Hello.

I received the attached material just today. I did not test if the hole is already there, but from the posting, it is absolutely clear *what* must be done and only exactly *when* this must be done is left as an exercise. I am sending this mail to all addresses mentioned in the original posting except for comp.security.unix.

I would like to point out the following:

1) /usr/bin/passwd on our SunOSes has link count == 5:

    /usr/bin/passwd
    /usr/bin/chfn
    /usr/bin/chsh
    /usr/bin/ypchfn
    /usr/bin/ypchsh

   Then

    # cd /bin
    # mv passwd passwd.old ; chmod 700 passwd.old
    # cp passwd.old passwd; chmod 4711 passwd

   makes all *fn programs above executable only by root. This is probably not the desired behavior. Hopefully

    # cp -p passwd passwd.orig
    # chmod 0 passwd.orig

   is a better solution.

2) After applying the patch suggested, any user still can do the following:

    # cd /tmp
    # ln -s passwd /bin/yppasswd

   and we are just in the same situation as before patching /usr/bin/passwd. Worse, now we believe that the hole has been carefully closed.

   [ This assumes that /usr/bin/passwd and /bin/yppasswd are binary identical and setuid to root - diff, sum and ls on our SunOS 4.1.3 say "YES". ]

Good luck,

Eduard Vopicka

> >From: 8lgm@bagpuss.demon.co.uk ([8LGM] Security Team)
> >Newsgroups: comp.security.unix
> >Subject: [8lgm]-Advisory-7.UNIX.passwd.11-May-1994
> >Date: 13 May 1994 04:21:05 GMT
> >Lines: 343
> >Expires: 30 Dec 1995 00:00:00 GMT
> >Message-Id: <8LGM.94May13052106@bagpuss.demon.co.uk>
> >NNTP-Posting-Host: localhost
>
> This advisory has been sent to:
>
>     comp.security.unix
>     BUGTRAQ <bugtraq@crimelab.com>
>     CERT/CC <cert@cert.org>
>     Sun Microsystems <security-alert@sun.com>
>
> ===========================================================================
> [8lgm]-Advisory-7.UNIX.passwd.11-May-1994
>
>
> PROGRAM:
>
>     passwd(1) (/usr/bin/passwd)
>
> VULNERABLE OS's:
>
>     SunOS 4.1.x
>
> DESCRIPTION:
>
>     passwd(1) allows any user to specify the password file to be
>     used (passwd(1) updates the file as root.) Using a program
>     which changes the absolute path of this passwd file at carefully
>     selected points during the execution of passwd(1), changes can
>     be written to a directory of our choice.
>
> IMPACT:
>
>     Any user with access to passwd(1) can become root.
>
> WORKAROUND & FIX:
>
>     1. Contact your vendor for a patch.
>
>     2. Patch the passwd binary to remove the '-F' option.
>
>
>     # cd /bin
>     # mv passwd passwd.old; chmod 700 passwd.old
>     # cp passwd.old passwd
>     # adb -w - passwd
>     not core file = passwd
>     /l 'F:'
>     0x68de
>
>     The above address is required in the following step:
>
>     0x68de/w 0
>     0x68de: 0x463a = 0x0
>     <CTRL-D>
>
>     # chmod 4711 /bin/passwd
>     # /bin/passwd -F /tmp/WinnersBlues
>     passwd: illegal option -- F
>     Usage: passwd [-l|-y] [-F file] [-afs] [-d user] [-e user]
>            [-n numdays user] [-x numdays user] [user]
>     #
>
>     If passwd -F complains at this stage, you have successfully
>     disabled the option.
>
>
------- End of Forwarded Message

-- 
"Eduard Vopicka, Computing Centre, Prague University of Economics, W. Churchill Square 4, CZ 130 67 Prague 3" <Eduard.Vopicka@vse.cz>
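A small POSIX sh audit helper, added here and not part of the advisory or of Eduard's mail, that covers both of his points before a workaround like the one above is applied: it reports the hard-link count of a given binary and lists every setuid file under a root that is either a hard link to it (same inode, like chfn/chsh sharing /usr/bin/passwd) or a byte-identical copy of it (like /bin/yppasswd), so each alias is patched too or consciously left out. The function name, the output format and the reliance on ls -i, cksum and find -perm are this example's own assumptions; run it as root so that find can reach every setuid file.

```shell
#!/bin/sh
# audit_passwd_aliases TARGET [ROOT]
# Added audit helper (not from the advisory): reports every setuid file under
# ROOT (default /, one filesystem) that is an alias of TARGET, either a hard
# link (same inode, like chfn/chsh on SunOS) or a byte-identical copy
# (like /bin/yppasswd). Uses only POSIX tools: find, ls, cksum, awk.
# Output lines: "linkcount <n>", "hardlink <path>", "copy <path>".
audit_passwd_aliases() {
    target=$1
    root=${2:-/}
    if [ ! -f "$target" ]; then
        echo "no such file: $target" >&2
        return 1
    fi
    # Reference values for the binary being audited.
    target_ino=$(ls -i "$target" | awk '{print $1}')
    target_sum=$(cksum < "$target" | awk '{print $1, $2}')
    # A link count above 1 means chmod/adb on this path changes the other
    # names too, while mv+cp silently detaches them from the fixed copy.
    echo "linkcount $(ls -l "$target" | awk '{print $2}')"
    # Only regular files with the setuid bit set, on one filesystem.
    find "$root" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        if [ "$f" = "$target" ]; then
            continue
        fi
        ino=$(ls -i "$f" | awk '{print $1}')
        if [ "$ino" = "$target_ino" ]; then
            echo "hardlink $f"
        elif [ "$(cksum < "$f" | awk '{print $1, $2}')" = "$target_sum" ]; then
            # Same bytes but a separate inode: needs its own patch.
            echo "copy $f"
        fi
    done
}
```

A "copy" line is the yppasswd case from point 2; a "hardlink" line is the chfn/chsh case from point 1, where chmod on one name affects all of them.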