Major passwd hole in SunOS (???!!!)

Eduard Vopicka (Eduard.Vopicka@vse.cz)
Mon, 16 May 1994 11:42:44 +0200

Hello.

I received the attached material just today. I did not test if the hole is
already there, but from the posting, it is absolutely clear *what* must be
done and only exactly *when* this must be done is left as an exercise.

I am sending this mail to all addresses mentioned in the original posting
except for comp.security.unix.

I would like to point out the following:

1) /usr/bin/passwd on our SunOSes has link count == 5:
	/usr/bin/passwd
	/usr/bin/chfn
	/usr/bin/chsh
	/usr/bin/ypchfn
	/usr/bin/ypchsh
Then
	# cd /bin
	# mv passwd passwd.old ; chmod 700 passwd.old
	# cp passwd.old passwd; chmod 4711 passwd
makes all *fn programs above executable only by root. This is probably not
the desired behavior. Hopefully
	# cp -p passwd passwd.orig
	# chmod 0 passwd.orig
is a better solution.

2) After applying the patch suggested, any user still can do the following:
	# cd /tmp
	# ln -s passwd /bin/yppasswd
and we are in just the same situation as before patching /usr/bin/passwd.
Worse, now we believe that the hole has been carefully closed.
[ This assumes that /usr/bin/passwd and /bin/yppasswd are binary identical and
  setuid to root - diff, sum and ls on our SunOS 4.1.3 say "YES". ]

Good luck,

Eduard Vopicka

> >From: 8lgm@bagpuss.demon.co.uk ([8LGM] Security Team)
> >Newsgroups: comp.security.unix
> >Subject: [8lgm]-Advisory-7.UNIX.passwd.11-May-1994
> >Date: 13 May 1994 04:21:05 GMT
> >Lines: 343
> >Expires: 30 Dec 1995 00:00:00 GMT
> >Message-Id: <8LGM.94May13052106@bagpuss.demon.co.uk>
> >NNTP-Posting-Host: localhost
> 
> This advisory has been sent to:
> 
>         comp.security.unix
> 
>         BUGTRAQ                 <bugtraq@crimelab.com>
>         CERT/CC                 <cert@cert.org>
>         Sun Microsystems        <security-alert@sun.com>
> 
> ===========================================================================
>                 [8lgm]-Advisory-7.UNIX.passwd.11-May-1994
> 
> 
> PROGRAM:
> 
>         passwd(1)        (/usr/bin/passwd)
> 
> VULNERABLE OS's:
> 
>         SunOS 4.1.x
> 
> DESCRIPTION:
> 
>         passwd(1) allows any user to specify the password file to be
>         used (passwd(1) updates the file as root.)  Using a program
>         which changes the absolute path of this passwd file at carefully
>         selected points during the execution of passwd(1), changes can
>         be written to a directory of our choice.
> 
> IMPACT:
> 
>         Any user with access to passwd(1) can become root.
> 
> WORKAROUND & FIX:
> 
>         1. Contact your vendor for a patch.
> 
> 	2. Patch the passwd binary to remove the '-F' option.
> 
> >	# cd /bin
> >	# mv passwd passwd.old; chmod 700 passwd.old
> >	# cp passwd.old passwd
> >	# adb -w - passwd
> 	not core file = passwd
> >	/l 'F:'
> 	0x68de
> 
> The above address is required in the following step:
> 
> >	0x68de/w 0
> 	0x68de:         0x463a  =       0x0
> 	<CTRL-D>
> >	# chmod 4711 /bin/passwd
> >	# /bin/passwd -F /tmp/WinnersBlues
> 	passwd: illegal option -- F
> 	Usage: passwd [-l|-y] [-F file] [-afs] [-d user] [-e user]
> 	        [-n numdays user] [-x numdays user] [user]
> 	# 
> 
> 	If passwd -F complains at this stage, you have successfully
> 	disabled the option.
> 
> 
> ------- End of Forwarded Message

-- 
"Eduard Vopicka, Computing Centre, Prague University of Economics,
W. Churchill Square 4, CZ 130 67 Prague 3" <Eduard.Vopicka@vse.cz>
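An added audit helper for the two pitfalls raised in points 1 and 2 above; this is not code from the original post or from the 8lgm advisory. Before a setuid binary is moved, copied or patched, it lists every hard link that shares the binary's inode (the chfn/chsh/ypchfn/ypchsh case, which a "mv + chmod 700" would lock out of normal use) and every separate file with identical contents (the /bin/yppasswd case, which a fix applied to one path leaves untouched). It assumes a POSIX sh with `find -inum`, `cmp`, and the widely supported `-ef` extension to `test`; the sample directory, file names and contents it builds are constructed stand-ins for a SunOS /usr/bin.

```shell
#!/bin/sh
# Audit helper (added example; not from the original post or the advisory).
# Usage on a real host, run as root:
#     report /usr/bin/passwd /bin /usr/bin /usr/etc
# The demo at the bottom runs it against a constructed directory instead.

# Inode number of FILE, following symlinks so a symlink to the binary
# resolves to the real inode.
inode_of() {
    ls -iL "$1" | awk '{print $1}'
}

# Every regular file under DIRS that is a hard link to FILE.
# -inum is only a cheap prefilter (inode numbers repeat across filesystems);
# the -ef test confirms same device AND same inode.
hard_links_of() {
    file=$1; shift
    ino=$(inode_of "$file")
    find "$@" -xdev -type f -inum "$ino" 2>/dev/null | while read -r f; do
        if [ "$f" -ef "$file" ]; then printf '%s\n' "$f"; fi
    done | sort
}

# Every regular file under DIRS that is byte-for-byte identical to FILE
# but is NOT a hard link to it: a separate copy that needs its own fix.
identical_copies_of() {
    file=$1; shift
    find "$@" -xdev -type f 2>/dev/null | while read -r f; do
        if [ "$f" -ef "$file" ]; then continue; fi
        if cmp -s "$file" "$f"; then printf '%s\n' "$f"; fi
    done | sort
}

# Human-readable report with mode bits, so setuid copies stand out.
report() {
    file=$1; shift
    echo "== hard links to $file (same inode, patched together) =="
    hard_links_of "$file" "$@" | while read -r f; do ls -l "$f"; done
    echo "== separate identical copies of $file (need their own fix) =="
    identical_copies_of "$file" "$@" | while read -r f; do ls -l "$f"; done
}

# Constructed stand-in for a SunOS /usr/bin: a fake "passwd" binary, two
# hard links (chfn, chsh) mirroring the link count observation, one separate
# but identical copy (yppasswd), and one unrelated file. Prints the directory.
make_sample_tree() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/passwd-audit.XXXXXX")
    printf 'FAKE-PASSWD-BINARY\n' > "$d/passwd"
    ln "$d/passwd" "$d/chfn"
    ln "$d/passwd" "$d/chsh"
    cp "$d/passwd" "$d/yppasswd"
    printf 'SOMETHING-ELSE\n' > "$d/other"
    chmod 4711 "$d/passwd" "$d/yppasswd" 2>/dev/null || true
    echo "$d"
}

# Demo run on the constructed tree.
sample=$(make_sample_tree)
report "$sample/passwd" "$sample"
rm -rf "$sample"
```

The report makes the two cases visible in one place: the `adb -w` patch from the advisory edits the binary in place, so every hard link in the first list picks up the change automatically, while every file in the second list is a distinct inode that still carries the unpatched `-F` option and must be patched (or have its setuid bit removed) separately.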