Bugtraq mailing list archives

[linux-alert] Serious Security hole in getpwnam () [Forwarded


From: juphoff () tarsier cv nrao edu (Jeff Uphoff)
Date: Mon, 3 Jun 1996 11:20:57 -0400


------- start of forwarded message (RFC 934 encapsulation) -------
From: Jeff Uphoff <juphoff () tarsier cv nrao edu>
Sender: owner-linux-alert () tarsier cv nrao edu
To: linux-alert () tarsier cv nrao edu, linux-security () tarsier cv nrao edu
Subject: [linux-alert] Serious Security hole in getpwnam ()
Date: Tue, 28 May 1996 11:02:41 -0400
Reply-To: linux-security () tarsier cv nrao edu

- -----BEGIN PGP SIGNED MESSAGE-----

This is a *very* serious hole that affects Linux-based NIS client
systems.  A more formal alert will be posted once a fixed version of
libc has been officially released.

For those that don't want to (or can't) patch and recompile their own
fixed version of libc, I recommend the *immediate* removal of all "stub"
NIS username entries, of the forms described in the attached message,
from /etc/passwd.

- - --Up.

[Please note that the PGP and forwarding encapsulations have modified
the MIME headers and the diff/patch segment.]

- - ------- start of forwarded message (RFC 934 encapsulation) -------
From: Arno Schaefer <aschaefe () crcg edu>
Sender: schaefer () crcg edu
Organization: Fraunhofer CRCG, Inc.
To: juphoff () nrao edu
Subject: Serious Security hole in getpwnam ()
Date: Fri, 24 May 1996 15:37:54 -0400


 Jeff,

 I just discovered a major security hole in the getpwnam() function
 in the current libc (5.3.12, probably present in all previous
 versions). It can be exploited if there is an entry in the form

 +username::::::
 or
 -username::::::

 or similar in /etc/passwd (an entry to admit or exclude a single user
 from the NIS passwd file).

 By typing 'su +username' or 'su -- -username' resp. you become root
 without being asked for a passwd.

 'login' is not vulnerable, so only users with shell access to the
 machine can exploit the bug.

 I tried it on two different systems that used NIS, both running
 Slackware 3.0, libc 5.3.12 and 5.0.9, resp. It can only be used
 if an entry of the form described above is present, so many systems
 that do not use NIS or that have only a standard '+' entry are safe
 against this attack.

 This apparently has been known for a long time, since the source for
 'login' reads:

               /* Dirty patch to fix a gigantic security hole when using
                  yellow pages. This problem should be solved by the
                  libraries, and not by programs, but this must be fixed
                  urgently! If the first char of the username is '+', we
                  avoid login success.
                  Feb 95 <alvaro () etsit upm es> */

                if (username[0] == '+') {
                    puts("Illegal username");
                    badlogin(username);
                    sleepexit(1);
                }

 but probably due to bad communication it was not fixed in libc.
 A similar bug in the same function was fixed over a year ago
 ('su +' or 'su +@netgroup'), but strangely nobody thought about
 'su +username'.

 I attach a patch that fixes the hole - it was taken against libc
 5.3.12, but should be easily adaptable to other versions. I was
 already in contact with H.J. Lu and expect that the next version
 of libc will contain this patch.

 I think this info should be forwarded to the linux-alert mailing
 list.

 Regards,

 Arno

 --
 Arno Schaefer - aschaefe () crcg edu
 Fraunhofer Center for Research in Computer Graphics, Providence RI
 -- Opinions expressed are my own and not those of Fraunhofer CRCG --
 Never attribute to malice that which can be adequately explained by
 stupidity

[Attachment: getpwnam.patch (text/plain)]

Index: getpwnam.c
===================================================================
RCS file: /home/work/cvs/linux/libc/pwd/getpwnam.c,v
retrieving revision 1.5
diff -c -r1.5 getpwnam.c
*** getpwnam.c  1996/05/22 15:49:37     1.5
- - - --- getpwnam.c    1996/05/23 06:59:32
***************
*** 53,58 ****
- - - --- 53,63 ----
    register FILE *stream;
    register struct passwd *p;

+ #ifdef YP
+   if (name[0] == '-' || name[0] == '+')
+     return NULL;
+ #endif
+
    if (info == NULL)
      {
        info = __pwdalloc();
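Review bot: the new rejection is wrapped in `#ifdef YP`, yet a `+username::::::` line in /etc/passwd is not harmless on a libc built without YP support either: read as an ordinary entry it has an empty password field and an empty uid field, and an empty uid field typically parses as 0. Consider making the `name[0] == '-' || name[0] == '+'` test unconditional, or documenting that non-YP builds must not carry such lines. A one-line comment above the check saying that '+'/'-' names are NIS directives rather than account names would also spare the next reader a trip to the advisory.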

- - ------- end -------

[Mod: I have also verified the existence of this hole in libc-4.6.27
(a.out).  --Jeff.]

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.2, an Emacs/PGP interface

- -----END PGP SIGNATURE-----
------- end -------
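Added example, not code from the advisory, the libc patch or their authors: a small C audit routine for the mitigation recommended above (removing stub NIS entries from /etc/passwd). It splits passwd(5) lines the way a naive colon parser does, which makes visible why a `+username::::::` line taken as a literal account has an empty password and uid 0, and it counts entries whose name starts with '+' or '-', the same first-character test the patch adds to getpwnam(). The function names and the sample passwd text are constructed for this example.

```c
/* Added example, not from the advisory or libc: a minimal passwd(5) splitter
 * plus an audit that counts NIS stub entries ('+'/'-' names), as the patch does. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct pw_entry { char name[64]; char passwd[64]; int uid; int gid; };

/* Split "name:passwd:uid:gid:gecos:dir:shell" keeping empty fields (strtok
 * would merge "::" and shift the columns). atoi("") is 0, so a literal
 * "+user::::::" line reads as a uid-0 account with an empty password. */
int parse_passwd_line(const char *line, struct pw_entry *e)
{
    char buf[256], *f[7], *p = buf, *c;
    int n = 0;
    snprintf(buf, sizeof buf, "%s", line);
    buf[strcspn(buf, "\n")] = '\0';
    while (n < 7 && p) {
        f[n++] = p;
        c = strchr(p, ':');
        if (c) *c = '\0';
        p = c ? c + 1 : NULL;
    }
    if (n < 4) return -1;                      /* not a passwd line */
    snprintf(e->name, sizeof e->name, "%s", f[0]);
    snprintf(e->passwd, sizeof e->passwd, "%s", f[1]);
    e->uid = atoi(f[2]);
    e->gid = atoi(f[3]);
    return 0;
}

/* The patch's rule: names starting with '+' or '-' are NIS directives. */
int is_nis_stub(const char *name) { return name[0] == '+' || name[0] == '-'; }

/* Count stub lines in passwd-format text. A bare "+" (whole NIS map) is
 * counted too; the advisory treats that form as safe, so callers decide. */
int count_nis_stubs(const char *text)
{
    int count = 0;
    while (*text) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        char line[256]; struct pw_entry e;
        if (len > sizeof line - 1) len = sizeof line - 1;
        memcpy(line, text, len); line[len] = '\0';
        if (parse_passwd_line(line, &e) == 0 && is_nis_stub(e.name)) count++;
        text = nl ? nl + 1 : text + len;
    }
    return count;
}
```

Feed count_nis_stubs() the contents of /etc/passwd; any non-zero result on a host that cannot yet run the patched libc is a line to remove, per the recommendation above.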