[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : chpass family contains local root vulnerability

Title: chpass family contains local root vulnerability
Released by: FreeBSD
Date: 30th October 2000
Printable version: Click here


FreeBSD-SA-00:58                                           Security Advisory

                                                                FreeBSD, Inc.

Topic:          chpass family contains local root vulnerability

Category:       core

Module:         chfn/chpass/chsh/ypchfn/ypchpass/ypchsh/passwd

Announced:      2000-10-30

Credits: Problem fixed during internal auditing.

Vulnerability pointed out by: caddis 

Affects:        FreeBSD 3.x (all releases), FreeBSD 4.0-RELEASE,

FreeBSD 4.0-STABLE prior to the correction date

Corrected:      2000/07/20 (FreeBSD 4.0-STABLE)

2000/10/04 (FreeBSD 3.5.1-STABLE)

FreeBSD only:   NO

I.   Background

ch{fn,pass,sh} are utilities for changing user "finger" information,

passwords, and login shell, respectively. The yp* variants perform the

analogous changes on a NIS account.

II.  Problem Description

A "format string vulnerability" was discovered in code used by the

vipw utility during an internal FreeBSD code audit in July 2000. The

vipw utility does not run with increased privileges and so it was

believed at the time that it did not represent a security

vulnerability. However it was not realised that this code is also

shared with other utilities -- namely chfn, chpass, chsh, ypchfn,

ypchpass, ypchsh and passwd -- which do in fact run setuid root.

Therefore, the problem may be exploited by unprivileged local users to

gain root access to the local machine.

All versions of FreeBSD prior to the correction date including 4.0 and

3.5.1 are vulnerable to this problem, but it was fixed in the 4.x

branch prior to the release of FreeBSD 4.1.

III. Impact

Local users can obtain root privileges on the local machine.

IV.  Workaround

Remove the setuid bit on the following utilities. This has the

side-effect that non-root users cannot change their finger

information, passwords, or login shells.

# chflags noschg /usr/bin/chfn /usr/bin/chpass /usr/bin/chsh

# chmod u-s /usr/bin/chfn /usr/bin/chpass /usr/bin/chsh

# chflags noschg /usr/bin/ypchfn /usr/bin/ypchpass /usr/bin/ypchsh

# chmod u-s /usr/bin/ypchfn /usr/bin/ypchpass /usr/bin/ypchsh

# chflags noschg /usr/bin/passwd

# chmod u-s /usr/bin/passwd

V.   Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4.1-RELEASE,

4.1.1-RELEASE, 4.1.1-STABLE or 3.5.1-STABLE after the respective

correction dates.

2) Apply the patch below and recompile the respective files:

Either save this advisory to a file, or download the patch and

detached PGP signature from the following locations, and verify the

signature using your PGP utility.



Execute the following commands as root:

# cd /usr/src/usr.sbin/vipw

# patch -p < /path/to/patch_or_advisory

# make depend && make all install

# cd /usr/src/usr.bin/chpass/

# make depend && make all install

# cd /usr/src/usr.bin/passwd/

# make depend && make all install

Patch for vulnerable systems:

    --- pw_util.c   1999/08/28 01:20:31     1.17

    +++ pw_util.c   2000/07/12 00:49:40     1.18

    @@ -250,7 +250,7 @@

            extern int _use_yp;

     #endif /* YP */

            if (err)

    -               warn(name);

    +               warn("%s", name);

     #ifdef YP

            if (_use_yp)

                    warnx("NIS information unchanged");


Version: GnuPG v1.0.4 (FreeBSD)

Comment: For info see http://www.gnupg.org







(C) 1999-2000 All rights reserved.