Bugtraq mailing list archives
Local vulnerability in libutil derived with FreeBSD 4.4-RC (and earlier)
From: "Przemyslaw Frasunek" <venglin () freebsd lublin pl>
Date: Thu, 20 Sep 2001 21:48:34 +0200
Hello,
The OpenSSH shipped with FreeBSD 4.4 (and earlier) doesn't drop privileges
before consulting the login class capability database. The most problematic
code is:
    if (newcommand == NULL && !quiet_login && !options.use_login) {
        fname = login_getcapstr(lc, "copyright", NULL, NULL);
        if (fname != NULL && (f = fopen(fname, "r")) != NULL) {
            while (fgets(buf, sizeof(buf), f) != NULL)
                fputs(buf, stdout);
            fclose(f);
and
    f = fopen(login_getcapstr(lc, "welcome", "/etc/motd",
        "/etc/motd"), "r");
    [...]
    while (fgets(buf, sizeof(buf), f))
        fputs(buf, stdout);
    fclose(f);
in session.c, which allows any user to read ANY file on the system with
superuser privileges by defining:
    default:\
        :copyright=/etc/master.passwd:
or
        :welcome=/etc/master.passwd:
in the user's ~/.login_conf.
login(1), which is setuid and spawned by telnetd, is also vulnerable to a
similar attack:
    if (!rootlogin)
        auth_checknologin(lc);
    [...]
    (void)setegid(pwd->pw_gid);
    (void)seteuid(rootlogin ? 0 : pwd->pw_uid);
The nologin check is performed with superuser privileges.
auth_checknologin() is the libutil function that displays the nologin file
defined in the login capability database. A user can read ANY file on the
system by defining:
    default:\
        :nologin=/etc/master.passwd:
The FreeBSD core team has already been informed and official patches were
incorporated into the CVS repository *before* 4.4-RELEASE, although 4.4-RC and
earlier versions are vulnerable and need to be patched with:
http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/src/lib/libutil/login_cap.c?rev=1.17.2.3&content-type=text/plain
An official advisory is pending. It is possible that other *BSD systems
supporting the login capability database are also vulnerable.
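As an added example (my own code, not FreeBSD's and not part of the original post): the defensive pattern both excerpts lack is to switch to the user's identity before opening any path taken from a login capability, and to fail closed if that switch does not succeed. The function names are mine, and the sample file is constructed only to exercise the function.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Copy the file named by a login-class capability (copyright, welcome, nologin)
 * to `out`, but only with the user's privileges. Returns lines copied, or -1. */
long show_cap_file_as_user(const char *path, uid_t uid, gid_t gid, FILE *out)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    char buf[BUFSIZ]; FILE *f; long lines = 0;
    if (path == NULL)
        return -1;
    /* Drop to the user's identity *before* touching the path (group first: once
     * euid is not 0, setegid() would fail). A failed drop must abort the open. */
    if (setegid(gid) != 0 || seteuid(uid) != 0) {
        (void)seteuid(saved_euid);
        (void)setegid(saved_egid);
        return -1;
    }
    /* Opened as the user: a ~/.login_conf entry pointing at /etc/master.passwd
     * now fails with EACCES, exactly as if the user had run cat on it. */
    f = fopen(path, "r");
    /* Regain the original identity (euid first, while the saved uid allows it). */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0)
        abort();                /* never continue with a half-restored identity */
    if (f == NULL)
        return -1;
    while (fgets(buf, sizeof(buf), f) != NULL) {
        fputs(buf, out);
        if (strchr(buf, '\n') != NULL)
            lines++;
    }
    fclose(f);
    return lines;
}

/* Constructed two-line "copyright" file for trying the function out. */
const char *make_sample_file(void)
{
    static char path[] = "/tmp/cap_example_XXXXXX";
    const char *text = "Copyright (c) example\nAll rights reserved.\n";
    int fd = mkstemp(path);
    if (fd < 0 || write(fd, text, strlen(text)) < 0)
        return NULL;
    close(fd);
    return path;
}
```

Run as root, the same call with a user's uid/gid makes the "copyright=/etc/master.passwd" trick from above fail at fopen() instead of printing the file.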
--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw () frasunek com ** PGP: D48684904685DF43EA93AFA13BE170BF *