[172] in Best-of-Security
BoS: SunOS exploit.
daemon@ATHENA.MIT.EDU (Greg A. Woods)
Tue May 20 19:34:55 1997
Date: Tue, 20 May 1997 16:42:13 -0400 (EDT)
From: woods@most.weird.com (Greg A. Woods)
Cc: best-of-security@suburbia.net
In-Reply-To: Trevor Linton's message of "Sun, May 18, 1997 13:36:00 +0000" regarding "BoS: SunOS exploit." id <Pine.LNX.3.95.970518132950.590A-100000@sedated.net>
Reply-To: woods@weird.com (Greg A. Woods)
Errors-To: best-of-security-request@suburbia.net
To: best-of-security@suburbia.net
Resent-From: best-of-security@suburbia.net
[ On Sun, May 18, 1997 at 13:36:00 (+0000), Trevor Linton wrote: ]
> Subject: BoS: SunOS exploit.
>
> Well first off chsh and chfn are +s'ed. This is a bad idea in the first
> place. Second off chsh and chfn use the function getenv("USER"); most
> programs bother to use this instead of geteuid(). getenv("USER") reports
> that the user is root (while geteuid() would report the real userid) and
> then since chsh and/or chfn is +s'ed it'll change root's shell user
> information or ANYONE on the system's information!
First off /usr/bin/chsh and /usr/bin/chfn and /usr/bin/passwd and
/usr/bin/ypchfn and /usr/bin/ypchsh are all the same program and *must*
be setuid-root in order that they be permitted to modify /etc/passwd.

Second, on the SunOS-4.1.1_U1 and SunOS-4.1.4 systems that I have access
to, this program does not use getenv("USER") [in fact it doesn't appear
to use getenv(3) at all -- they are linked shared and thus this is
fairly easy to see if one assumes the libc version would have been used].

Thirdly, I can't replicate this problem on the systems I have access to.
My guess is you may be testing with a local version of chfn, not the one
supplied with the operating system. Either that or you may be using an
older version of SunOS (3.x?).
> 3) possibly get the programmers of bash to fix it so USER and
> LOGNAME can't be modified unless it's super-user.

This can be done with the "readonly" builtin: 'readonly USER'. It
doesn't really help protect anything though.
--
Greg A. Woods
+1 416 443-1734 VE3TCP robohack!woods
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
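Added example, not part of the e-mail thread above and not the SunOS chfn source: a toy model of a setuid-root chsh that chooses the account to edit from the caller-controlled USER environment variable (the bug Trevor describes), beside one that identifies the caller by the real uid the kernel reports. The passwd table, the user "alice" (uid 1000) and the function names are constructed for the demo; nothing on the real system is modified. The comment in main() also shows why 'readonly USER' in bash does not help: env(1) is a separate process and sets USER to whatever the attacker likes.

```c
/*
 * Toy setuid-root chsh: which account gets edited?
 * Constructed example; the passwd "database" is an in-memory table.
 */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>

#define NSHELL 64

struct toy_pw {
    const char *name;
    unsigned    uid;
    char        shell[NSHELL];
};

/* Constructed sample table: root plus one ordinary user. */
static struct toy_pw db[] = {
    { "root",  0,    "/bin/sh"  },
    { "alice", 1000, "/bin/csh" },
};
static const int ndb = sizeof db / sizeof db[0];

static struct toy_pw *find_by_name(const char *name)
{
    for (int i = 0; i < ndb; i++)
        if (strcmp(db[i].name, name) == 0)
            return &db[i];
    return NULL;
}

static struct toy_pw *find_by_uid(unsigned uid)
{
    for (int i = 0; i < ndb; i++)
        if (db[i].uid == uid)
            return &db[i];
    return NULL;
}

/* Current shell of an account, or NULL if unknown (helper for checks). */
const char *shell_of(const char *name)
{
    struct toy_pw *pw = find_by_name(name);
    return pw ? pw->shell : NULL;
}

/*
 * INSECURE: trusts $USER, which the invoker sets freely.
 * user_env is what getenv("USER") returned. Returns 0 on success, -1 if
 * there is no such account.
 */
int chsh_trusting_env(const char *user_env, const char *new_shell)
{
    if (user_env == NULL)
        return -1;
    struct toy_pw *pw = find_by_name(user_env);
    if (pw == NULL)
        return -1;
    snprintf(pw->shell, NSHELL, "%s", new_shell);
    return 0;
}

/*
 * SECURE: the account is the one owning the real uid. In a setuid-root
 * binary geteuid() is 0, but getuid() is still the invoker, and it cannot
 * be forged from the environment. real_uid is passed in so the logic can
 * be exercised without running as a particular user.
 */
int chsh_by_real_uid(unsigned real_uid, const char *new_shell)
{
    struct toy_pw *pw = find_by_uid(real_uid);
    if (pw == NULL)
        return -1;
    snprintf(pw->shell, NSHELL, "%s", new_shell);
    return 0;
}

int main(void)
{
    /* Attacker as alice runs:  env USER=root ./chsh /tmp/evil
     * 'readonly USER' in bash does not stop this; env(1) sets it anyway. */
    chsh_trusting_env("root", "/tmp/evil");
    printf("env-trusting chsh changed root's shell to: %s\n", shell_of("root"));

    /* Same request through the real-uid path only touches alice. */
    chsh_by_real_uid(1000, "/bin/ksh");
    printf("real-uid chsh: root=%s alice=%s\n", shell_of("root"), shell_of("alice"));

    /* In a real tool the uid comes from the kernel, not a parameter: */
    struct passwd *pw = getpwuid(getuid());
    printf("this process: real uid %u (%s), effective uid %u\n",
           (unsigned)getuid(), pw ? pw->pw_name : "?", (unsigned)geteuid());
    return 0;
}
```

The only difference between the two functions is where the identity comes from; everything else (lookup, write) is identical, which is exactly why this class of bug is easy to miss in review.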