Major passwd hole in SunOS (???!!!)

[Eduard.Vopicka () vse cz (Eduard Vopicka)]

Hello.

I received the attached material just today. I did not test if the hole is
already there, but from the posting, it is absolutely clean *what* must be
done and only exactly *when* this must be done is left as exercise.

I am sending this mail to all addreses mentioned in the original posting
except for comp.security.unix.

I would like to point out the following:

1) /usr/bin/passwd on our SunOSes has link count == 5:
        /usr/bin/passwd
        /usr/bin/chfn
        /usr/bin/chsh
        /usr/bin/ypchfn
        /usr/bin/ypchsh
Then
        # cd /bin
        # mv passwd passwd.old ; chmod 700 passwd.old
        # cp passwd.old passwd; chmod 4711 passwd
makes all *fn programs above executable only by root. This is probably not
the desired behavior. Hopefully
        # cp -p passwd passwd.orig
        # chmod 0 passwd.orig
is better solution.

2) After applying the patch suggested, any user still can do the following:
        # cd /tmp
        # ln -s passwd /bin/yppasswd
and we are just in the same situation like before patching /usr/bin/passwd.
Worse, now we believe that the hole has been carefully closed.
[ This assumes that /usr/bin/passwd and /bin/yppasswd are binary identical and
  setuid to root - diff, sum and ls on our SunOS 4.1.3 say "YES". ]

Good luck,

Eduard Vopicka

> > From: 8lgm () bagpuss demon co uk ([8LGM] Security Team)
> > Newsgroups: comp.security.unix
> > Subject: [8lgm]-Advisory-7.UNIX.passwd.11-May-1994
> > Date: 13 May 1994 04:21:05 GMT
> > Lines: 343
> > Expires: 30 Dec 1995 00:00:00 GMT
> > Message-Id: <8LGM.94May13052106 () bagpuss demon co uk>
> > NNTP-Posting-Host: localhost
>
> This advisory has been sent to:
>
>         comp.security.unix
>
>         BUGTRAQ                 <bugtraq () crimelab com>
>         CERT/CC                 <cert () cert org>
>         Sun Microsystems        <security-alert () sun com>
>
> ===========================================================================
>                 [8lgm]-Advisory-7.UNIX.passwd.11-May-1994
>
>
> PROGRAM:
>
>         passwd(1)        (/usr/bin/passwd)
>
> VULNERABLE OS's:
>
>         SunOS 4.1.x
>
> DESCRIPTION:
>
>         passwd(1) allows any user to specify the password file to be
>         used (passwd(1) updates the file as root.)  Using a program
>         which changes the absolute path of this passwd file at carefully
>         selected points during the execution of passwd(1), changes can
>         be written to a directory of our choice.
>
> IMPACT:
>
>         Any user with access to passwd(1) can become root.
>
> WORKAROUND & FIX:
>
>         1. Contact your vendor for a patch.
>
>       2. Patch the passwd binary to remove the '-F' option.
>
> >     # cd /bin
> >     # mv passwd passwd.old; chmod 700 passwd.old
> >     # cp passwd.old passwd
> >     # adb -w - passwd
>       not core file = passwd
> >     /l 'F:'
>       0x68de
>
> The above address is required in the following step:
>
> >     0x68de/w 0
>       0x68de:         0x463a  =       0x0
>       <CTRL-D>
> >     # chmod 4711 /bin/passwd
> >     # /bin/passwd -F /tmp/WinnersBlues
>       passwd: illegal option -- F
>       Usage: passwd [-l|-y] [-F file] [-afs] [-d user] [-e user]
>               [-n numdays user] [-x numdays user] [user]
>       # 
>
>       If passwd -F complains at this stage, you have successfully
>       disabled the option.
>
>
> ------- End of Forwarded Message

-- 
"Eduard Vopicka, Computing Centre, Prague University of Economics,
W. Churchill Square 4, CZ 130 67 Prague 3" <Eduard.Vopicka () vse cz>