Re: RAZOR advisory: Linux util-linux chfn local root vulnerability

[Andrew Pimlott <andrew () pimlott net>]

On Mon, Jul 29, 2002 at 10:51:50AM -0400, Michal Zalewski wrote:
>    the administrator will most likely add "rm -f /etc/ptmp" or
>    equivalent to his crontab

If he is smart, he will check whether the file is open (eg with
fuser) before removing it.  So your attack does require an
administrator mistake.

However!  There appears to be an attack that does not require any
administrator action.

>     1. /etc/ptmptmp file is opened with O_WRONLY|O_CREAT, 0644 perms  
>     2. the file is linked to /etc/ptmp, exit on failure
>     3. /etc/ptmptmp is removed
>
>    Later, the descriptor obtained in step 1 is used for writing to     
>    construct the new /etc/passwd contents. This is done line by line, by
>    calling the fputs() routine. When the new file is ready, three more
>    steps are taken:
>
>     4. /etc/passwd.OLD is removed
>     5. /etc/passwd is linked to /etc/passwd.OLD
>     6. /etc/ptmp is renamed to /etc/passwd

    chfn 1              chfn 2              chfn 3

    open /etc/ptmptmp   open /etc/ptmptmp
    link -> /etc/ptmp
    rm /etc/ptmptmp
    fputs() ...
    mv -> /etc/passwd

At this point, chfn 2 has a fd open to /etc/passwd.

                                            open /etc/ptmptmp
                        ln -> /etc/ptmp
                        rm /etc/ptmptmp
                        fputs() ...

chfn 2 is now scribbling over /etc/passwd, and may at some point
create an "improved" password entry.

This is based on what Michal wrote; I haven't tested it.

>    step 3 ensures that no process will work on the hardlink of
>    /etc/passwd after the procedure is completed.

If what Michal wrote is complete, it does not.

Andrew