A long time ago a friend of mine found a hole in BSD chfn/chsh/chpass, vulnerable in all FreeBSD versions 2.x - 4.0. I can't find any way to exploit this. I think readers of this mailing list will appreciate it.
When you run chfn (chfn/chsh/chpass are the same binary on FreeBSD), a temporary file /etc/pw.???? is touched and an external editor (the $EDITOR environment variable) is executed with the uid of the user running chfn. Edit your parameters and delete all characters on the last line in the editor (the "Other information:" entry). After this,
chfn will crash. No core is dumped.
I have no time for a better analysis, but the problem is in edit.c (function verify()). The program crashes at line 238:
    /* Build the gecos field. */
    len = strlen(list[E_NAME].save) + strlen(list[E_BPHONE].save) +
        strlen(list[E_HPHONE].save) + strlen(list[E_LOCATE].save) +
        strlen(list[E_OTHER].save) + 4;
    if (!(p = malloc(len)))
        err(1, NULL);
    (void)sprintf(pw->pw_gecos = p, "%s,%s,%s,%s,%s", list[E_NAME].save,
        list[E_LOCATE].save, list[E_BPHONE].save, list[E_HPHONE].save,
        list[E_OTHER].save);
The entry list[E_OTHER].save will be set to NULL and strlen(NULL) will crash.
I tried to overflow the pw->gecos variable, but with no success, because the size of each entry can be MAX_LEN (2048 bytes). I think it could be the same problem as the cfingerd 1.4.0 gecos overflow.
When the temporary file /etc/pw.????? is created with the uid of the user and chpass crashes, there is no way to delete/create/rename this temporary file in /etc (no o+w access on /etc), but you can edit the content of this file.
Could this be exploitable? :)
--
w.
. . o O o . . o O o . . o O o . . o O o . . o O o . . o O o . . o O o . .
. .
. wilder_at_hq.alert.sk PGP key: .
o wilder_at_spirit.liquid.sk (0~0) finger wilder o
o wilder_at_tlis.sk -ooO--(_)--Ooo- TTT Talker: o
. luptakpa_at_decef.elf.stuba.sk hq.alert.sk 5678 .
. .
. . o O o . . o O o . . o O o . . o O o . . o O o . . o O o . . o O o . .
Received on Dec 20 1999
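The crash above comes from passing a NULL field pointer to strlen(). Below is an added example (not FreeBSD's edit.c, and not the poster's code) of how the gecos-building step can be written so that a missing field is treated as empty, the buffer length counts the separators and the terminating NUL, and fields that would break the colon-separated passwd line are rejected. Field names and the sample values are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The five gecos components, in the order they are written:
 * name, location, business phone, home phone, other. */
enum { G_NAME, G_LOCATE, G_BPHONE, G_HPHONE, G_OTHER, G_FIELDS };

/* A field the editor left empty may come back as NULL; map it to ""
 * instead of handing NULL to strlen(). */
static const char *safe(const char *s)
{
    return s ? s : "";
}

/* A ':' or newline inside a field would corrupt the passwd entry. */
static int field_ok(const char *s)
{
    return strchr(s, ':') == NULL && strchr(s, '\n') == NULL;
}

/* Build "name,locate,bphone,hphone,other" into a freshly allocated
 * buffer. Returns NULL on a malformed field or allocation failure;
 * the caller frees the result. */
char *build_gecos(const char *f[G_FIELDS])
{
    const char *v[G_FIELDS];
    size_t len = 0;
    char *p;
    int i;

    for (i = 0; i < G_FIELDS; i++) {
        v[i] = safe(f[i]);
        if (!field_ok(v[i]))
            return NULL;
        len += strlen(v[i]);
    }
    len += 4 + 1;                 /* four commas plus the terminating NUL */

    if (!(p = malloc(len)))
        return NULL;
    snprintf(p, len, "%s,%s,%s,%s,%s",
             v[G_NAME], v[G_LOCATE], v[G_BPHONE], v[G_HPHONE], v[G_OTHER]);
    return p;
}

int main(void)
{
    /* Constructed input: the "other" line was deleted in the editor. */
    const char *f[G_FIELDS] = { "Jane Doe", "Room 1", "555-0100", "555-0199", NULL };
    char *g = build_gecos(f);
    printf("%s\n", g ? g : "(rejected)");
    free(g);
    return 0;
}
```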