Format string vulnerability in libutil pw_error(3) function

CERT VU:369427
Date: 2000-11-07
Source: www.kb.cert.org

CVSS2: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)

Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0 (Percentile: 0.4%)

Overview

There is an input validation vulnerability in the OpenBSD libutil system library that allows local users to gain superuser access via the chpass utility.

Description

On June 30, 2000, the OpenBSD development team repaired an input validation vulnerability in the pw_error function of the OpenBSD 2.7 libutil library.

It was later discovered that when this function is called by the setuid program /usr/bin/chpass on unpatched systems, it is possible for users to obtain superuser access.


Impact

Attackers with an account on affected systems can obtain superuser access via the chpass utility.


Solution

Apply a patch from your vendor.
See the vendors section of this document for further information from your vendor.


The CERT/CC recommends that vulnerable users protect their systems by removing the SUID bit on chpass.
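
The workaround above as a script, added here as an example (not part of the CERT/CC note or any vendor advisory): it checks for the setuid bit, clears it, and verifies the result. The function name `drop_setuid` and the `--apply` switch are assumptions of this example; `/usr/bin/chpass` is the path named in the description.

```shell
#!/bin/sh
# Added example: apply the CERT/CC workaround (clear the setuid bit) and verify it.
# drop_setuid and --apply are hypothetical names; /usr/bin/chpass is from the advisory.

# drop_setuid PATH
#   returns 0 if PATH ends up without the setuid bit,
#   1 if PATH is missing or not a regular file,
#   2 if the bit could not be cleared.
drop_setuid() {
    target=$1
    if [ ! -f "$target" ]; then
        echo "skip: $target is not a regular file" >&2
        return 1
    fi
    if [ ! -u "$target" ]; then
        echo "ok: $target has no setuid bit"
        return 0
    fi
    echo "found setuid bit:"
    ls -l "$target"
    # Mode bits belong to the inode, so any hard-linked names of the
    # same binary lose the bit as well.
    chmod u-s "$target" || return 2
    if [ -u "$target" ]; then
        echo "fail: setuid bit still set on $target" >&2
        return 2
    fi
    echo "cleared:"
    ls -l "$target"
    return 0
}

# As root on an affected host:  sh drop_setuid.sh --apply [PATH]
if [ "${1:-}" = "--apply" ]; then
    drop_setuid "${2:-/usr/bin/chpass}"
fi
```

With the bit cleared, unprivileged users can no longer change their own account information through chpass until the vendor patch is installed and the bit is restored.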


Vendor Information


FreeBSD - Affected

Notified: October 24, 2000 Updated: October 31, 2000

Status

Affected

Vendor Statement

FreeBSD was also vulnerable to this problem since the affected code has a common ancestor. Like OpenBSD, we fixed the problem during security auditing in 2000/07, but did not realise it to be a security vulnerability since the function is not part of a library on FreeBSD, but the source code file containing the function is included directly in the affected setuid programs. FreeBSD 3.5.1 and 4.0 are the most recent affected versions - 4.1 and 4.1.1 are unaffected.

An advisory is under preparation and will likely be released on 2000/10/30.

Kris

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23369427 Feedback>).

NetBSD - Affected

Notified: October 24, 2000 Updated: October 27, 2000

Status

Affected

Vendor Statement

NetBSD-1.4.2 and prior releases are vulnerable; the forthcoming 1.4.3 and 1.5 releases will have this problem fixed. We will be issuing an advisory (similar to the OpenBSD advisory) in the next day or two, with a patch included.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


OpenBSD - Affected

Notified: October 24, 2000 Updated: November 17, 2000

Status

Affected

Vendor Statement

From the OpenBSD Security Advisory:

"This vulnerability affects OpenBSD versions through 2.7. FreeBSD 4.0 is vulnerable, but patches have been backported, and FreeBSD versions 4.1 and 4.1.1 are safe. Bill Sommerfield committed a fix to NetBSD today shortly after we notified him of the problem.

OpenBSD users running -current (2.8-beta) with a system dated July 1st or thereafter are safe."

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

OpenBSD has provided a patch for this vulnerability at:

<http://www.openbsd.org/errata.html> (025).


Apple - Not Affected

Notified: October 24, 2000 Updated: October 27, 2000

Status

Not Affected

Vendor Statement

This notification is in regards to CERT Advisory “Input validation vulnerability in OpenBSD libutil library” (VU#369427).

Mac OS X is not vulnerable to the input validation vulnerability in the OpenBSD libutil library.

--
Eric Zelenka
[email protected]
Apple Computer, Inc.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


BSDI - Not Affected

Notified: October 24, 2000 Updated: October 27, 2000

Status

Not Affected

Vendor Statement

No versions of BSD/OS are vulnerable to this problem.

-Jeff Polk, BSDI

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Compaq Computer Corporation - Not Affected

Notified: October 24, 2000 Updated: October 27, 2000

Status

Not Affected

Vendor Statement

SOURCE: © Copyright 2000 Compaq Computer Corporation. All rights reserved.

SOURCE: Compaq Computer Corporation

Compaq Services
Software Security Response Team USA
This reported problem is not present in Compaq Tru64/UNIX Operating Systems Software.

- Compaq Computer Corporation

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Fujitsu - Not Affected

Notified: October 23, 2000 Updated: January 20, 2001

Status

Not Affected

Vendor Statement

Fujitsu’s UXP/V is not vulnerable to this problem.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Hewlett Packard - Not Affected

Notified: October 24, 2000 Updated: January 03, 2001

Status

Not Affected

Vendor Statement

HP does not have a libutil and we don’t offer a command called chpass. (Any password changes are done via the command options or SAM). Further, we don’t support a function called pw_error.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.



Acknowledgements

This document was written by Jeffrey P. Lanza.

Other Information

CVE IDs: CVE-2000-0993
Severity Metric: 11.16
Date Public:
