[423] in linux-security and linux-alert archive
URGENT: Linux Security FAQ Update#7: adduser-1.0 script vulnerability
daemon@ATHENA.MIT.EDU (alex)
Wed Oct 18 16:08:35 1995
Date: Tue, 17 Oct 1995 20:34:06 -0400 (EDT)
From: alex <alex@bach.cis.temple.edu>
To: Linux Security Mailing List <linux-security@tarsier.cv.nrao.edu>,
linux-alert@tarsier.cv.nrao.edu
Reply-To: linux-security@tarsier.cv.nrao.edu
[NB: I didn't write the adduser replacement; I just modified it. --okir]
-----BEGIN PGP SIGNED MESSAGE-----
adduser-1.0 Security Vulnerability
LINUX SECURITY FAQ UPDATE
October 17, 1995 15:30:01 EST
Copyright (C) 1995 Alexander O. Yuriev (alex@bach.cis.temple.edu)
CIS Laboratories
TEMPLE UNIVERSITY
U.S.A.
=============================================================================
This is an official update of the Linux security FAQ, and it is supposed to
be signed by one of the following PGP keys:
1024/544C7805 1994/07/17 Jeffrey A. Uphoff <juphoff@nrao.edu>
Jeffrey A. Uphoff <jeff.uphoff@linux.org>
1024/EFE347AD 1995/02/17 Olaf Kirch <okir@monad.swb.de>
1024/ADF3EE95 1995/06/08 Linux Security FAQ Primary Key <Alexander O. Yuriev>
Unless you are able to verify at least one of the signatures, please be very
careful when following instructions.
Linux Security WWW: http://bach.cis.temple.edu/linux/linux-security/
linux-security & linux-alert mailing list archives:
ftp://linux.nrao.edu/pub/linux/security/list-archive/
=============================================================================
VULNERABILITY
*************
The adduser 1.0 script, used on many systems to add a new user account, has a vulnerability that in some cases allows the owner of the created account to gain unauthorized root access. The original version of this script had a mistake in the algorithm used to generate a new UID: on systems that had accounts with a UID close to 65535 (i.e. 'nobody' accounts with UID -2 or -1), the newly generated account received UID 0.
AFFECTED DISTRIBUTIONS:
***********************
RED HAT
=======
Red Hat 2.0 uses a vulnerable version of the adduser script. Fortunately, Red Hat 2.0 systems by default do not have any accounts with a UID higher than 1000. Nevertheless, an updated package is available from the following places:
ftp://ftp.pht.com/pub/linux/redhat/redhat-2.0/updates/RPMS/adduser-1.1-1.i386.rpm
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat2.0/adduser-1.1-1.i386.rpm
ftp://linux.nrao.edu/pub/people/alex/DISTRIBUTION-FIXES/RedHat2.0/adduser-1.1-1.i386.rpm
Please verify the MD5 message digest of the upgrade before installing it. It must be:
MD5 (adduser-1.1-1.i386.rpm) = 543fab52c0cf6ae4751858d08cf958bd
The upgrade can be performed using the command
rpm -USvh adduser-1.1-1.i386.rpm
CALDERA DESKTOP
===============
Unfortunately, at this time we are not able to provide adequate information about the vulnerability of Caldera Desktop; however, because Caldera Desktop is based on Red Hat 2.0, we recommend installing the updated adduser script.
SLACKWARE
=========
By default Slackware does not use the vulnerable adduser script, although we do recommend that you check. If it does, replace your adduser script with the one located at:
ftp://bach.cis.temple.edu/pub/Linux/Security/adduser-1.1-ok.gz
ftp://linux.nrao.edu/pub/people/alex/adduser-1.1-ok.gz
Please verify the MD5 message digest of adduser-1.1-ok.gz before installing it. It must be:
MD5 (adduser-1.1-ok.gz) = ceadb362f6761c59fc8e37e5ef7dcd29
OTHER DISTRIBUTIONS
===================
Please follow the instructions under the Slackware section.
THE REPLACEMENT SCRIPT
**********************
The replacement script was written by Olaf Kirch some time ago (probably when we discussed the possibility of UID roll-over on the linux-security mailing list). This script also uses a slightly different user ID allocation algorithm: it takes the first unused user ID after UID 500.
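The two allocation schemes side by side, as an added illustration that is not part of this update and not Olaf Kirch's script: the flawed "highest UID plus one" scheme is an assumed reconstruction of the failure mode described above (it assumes a 16-bit uid_t, so 65535 + 1 wraps to 0), and the "first unused UID after 500" scheme follows the description of the replacement. The passwd file is a constructed sample, and uid_is_safe is a hypothetical sanity check a site could add to any adduser wrapper.

```shell
#!/bin/sh
# Constructed sample passwd file (not from any real system).  The 'nobody'
# account carries UID 65535, i.e. -1 as a 16-bit value.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
nobody:x:65535:65535:Nobody:/:/bin/false
alice:x:501:501:Alice:/home/alice:/bin/sh
carol:x:503:503:Carol:/home/carol:/bin/sh
EOF

# Assumed reconstruction of the flawed scheme: highest UID in the file plus
# one.  Reduced modulo 2^16 to model a 16-bit uid_t, 65535 + 1 becomes 0,
# so the new account would be root.
next_uid_max_plus_one() {
  max=$(cut -d: -f3 "$1" | sort -n | tail -1)
  echo $(( (max + 1) % 65536 ))
}

# The replacement's scheme as described in the update: the first UID after
# 500 that no passwd entry uses.  High system UIDs never influence it.
next_uid_first_free() {
  uid=501
  while grep -q "^[^:]*:[^:]*:$uid:" "$1"; do
    uid=$((uid + 1))
  done
  echo "$uid"
}

# Hypothetical guard for any adduser wrapper: reject UID 0 and any UID that
# already exists in the passwd file.  Usage: uid_is_safe UID PASSWD_FILE
uid_is_safe() {
  [ "$1" -gt 0 ] && ! grep -q "^[^:]*:[^:]*:$1:" "$2"
}

echo "max+1 scheme allocates:      $(next_uid_max_plus_one "$SAMPLE_PASSWD")"
echo "first-free scheme allocates: $(next_uid_first_free "$SAMPLE_PASSWD")"
```

On the sample above the flawed scheme hands out UID 0 while the replacement scheme hands out 502, the gap between alice and carol; the guard rejects the former and accepts the latter.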
CREDITS
*******
The following people helped in preparing this update and fix:
Marc R. Ewing <marc@redhat.com>
Olaf Kirch <okir@monad.swb.de>
Jennifer Burke
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMIRHPIxFUz2t8+6VAQHCfwP+NK3JiT93q0x7gyJnh37KlUqvRA66ssj2
YCamjV87yNqB5419ctWOe9nPwUMelYuFXnR7cw+a7HMhmFM7nXnOhB3TN5Rari+U
MCKkhxnIpwrPh/c6MPsX3mVXW9XW/7sDeCOTdXqUJC9dveY0OHxdd6T639u5UcAA
Y9HK6NmGUt4=
=tzew
-----END PGP SIGNATURE-----