SecurityTracker.com
Category:  Application (Security)  >  ChangePassword
Vendors:  changepassword.sourceforge.net
ChangePassword Lets Local Users Obtain Root Privileges
SecurityTracker Alert ID:  1012601
SecurityTracker URL:  http://securitytracker.com/id?1012601
CVE Reference:  CAN-2004-1263
Updated:  Dec 23 2004
Original Entry Date:  Dec 16 2004
Impact:  Execution of arbitrary code via local system, Root access via local system
Exploit Included:  Yes  
Version(s): 0.8
Description:  A vulnerability was reported in ChangePassword. A local user can obtain root privileges on the target system.

D. J. Bernstein reported that a local user can invoke 'changepassword.cgi' on UNIX-based systems to execute arbitrary commands with root privileges. The script is installed setuid root by default. The script does not validate or clear the environment variables it inherits from the caller, so a local user can set PATH to point to a specially crafted version of 'make' and then feed a POST request directly to the application via environment variables (rather than via HTTP), causing the script to run that 'make' with root privileges. A demonstration exploit request is provided [where 'u' is the username and 'p' is the password]:

form_user=u&form_pw=p&form_new1=x&form_new2=x&


Ariel Berkman is credited with discovering this flaw.

Impact:  A local user can execute arbitrary programs with root privileges.
Solution:  No solution was available at the time of this entry.
Vendor URL:  changepassword.sourceforge.net/
Cause:  Authentication error, Input validation error
Underlying OS:  UNIX (Any)
Reported By:  "D. J. Bernstein" <djb@cr.yp.to>
Message History:   None.


 Source Message Contents

Date:  15 Dec 2004 08:27:47 -0000
From:  "D. J. Bernstein" <djb@cr.yp.to>
Subject:  [local] [control] ChangePassword 0.8 runs setuid shell


Ariel Berkman, a student in my Fall 2004 UNIX Security Holes course,
has discovered a locally exploitable security hole in ChangePassword, a
YP/Samba/Squid password-changing tool. I'm publishing this notice, but
all the discovery credits should be assigned to Berkman.

If changepassword.cgi is installed on a multiuser computer, any user
with an account on the computer can seize control of the computer. He
can read and modify every user's files, watch all programs running, etc.
(The attack doesn't work on Linux systems where /bin/sh drops setuid,
but changepassword.cgi itself doesn't work on those systems.)

Here's the bug: Line 317 of changepassword.c, without cleaning its
environment in any way, calls system("cd /var/yp && make &> /dev/null");
the Makefile arranges for changepassword.cgi to be setuid root (mode
4755). A user can set $PATH to point to his own make program, set
$CONTENT_LENGTH to 512, set $REQUEST_METHOD to POST, and feed

   form_user=u&form_pw=p&form_new1=x&form_new2=x&

to changepassword.cgi, where u is his username and p is his password.
The user's make program then runs with root privileges.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago

P.S. Berkman comments that there are several buffer overflows in main(),
but that exploiting these buffer overflows isn't trivial since main()
never returns.
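The hardening that both the advisory summary and Bernstein's message point to, as an added example that is not part of the original advisory or of ChangePassword's own code: a setuid program should not call system() with the environment it inherited, but should fork and execve() the helper by absolute path with a fixed, minimal environment. The function name, the safe PATH value and the treatment of the working directory as a parameter are assumptions made for this example.

```c
/* Added example (not ChangePassword code): run a helper from a setuid
 * program with a clean, fixed environment so that $PATH, $IFS, LD_* and
 * anything else inherited from the invoking user cannot influence it. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* The only environment the child ever sees: a fixed PATH of trusted
 * system directories (assumed value), nothing inherited from the caller. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Fork and execve() 'argv' (argv[0] must be an absolute path) inside
 * directory 'dir' with SAFE_ENV. Returns the child's exit status, or -1
 * if the program name is relative or fork/chdir/exec failed. Unlike
 * system("cd dir && make ..."), no shell is involved, so neither the
 * caller's $PATH nor its $IFS can decide which binary runs. */
int run_with_clean_env(const char *dir, char *const argv[])
{
    if (argv == NULL || argv[0] == NULL || argv[0][0] != '/')
        return -1;                       /* refuse relative program names */

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {                      /* child */
        if (chdir(dir) != 0)
            _exit(127);
        execve(argv[0], argv, SAFE_ENV); /* explicit envp, not environ */
        _exit(127);                      /* only reached if exec failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Even with the environment fixed, the helper still runs with the caller's privileges, so the program's own input handling remains part of the attack surface.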

Copyright 2004, SecurityGlobal.net LLC