Re: RAZOR advisory: Linux util-linux chfn local root vulnerability

From: Andrew Pimlott (andrew@pimlott.net)
Date: 07/30/02


Date: Tue, 30 Jul 2002 01:35:36 -0400
To: Michal Zalewski <lcamtuf@coredump.cx>
From: Andrew Pimlott <andrew@pimlott.net>

On Mon, Jul 29, 2002 at 10:51:50AM -0400, Michal Zalewski wrote:
> the administrator will most likely add "rm -f /etc/ptmp" or
> equivalent to his crontab

If he is smart, he will check whether the file is open (e.g. with
fuser) before removing it. So your attack does require an
administrator mistake.

However! There appears to be an attack that does not require any
administrator action.

> 1. /etc/ptmptmp file is opened with O_WRONLY|O_CREAT, 0644 perms
> 2. the file is linked to /etc/ptmp, exit on failure
> 3. /etc/ptmptmp is removed
>
> Later, the descriptor obtained in step 1 is used for writing to
> construct the new /etc/passwd contents. This is done line by line, by
> calling the fputs() routine. When the new file is ready, three more
> steps are taken:
>
> 4. /etc/passwd.OLD is removed
> 5. /etc/passwd is linked to /etc/passwd.OLD
> 6. /etc/ptmp is renamed to /etc/passwd

    chfn 1                  chfn 2                  chfn 3

    open /etc/ptmptmp       open /etc/ptmptmp
    link -> /etc/ptmp
    rm /etc/ptmptmp
    fputs() ...
    mv -> /etc/passwd

At this point, chfn 2 has a fd open to /etc/passwd.

                                                    open /etc/ptmptmp
                            ln -> /etc/ptmp
                            rm /etc/ptmptmp
                            fputs() ...

chfn 2 is now scribbling over /etc/passwd, and may at some point
create an "improved" password entry.

This is based on what Michal wrote; I haven't tested it.

> step 3 ensures that no process will work on the hardlink of
> /etc/passwd after the procedure is completed.

If what Michal wrote is complete, it does not.

Andrew
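A worked replay of the overlap Andrew lays out above, added here as an example and not code from util-linux or from the post: it runs the open/link/unlink/rename steps for two overlapping chfn instances inside one process under a scratch directory, then shows that creating the temporary name with O_CREAT|O_EXCL refuses the second opener, and that an fstat/stat identity check before writing detects a descriptor that has silently become the live passwd file. The scratch path under /tmp, the file names and the sample passwd line are constructed for the demo.

```c
/* Added example, not util-linux code: replay the advisory's open/link/unlink/
 * rename sequence with two "chfn" openers in one process under a scratch
 * directory (never /etc), and show what O_EXCL on the temporary name plus an
 * fstat/stat identity check before writing would catch. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if fd still refers to the inode currently named by path, else 0. */
static int fd_matches_path(int fd, const char *path) {
    struct stat fs, ps;
    if (fstat(fd, &fs) != 0 || stat(path, &ps) != 0) return 0;
    return fs.st_dev == ps.st_dev && fs.st_ino == ps.st_ino;
}

/* Returns 0 if chfn 2 is refused at open() (O_EXCL), 1 if it obtains a
 * descriptor that the identity check finds aliasing the live passwd file
 * (the overlap Andrew describes), 2 if its descriptor still names ptmp,
 * -1 on an unexpected system call failure. */
int replay_race(int use_excl) {
    char dir[] = "/tmp/ptmp-demo-XXXXXX", tmp[64], lock[64], target[64];
    int flags = O_WRONLY | O_CREAT | (use_excl ? O_EXCL : 0), result = 2;
    const char *line = "root:x:0:0::/root:/bin/sh\n";   /* constructed sample */
    if (!mkdtemp(dir)) return -1;                      /* scratch stand-in for /etc */
    snprintf(tmp, sizeof tmp, "%s/ptmptmp", dir);
    snprintf(lock, sizeof lock, "%s/ptmp", dir);
    snprintf(target, sizeof target, "%s/passwd", dir);
    int fd1 = open(tmp, flags, 0644);                  /* chfn 1, step 1 */
    int fd2 = open(tmp, flags, 0644);                  /* chfn 2, before step 3 */
    if (fd1 < 0 || link(tmp, lock) || unlink(tmp)) return -1;  /* chfn 1, steps 2-3 */
    if (write(fd1, line, strlen(line)) < 0) return -1; /* chfn 1 fputs() */
    if (rename(lock, target)) return -1;               /* chfn 1, step 6 */
    if (fd2 < 0) {
        result = 0;                                    /* O_EXCL gave EEXIST */
    } else {
        int fd3 = open(tmp, flags, 0644);              /* chfn 3, step 1 */
        if (fd3 < 0 || link(tmp, lock) || unlink(tmp)) return -1; /* chfn 2, steps 2-3 */
        if (fd_matches_path(fd2, lock))                /* still ptmp: safe to write */
            result = write(fd2, line, strlen(line)) < 0 ? -1 : 2;
        else                                           /* fd2 has become passwd */
            result = fd_matches_path(fd2, target) ? 1 : -1;
        close(fd3); close(fd2);
    }
    close(fd1); unlink(lock); unlink(target); rmdir(dir);
    return result;
}
```

With plain O_CREAT the replay returns 1 (the second opener's descriptor now names the passwd file); with O_CREAT|O_EXCL it returns 0 because the second open fails with EEXIST.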
