From rafi@tavor.openu.ac.il Tue Jun 4 05:10:17 1996
Received: from sol.cs.openu.ac.il (rafi@sol.cs.openu.ac.il [147.233.32.35]) by suburbia.net (8.7.4/Proff-950810) with SMTP id FAA18690 for ; Tue, 4 Jun 1996 05:10:00 +1000
Received: from localhost by sol.cs.openu.ac.il with SMTP id AA15760 (5.67b/IDA-1.5 for ); Mon, 3 Jun 1996 22:10:07 +0300
Date: Mon, 3 Jun 1996 22:10:06 +0300 (IDT)
From: Rafi Sadowsky
X-Sender: rafi@sol.cs.openu.ac.il
To: Best Of Security List
Subject: BoS: [linux-alert] Serious Security hole in getpwnam () [Forwarded e-mail from Jeff Uphoff] (fwd)
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

this regards linux with YOP

Rafi

--
Rafi Sadowsky  rafi@tavor.openu.ac.il [postmaster@openu.ac.il]
VoiceMail: +972-3-6460592  FAX: +972-3-6460744
Network Manager            | IsraeLi-Academic-Net-CERT (CERT-L@VM.TAU.AC.IL)
Open University of Israel  | Technical coordinator
(PGP key available by finger)

---------- Forwarded message ----------
Date: Mon, 3 Jun 1996 11:20:57 -0400
From: Jeff Uphoff
To: bugtraq@crimelab.com, best-of-security@suburbia.net
Subject: BoS: [linux-alert] Serious Security hole in getpwnam () [Forwarded e-mail from Jeff Uphoff]
Resent-Date: Tue, 4 Jun 1996 01:21:17 +1000
Resent-From: best-of-security@suburbia.net

------- start of forwarded message (RFC 934 encapsulation) -------
From: Jeff Uphoff
Sender: owner-linux-alert@tarsier.cv.nrao.edu
To: linux-alert@tarsier.cv.nrao.edu, linux-security@tarsier.cv.nrao.edu
Subject: [linux-alert] Serious Security hole in getpwnam ()
Date: Tue, 28 May 1996 11:02:41 -0400
Reply-To: linux-security@tarsier.cv.nrao.edu

- -----BEGIN PGP SIGNED MESSAGE-----

This is a *very* serious hole that affects Linux-based NIS client systems.  A more formal alert will be posted once a fixed version of libc has been officially released.
For those that don't want to (or can't) patch and recompile their own fixed version of libc, I recommend the *immediate* removal of all "stub" NIS username entries, of the forms described in the attached message, from /etc/passwd.

- - --Up.

[Please note that the PGP and forwarding encapsulations have modified the MIME headers and the diff/patch segment.]

- - ------- start of forwarded message (RFC 934 encapsulation) -------
From: Arno Schaefer
Sender: schaefer@crcg.edu
Organization: Fraunhofer CRCG, Inc.
To: juphoff@nrao.edu
Subject: Serious Security hole in getpwnam ()
Date: Fri, 24 May 1996 15:37:54 -0400

This is a multi-part message in MIME format.

- - - --------------63DB9C7E36AD404B638D1437
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Jeff,

I just discovered a major security hole in the getpwnam() function in the current libc (5.3.12, probably present in all previous versions).  It can be exploited if there is an entry in the form

    +username::::::

or

    -username::::::

or similar in /etc/passwd (an entry to admit or exclude a single user from the NIS passwd file).  By typing 'su +username' or 'su -- -username' resp. you become root without being asked for a passwd.  'login' is not vulnerable, so only users with shell access to the machine can exploit the bug.

I tried it on two different systems that used NIS, both running Slackware 3.0, libc 5.3.12 and 5.0.9, resp.  It can only be used if an entry of the form described above is present, so many systems that do not use NIS or that have only a standard '+' entry are safe against this attack.

This apparently has been known for a long time, since the source for 'login' reads:

    /* Dirty patch to fix a gigantic security hole when using yellow pages.
       This problem should be solved by the libraries, and not by programs,
       but this must be fixed urgently!
       If the first char of the username is '+', we avoid login success.
       Feb 95 */
    if (username[0] == '+') {
        puts("Illegal username");
        badlogin(username);
        sleepexit(1);
    }

but probably due to bad communication it was not fixed in libc.  A similar bug in the same function was fixed over a year ago ('su +' or 'su +@netgroup'), but strangely nobody thought about 'su +username'.

I attach a patch that fixes the hole - it was taken against libc 5.3.12, but should be easily adaptable to other versions.  I was already in contact with H.J. Lu and expect that the next version of libc will contain this patch.

I think this info should be forwarded to the linux-alert mailing list.

Regards,
Arno

--
Arno Schaefer - aschaefe@crcg.edu
Fraunhofer Center for Research in Computer Graphics, Providence RI
-- Opinions expressed are my own and not those of Fraunhofer CRCG --
Never attribute to malice that which can be adequately explained by stupidity

- - - --------------63DB9C7E36AD404B638D1437
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="getpwnam.patch"

Index: getpwnam.c =================================================================== RCS file: /home/work/cvs/linux/libc/pwd/getpwnam.c,v retrieving revision 1.5 diff -c -r1.5 getpwnam.c *** getpwnam.c 1996/05/22 15:49:37 1.5 - - - --- getpwnam.c 1996/05/23 06:59:32 *************** *** 53,58 **** - - - --- 53,63 ---- register FILE *stream; register struct passwd *p; + #ifdef YP + if (name[0] == '-' || name[0] == '+') + return NULL; + #endif + if (info == NULL) { info = __pwdalloc();

- - - --------------63DB9C7E36AD404B638D1437--

- - ------- end -------

[Mod: I have also verified the existence of this hole in libc-4.6.27 (a.out). --Jeff.]
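Review bot: the new guard `if (name[0] == '-' || name[0] == '+') return NULL;` dereferences name before anything else in the function; if getpwnam() can be entered with a NULL name, the patch turns that into a fault ahead of whatever the existing code did with it, so a `name == NULL ||` clause in the same test would be cheap insurance. The block also deserves a one-line comment on why such names are refused (the '+user' / '-user' lines are NIS admit/exclude directives in /etc/passwd, not accounts), since it is compiled only under YP and the 'login' source quoted above calls its own copy of this check a dirty patch that belongs in the library; without a comment the next maintainer may read it as dead code on a non-NIS build.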
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

------- end -------
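An added example, not part of the original mails or of libc: a small Python audit that flags the single-user NIS stub entries Jeff recommends removing from /etc/passwd, and models the lookup for the vulnerable and the patched getpwnam() side by side. The passwd content is constructed, the function names are my own, and treating an empty uid field as uid 0 is an assumption made to reproduce the reported root result.

```python
# Added example (not from the original report): audit an /etc/passwd-style
# file for the single-user NIS stub entries the report warns about, and
# model the lookup behaviour of the vulnerable and the patched getpwnam().
# The passwd content below is constructed sample data.

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1000:100:Alice:/home/alice:/bin/sh
+@staff::::::
+bob::::::
-mallory::::::
+::::::
"""

def parse_passwd(text):
    """Split passwd text into 7-field records; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            records.append(fields)
    return records

def nis_stub_usernames(records):
    """Return the '+username' / '-username' stub entries.

    A bare '+' and '+@netgroup' are the NIS directives the report says were
    already handled; only single-user stubs are flagged for removal."""
    flagged = []
    for f in records:
        name = f[0]
        if name[:1] in ("+", "-") and len(name) > 1 and name[1] != "@":
            flagged.append(name)
    return flagged

def lookup(name, records, patched):
    """Model getpwnam(): a literal match on the username field.

    With patched=True, names starting with '+' or '-' are refused up front,
    as the libc patch in the report does.  Assumption (not stated in the
    report): an empty uid field is modelled as uid 0, which is what makes a
    matched stub entry look like a password-less root account."""
    if patched and name[:1] in ("+", "-"):
        return None
    for f in records:
        if f[0] == name:
            uid = int(f[2]) if f[2] else 0
            return {"name": f[0], "passwd": f[1], "uid": uid}
    return None
```

Running nis_stub_usernames() over a real /etc/passwd gives the list of lines to delete on hosts that cannot yet be rebuilt with a fixed libc.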