Bugtraq: SunOS exploit.

[blind () SEDATED NET (Trevor Linton)]

On sunos, if you execute a clean bash shell then type, export USER="root"
then USER=$LOGNAME, then execute chsh root or chfn root you can change
the root information.

 Why?

 Well first off chsh and chfn are +s'ed.  This is a bad idea in the first
Place, Second off chsh and chfn use the function getenv("USER") most
programs bother to use this instead of geteuid(); getenv("USER") reports
that the user is root (while geteuid(); would report the real userid) and
then since chsh and or chfn is +s'ed it'll change root's shell user
information or ANYONE on the system's information!

 On the SunOS system i have i've been able to lock out ANYONES shell
using this exploit and locking out root's shell as well as changing
anyones NAME info in /etc/passwd etc.. etc.. any program that uses
getenv("USER") is vunerable (that's in bash). tcsh and some other
shells i remember don't allow USER and LOGNAME modifying. :\

 Anyways here's a rough patch:
        1) -s the programs that use getenv(); such as chsh and chfn
        2) remove getenv() and replace it with geteuid();
        3) possibly get the programmers of bash to fix it so USER and
           LOGNAME can't be modified unless it's super-user.

I'm sure theres a way to get root from this exploit butta.. :) oh well.

Trevor Linton (blind) - blind () sedated net support () hax0r org
Swingin' Utters. a juvenile product of the working class.

"People who are having trouble communicating should just shuttup"