2000 19:45:44 +0100
On Fri, 10 Nov 2000, Michal Zalewski wrote:
This problem is not related to any specific product or solution, but affects pretty huge part of the ISP installations. The problem is a direct effect of the default account creation policy launched by OpenBSD, RedHat, and some other vendors, where every user has it's own, corresponding gid.
If the standard system tools are used in the scripts mentioned in the description, Red Hat Linux is not vulnerable because it checks for this behavior. [root@bero /root]# adduser kmem adduser: group kmem exists - if you want to add this user to that group, use -g. Here's the patch to (linux) shadow-utils we're using: --- shadow-19990827/src/useradd.c.group Wed Jan 19 17:40:48 2000 +++ shadow-19990827/src/useradd.c Wed Jan 19 17:42:04 2000 @@ -1929,6 +1929,19 @@ } /* + * Don't blindly add a user to a group that already exists... + * If you already have a group username, and want to add the user + * to that group, use useradd -g username username. + * --bero + */ + if (! (nflg || gflg)) { + if (getgrnam(user_name)) { + fprintf(stderr, _("%s: group %s exists - if you want to add this user to that group, use -g.\n"), Prog, user_name); + exit(E_NAME_IN_USE); + } + } + + /* * Do the hard stuff - open the files, create the user entries, * create the home directory, then close and update the files. */
Current thread:
- numerous free/paid account systems are vulnerable to privledgeselevation attacks Michal Zalewski (Nov 11)
- Re: numerous free/paid account systems are vulnerable to privledgeselevation attacks Bernhard Rosenkraenzer (Nov 11)
- Re: numerous free/paid account systems are vulnerable to privledgeselevation attacks Alexander Schreiber (Nov 13)
- Re: numerous free/paid account systems are vulnerable to privledgeselevation attacks Michal Zalewski (Nov 13)
- Re: numerous free/paid account systems are vulnerable to privledgeselevation attacks Pavel Korovin (Nov 14)
- Re: numerous free/paid account systems are vulnerable to privledgeselevation attacks Tomasz Kłoczko (Nov 14)
- Re: numerous free/paid account systems are vulnerable to privledgeselevation attacks Michal Zalewski (Nov 13)
- Re: numerous free/paid account systems are vulnerable to privledgeselevation attacks hellman (Nov 14)
- Re: numerous free/paid account systems are vulnerable to privledges elevation attacks Jeff Bachtel (Nov 14)
- Re: numerous free/paid account systems are vulnerable to privledges elevation attacks Michal Zalewski (Nov 14)