Bugtraq mailing list archives
Re: RAZOR advisory: Linux util-linux chfn local root vulnerability
From: Andrew Pimlott <andrew () pimlott net>
Date: Tue, 30 Jul 2002 01:35:36 -0400
On Mon, Jul 29, 2002 at 10:51:50AM -0400, Michal Zalewski wrote:
> the administrator will most likely add "rm -f /etc/ptmp" or equivalent
> to his crontab
If he is smart, he will check whether the file is open (eg with fuser) before removing it. So your attack does require an administrator mistake. However! There appears to be an attack that does not require any administrator action.
> 1. /etc/ptmptmp file is opened with O_WRONLY|O_CREAT, 0644 perms
> 2. the file is linked to /etc/ptmp, exit on failure
> 3. /etc/ptmptmp is removed
>
> Later, the descriptor obtained in step 1 is used for writing to construct
> the new /etc/passwd contents. This is done line by line, by calling the
> fputs() routine. When the new file is ready, three more steps are taken:
>
> 4. /etc/passwd.OLD is removed
> 5. /etc/passwd is linked to /etc/passwd.OLD
> 6. /etc/ptmp is renamed to /etc/passwd

chfn 1                   chfn 2                   chfn 3

open /etc/ptmptmp
                         open /etc/ptmptmp
link -> /etc/ptmp
rm /etc/ptmptmp
fputs() ...
mv -> /etc/passwd

At this point, chfn 2 has a fd open to /etc/passwd.

                                                  open /etc/ptmptmp
                         ln -> /etc/ptmp
                         rm /etc/ptmptmp
                         fputs() ...

chfn 2 is now scribbling over /etc/passwd, and may at some point create an
"improved" password entry.

This is based on what Michal wrote; I haven't tested it.

> step 3 ensures that no process will work on the hardlink of /etc/passwd
> after the procedure is completed.

If what Michal wrote is complete, it does not.

Andrew
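The interleaving in Andrew's diagram, replayed step by step in a single process so it can be run deterministically. This is an added example, not code from the advisory, from util-linux or from anyone in this thread: it uses the file names from the advisory under a scratch directory standing in for /etc (an assumption; the real /etc is never touched), the helper names replay_race, run_in_scratch, demo_vulnerable and demo_with_excl are this example's own, and the O_EXCL variant is an assumed hardening, not a fix anyone in the thread proposes. The sample passwd line written is constructed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define PBUF 4096

/* Names from the advisory, relative to a scratch directory that stands in
 * for /etc (assumption of this example; nothing here touches the real /etc). */
static const char *NAMES[] = { "ptmptmp", "ptmp", "passwd", "passwd.OLD" };

static void join(char *buf, size_t n, const char *dir, const char *name) {
    snprintf(buf, n, "%s/%s", dir, name);
}

/* Replay the chfn 1 / chfn 2 / chfn 3 interleaving from the post inside `dir`.
 * Returns 1 if the descriptor chfn 2 got from its O_CREAT open refers to the
 * same inode as the final passwd (its fputs() would scribble over passwd),
 * 0 if no inode was ever shared, -1 on an unexpected syscall failure.
 * `use_excl` adds O_EXCL to the open (assumed hardening): the second creator
 * then fails with EEXIST instead of receiving a descriptor for chfn 1's file. */
int replay_race(const char *dir, int use_excl) {
    char ptmptmp[PBUF], ptmp[PBUF], passwd[PBUF], passwd_old[PBUF];
    int fd1 = -1, fd2 = -1, fd3 = -1, shared = -1;
    struct stat st_fd2, st_passwd;
    int flags = O_WRONLY | O_CREAT | (use_excl ? O_EXCL : 0);
    const char *line = "root:x:0:0::/root:/bin/sh\n";   /* constructed sample */

    join(ptmptmp, sizeof ptmptmp, dir, NAMES[0]);
    join(ptmp, sizeof ptmp, dir, NAMES[1]);
    join(passwd, sizeof passwd, dir, NAMES[2]);
    join(passwd_old, sizeof passwd_old, dir, NAMES[3]);

    /* Scratch /etc starts with an existing passwd and no leftovers
     * (the unlink of passwd.OLD here doubles as step 4). */
    unlink(ptmptmp); unlink(ptmp); unlink(passwd_old);
    fd1 = open(passwd, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd1 < 0) return -1;
    close(fd1);

    /* chfn 1, step 1: open /etc/ptmptmp. */
    fd1 = open(ptmptmp, flags, 0644);
    if (fd1 < 0) return -1;

    /* chfn 2, step 1: the same open on the same name.  Without O_EXCL it
     * succeeds and hands chfn 2 a descriptor for chfn 1's inode. */
    fd2 = open(ptmptmp, flags, 0644);
    if (fd2 < 0) {
        shared = (use_excl && errno == EEXIST) ? 0 : -1;
        goto out;
    }

    /* chfn 1: steps 2-3, the fputs() writes, then steps 5-6. */
    if (link(ptmptmp, ptmp) < 0 || unlink(ptmptmp) < 0) goto out;
    if (write(fd1, line, strlen(line)) < 0) goto out;
    if (link(passwd, passwd_old) < 0 || rename(ptmp, passwd) < 0) goto out;

    /* chfn 3, step 1: recreates /etc/ptmptmp, so that chfn 2's own steps 2
     * and 3 succeed instead of failing with ENOENT. */
    fd3 = open(ptmptmp, flags, 0644);
    if (fd3 < 0) goto out;

    /* chfn 2, steps 2-3: link and rm operate on chfn 3's file... */
    if (link(ptmptmp, ptmp) < 0 || unlink(ptmptmp) < 0) goto out;

    /* ...but chfn 2 writes through fd2, which is by now /etc/passwd. */
    if (fstat(fd2, &st_fd2) < 0 || stat(passwd, &st_passwd) < 0) goto out;
    if (write(fd2, line, strlen(line)) < 0) goto out;
    shared = (st_fd2.st_dev == st_passwd.st_dev && st_fd2.st_ino == st_passwd.st_ino);

out:
    if (fd1 >= 0) close(fd1);
    if (fd2 >= 0) close(fd2);
    if (fd3 >= 0) close(fd3);
    return shared;
}

/* Run replay_race in a fresh mkdtemp directory and remove it afterwards. */
static int run_in_scratch(int use_excl) {
    char dir[] = "/tmp/chfnrace.XXXXXX";
    char p[PBUF];
    if (!mkdtemp(dir)) return -1;
    int r = replay_race(dir, use_excl);
    for (size_t i = 0; i < sizeof NAMES / sizeof NAMES[0]; i++) {
        join(p, sizeof p, dir, NAMES[i]);
        unlink(p);
    }
    rmdir(dir);
    return r;
}

/* O_CREAT without O_EXCL: chfn 2 ends up holding a descriptor to passwd. */
int demo_vulnerable(void) { return run_in_scratch(0); }

/* O_CREAT|O_EXCL: the second chfn fails at its open; no inode is shared. */
int demo_with_excl(void) { return run_in_scratch(1); }

int main(void) {
    printf("O_CREAT only  : shared inode = %d\n", demo_vulnerable());
    printf("O_CREAT|O_EXCL: shared inode = %d\n", demo_with_excl());
    return 0;
}
```

The replay only shows why the descriptor obtained in step 1 follows the inode through link() and rename(): it is a fixed ordering in one process, not the timing race itself, and O_EXCL on the ptmptmp open closes only this descriptor-sharing path, not the /etc/ptmp lock-file handling discussed elsewhere in the thread.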
Current thread:
- RAZOR advisory: Linux util-linux chfn local root vulnerability Michal Zalewski (Jul 29)
- Re: RAZOR advisory: Linux util-linux chfn local root vulnerability Andrew Pimlott (Jul 30)
- Re: RAZOR advisory: Linux util-linux chfn local root vulnerability Michal Zalewski (Jul 30)
- Re: RAZOR advisory: Linux util-linux chfn local root vulnerability Andrew Pimlott (Jul 30)
- Re: RAZOR advisory: Linux util-linux chfn local root vulnerability Andreas Beck (Jul 31)
- Re: RAZOR advisory: Linux util-linux chfn local root vulnerability Michal Zalewski (Jul 30)
- Re: RAZOR advisory: Linux util-linux chfn local root vulnerability Andrew Pimlott (Jul 30)
- Re: RAZOR advisory: Linux util-linux chfn local root vulnerability Szemkel (Jul 30)