Bugtraq mailing list archives

Re: OpenBSD xlock exploit


From: Riley Hassell <riley () SPEAKEASY NET>
Date: Mon, 9 Oct 2000 10:30:12 -0700

What about the chsh,chfn passwd locking problem?

I have talked to several admins who have had the problem with the locked
passwd file. Yet there is no information online on how to fix it.

In this case it's just: rm -rf /etc/ptmp

OPENBSD chsh,chfn locking issue:
chfn, Control+Z to throw it into the background, then kill the process,
leaving the stale lock file /etc/ptmp.

Now users cannot execute chsh,chfn.

previous conversation >>>>>>>

From riley () speakeasy net Tue Sep 19 05:55:33 2000 +0000
Status: R
X-Status: A
X-Keywords:
Return-Path: <deraadt () cvs openbsd org>
Delivered-To: riley () speakeasy net
Received: (qmail 9638 invoked from network); 19 Sep 2000 05:55:32 -0000
Received: from unknown (HELO cvs.openbsd.org) (199.185.137.3)
  by gonzo.speakeasy.net with SMTP; 19 Sep 2000 05:55:32 -0000
Received: from cvs.openbsd.org (IDENT:deraadt@localhost [127.0.0.1])
        by cvs.openbsd.org (8.10.1/8.10.1) with ESMTP id e8J5tR902625
        for <riley () speakeasy net>; Mon, 18 Sep 2000 23:55:27 -0600 (MDT)
Message-Id: <200009190555.e8J5tR902625 () cvs openbsd org>
To: Riley Hassell <riley () speakeasy net>
Subject: Re: Denial of Service
In-reply-to: Your message of "Mon, 18 Sep 2000 22:13:21 PDT."
             <Pine.LNX.4.21.0009182210420.5517-100000 () web0 speakeasy net>
Date: Mon, 18 Sep 2000 23:55:27 -0600
From: Theo de Raadt <deraadt () cvs openbsd org>

> I have found a small vulnerability in the chfn/chsh commands on OpenBSD
> 2.7 that allows someone with a local account to lock up the passwd file.
>
> Who should I notify to help get this fixed?

We already know about that.  We don't know how to fix it.

End conversation >>>>>>>



I have yet to see a fix....


Also, maybe you guys shouldn't riddle all of your utils with getlogin().

;) xterm -ut doesn't write to the utmp


grep works really well, "man grep"



Riley Hassell
Network Security Consultant
riley () speakeasy org http://cyphernaut.net


On Fri, 6 Oct 2000, Theo de Raadt wrote:

> > why don't you tell people about shit like this, then all this commotion can
> > be avoided.
>
> We did.
>
> > Like K2 said.. maybe a mention in the CHANGELOG
>
> You mean, like how http://www.openbsd.org/plus.html contains a big fat
> red marker about this issue, and has since the day we fixed the bug?
>
> Or how http://www.openbsd.org/security.html#27 has a big note pointing
> to the errata entry?
>
> Or how about how even http://www.openbsd.org/errata.html has a big block
> about it, and a link to the patch file.
>
> I am sorry, but you and K2 are out of line when you say that we didn't
> tell the world about this.  We did.
>
> > or an advisory written,
>
> For xlock, we did not write an advisory, but it was pretty clear on
> bugtraq that it affected pretty much everyone.  Why are you so
> surprised?  Are you perhaps just out of touch?
>
> > instead of fixing a problem and not notifying other users of a
> > specific security vulnerability in a particular application.
>
> When we know, or deeply suspect, that something is a security hole, we
> put patches out.
>
> However, when we fix a couple hundred format string bugs, we do not
> post a patch for every one of them.  Nor do we do all that much
> thinking about which ones are going to be exploitable, since we don't
> write exploits, and also tend to be rather busy with a whole bunch of
> other stuff too.
>
> You'll note that we were real sure the ftpd one was, and we did put a
> patch out for that.  For talkd, we still don't know.  We have a curses
> patch too for setuid/setgid programs that end up loading
> $HOME/.termlib when they shouldn't, since then they run into the
> hundreds of other potential bugs in curses.  Those errata entries are
> going up within the hour.  The chain of command did break down, I
> mean, I am even in Sweden and these errata should have gone out the
> hour that we became aware of potential things, considering fixes were
> written before we knew they were real security issues.
>
> We do not want to cry wolf.
>
> So, and I see this with sincere sarcasm, do you want me to post all of
> our patches for all of our format string fixes?  I can, if you really
> want.  Think about where bugtraq would head if we were to do that.
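The lock-file failure described at the top of the message (suspend chfn, kill it, /etc/ptmp is left behind and every later chfn/chsh fails) replayed as an added example. This is editor-written demonstration code, not OpenBSD's chfn or its passwd-locking routine, and it uses a hypothetical path /tmp/ptmp-demo.lock so it runs unprivileged on Linux or any BSD. A child process takes the lock the way the thread describes, an O_EXCL exclusive create (the part that goes stale), and additionally a kernel-held fcntl() write lock on the same file (which the kernel releases when the holder dies, however it dies); the parent kills the child with SIGKILL and checks both. clear_stale_lock() is the thread's "rm /etc/ptmp" remedy made safe: it removes the file only when the kernel reports no live holder.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical demo path; the real lock in the thread is /etc/ptmp (root only). */
#define DEMO_LOCK_PATH "/tmp/ptmp-demo.lock"

/* Classic lock-file idiom: exclusive create. If the creator dies without
 * unlinking, the file stays behind and every later O_EXCL open fails. */
static int lockfile_create(const char *path)
{
    return open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
}

/* Kernel-held advisory write lock on the whole file (l_start = l_len = 0).
 * The kernel drops it automatically when the holding process exits. */
static int kernel_lock(int fd)
{
    struct flock fl;
    memset(&fl, 0, sizeof fl);
    fl.l_type = F_WRLCK;
    fl.l_whence = SEEK_SET;
    return fcntl(fd, F_SETLK, &fl);
}

/* 1 if another process holds a write lock on path, 0 if free, -1 on error
 * (errno set, e.g. ENOENT when the file does not exist). */
int lock_held_by_other(const char *path)
{
    struct flock fl;
    int fd = open(path, O_RDWR);
    if (fd < 0)
        return -1;
    memset(&fl, 0, sizeof fl);
    fl.l_type = F_WRLCK;
    fl.l_whence = SEEK_SET;
    if (fcntl(fd, F_GETLK, &fl) < 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return fl.l_type != F_UNLCK;   /* F_GETLK reports a conflicting lock */
}

/* The thread's remedy (rm the lock file), but only when nobody holds it.
 * Returns 1 if a stale file was removed, 0 if the lock is live or the file
 * is absent, -1 on error. */
int clear_stale_lock(const char *path)
{
    int held = lock_held_by_other(path);
    if (held < 0)
        return errno == ENOENT ? 0 : -1;
    if (held)
        return 0;
    return unlink(path) == 0 ? 1 : -1;
}

/* Replay the scenario: a child takes the lock like a suspended chfn, then is
 * killed. Returns what lock_held_by_other() reported while the child was
 * alive (expected 1), or -1 on error. */
int simulate_killed_locker(const char *path)
{
    int pipefd[2], held_before;
    char c;
    pid_t pid;

    unlink(path);                     /* start clean */
    if (pipe(pipefd) < 0)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                   /* child: the "chfn" */
        int fd = lockfile_create(path);
        close(pipefd[0]);
        if (fd < 0 || kernel_lock(fd) < 0)
            _exit(1);
        if (write(pipefd[1], "L", 1) != 1)
            _exit(1);                 /* tell the parent the lock is held */
        close(pipefd[1]);
        pause();                      /* parked, like Control+Z */
        _exit(0);
    }
    close(pipefd[1]);
    if (read(pipefd[0], &c, 1) != 1) { /* child died before locking */
        close(pipefd[0]);
        waitpid(pid, NULL, 0);
        return -1;
    }
    close(pipefd[0]);
    held_before = lock_held_by_other(path);
    kill(pid, SIGKILL);               /* the "kill the process" step */
    waitpid(pid, NULL, 0);
    return held_before;
}

int main(void)
{
    printf("lock held while child alive: %d\n",
           simulate_killed_locker(DEMO_LOCK_PATH));
    printf("lock file still present after kill: %s\n",
           access(DEMO_LOCK_PATH, F_OK) == 0 ? "yes" : "no");
    printf("kernel lock still held after kill: %d\n",
           lock_held_by_other(DEMO_LOCK_PATH));
    printf("stale lock removed: %d\n", clear_stale_lock(DEMO_LOCK_PATH));
    return 0;
}
```

The liveness check is the whole point. A bare O_EXCL file has no owner the kernel tracks, so nothing can distinguish a parked chfn from a dead one, which is why the stale /etc/ptmp blocks everyone until an admin removes it by hand. With a kernel-held lock on the same file, "stale" has a precise meaning: the file exists but F_GETLK says it is free. This demonstrates the mechanism only; it is not the fix OpenBSD eventually shipped, which this page does not describe, and note that fcntl locks are per process, so a program must not close any other descriptor to the lock file while it still needs the lock.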



