[2661] in bugtraq
[linux-alert] Serious Security hole in getpwnam () [Forwarded
daemon@ATHENA.MIT.EDU (Jeff Uphoff)
Mon Jun 3 14:44:41 1996
Date: Mon, 3 Jun 1996 11:20:57 -0400
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
X-To: bugtraq@crimelab.com, best-of-security@suburbia.net
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
------- start of forwarded message (RFC 934 encapsulation) -------
From: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
Sender: owner-linux-alert@tarsier.cv.nrao.edu
To: linux-alert@tarsier.cv.nrao.edu, linux-security@tarsier.cv.nrao.edu
Subject: [linux-alert] Serious Security hole in getpwnam ()
Date: Tue, 28 May 1996 11:02:41 -0400
Reply-To: linux-security@tarsier.cv.nrao.edu
This is a *very* serious hole that affects Linux-based NIS client
systems. A more formal alert will be posted once a fixed version of
libc has been officially released.
For those that don't want to (or can't) patch and recompile their own
fixed version of libc, I recommend the *immediate* removal of all "stub"
NIS username entries, of the forms described in the attached message,
from /etc/passwd.
- - --Up.
[Please note that the PGP and forwarding encapsulations have modified
the MIME headers and the diff/patch segment.]
- - ------- start of forwarded message (RFC 934 encapsulation) -------
From: Arno Schaefer <aschaefe@crcg.edu>
Sender: schaefer@crcg.edu
Organization: Fraunhofer CRCG, Inc.
To: juphoff@nrao.edu
Subject: Serious Security hole in getpwnam ()
Date: Fri, 24 May 1996 15:37:54 -0400
Jeff,
I just discovered a major security hole in the getpwnam() function
in the current libc (5.3.12, probably present in all previous
versions). It can be exploited if there is an entry in the form
+username::::::
or
-username::::::
or similar in /etc/passwd (an entry to admit or exclude a single user
from the NIS passwd file).
By typing 'su +username' or 'su -- -username' resp. you become root
without being asked for a passwd.
'login' is not vulnerable, so only users with shell access to the
machine can exploit the bug.
I tried it on two different systems that used NIS, both running
Slackware 3.0, libc 5.3.12 and 5.0.9, resp. It can only be used
if an entry of the form described above is present, so many systems
that do not use NIS or that have only a standard '+' entry are safe
against this attack.
This apparently has been known for a long time, since the source for
'login' reads:
    /* Dirty patch to fix a gigantic security hole when using
       yellow pages. This problem should be solved by the
       libraries, and not by programs, but this must be fixed
       urgently! If the first char of the username is '+', we
       avoid login success.
       Feb 95 <alvaro@etsit.upm.es> */
    if (username[0] == '+') {
        puts("Illegal username");
        badlogin(username);
        sleepexit(1);
    }
but probably due to bad communication it was not fixed in libc.
A similar bug in the same function was fixed over a year ago
('su +' or 'su +@netgroup'), but strangely nobody thought about
'su +username'.
I attach a patch that fixes the hole - it was taken against libc
5.3.12, but should be easily adaptable to other versions. I was
already in contact with H.J. Lu and expect that the next version
of libc will contain this patch.
I think this info should be forwarded to the linux-alert mailing
list.
Regards,
Arno
--
Arno Schaefer - aschaefe@crcg.edu
Fraunhofer Center for Research in Computer Graphics, Providence RI
-- Opinions expressed are my own and not those of Fraunhofer CRCG --
Never attribute to malice that which can be adequately explained by
stupidity
Content-Disposition: inline; filename="getpwnam.patch"
Index: getpwnam.c
===================================================================
RCS file: /home/work/cvs/linux/libc/pwd/getpwnam.c,v
retrieving revision 1.5
diff -c -r1.5 getpwnam.c
*** getpwnam.c 1996/05/22 15:49:37 1.5
- - - --- getpwnam.c 1996/05/23 06:59:32
***************
*** 53,58 ****
- - - --- 53,63 ----
register FILE *stream;
register struct passwd *p;
+ #ifdef YP
+ if (name[0] == '-' || name[0] == '+')
+ return NULL;
+ #endif
+
if (info == NULL)
{
info = __pwdalloc();
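Review bot: the new guard at the top of the hunk is compiled only under `#ifdef YP`, yet the accompanying mail describes the trigger as a literal `+username::::::` line sitting in /etc/passwd, which a libc built without YP would presumably read as an ordinary account and return just the same; consider applying the `name[0] == '-' || name[0] == '+'` check unconditionally, or documenting why a non-YP build does not need it. The early `return NULL` also carries no comment; a one-line note that '+'/'-' names are NIS stub entries and never real accounts would keep the next reader from removing it as dead code.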
- - ------- end -------
[Mod: I have also verified the existence of this hole in libc-4.6.27
(a.out). --Jeff.]
------- end -------
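The workaround Jeff recommends above, removing the per-user NIS stub entries from /etc/passwd, as an added audit script; it is not code from the advisory or from libc, and the passwd text it runs on by default is a constructed sample.

```python
"""Audit /etc/passwd for the per-user NIS stub entries ("+user", "-user")
that the unpatched getpwnam() matches literally.  Added example, not code
from the advisory or from libc.  The sample passwd text is constructed."""
import sys

# Constructed sample: local accounts, a netgroup stub, two per-user stubs
# (the forms the advisory describes) and the standard "+" wildcard line.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
+@staff::::::
+alice::::::
-mallory::::::
+:*:::::/bin/false
alice:x:1001:100:Alice:/home/alice:/bin/bash
"""

def classify(line):
    """Kind of passwd line: 'local', 'wildcard', 'netgroup' or 'user-stub'."""
    name = line.split(":", 1)[0]
    if not name or name[0] not in "+-":
        return "local"
    if len(name) == 1:
        return "wildcard"      # plain "+" / "-": not affected by this hole
    if name[1] == "@":
        return "netgroup"      # "+@group" / "-@group": fixed in an earlier libc
    return "user-stub"         # "+user" / "-user": matched literally by getpwnam()

def find_user_stubs(passwd_text):
    """Return (lineno, name, empty_password, empty_uid) for each per-user stub.
    Empty password and uid fields make a literal match dangerous: no password
    is checked, and an empty uid field parsed atoi()-style is 0 (root)."""
    findings = []
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        if not line or line.startswith("#") or classify(line) != "user-stub":
            continue
        fields = line.split(":")
        fields += [""] * (7 - len(fields))      # tolerate short lines
        findings.append((lineno, fields[0], fields[1] == "", fields[2] == ""))
    return findings

if __name__ == "__main__":
    # Audit the file named on the command line, or the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for lineno, name, no_pw, no_uid in find_user_stubs(text):
        print(f"line {lineno}: remove NIS stub {name!r}"
              f" (password empty: {no_pw}, uid empty: {no_uid})")
```

Run it as `python3 audit_passwd.py /etc/passwd` on an NIS client; the plain "+" line and "+@netgroup" lines are reported as safe kinds and left alone.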