OPIE -- arbitrary password change

ID E93BC5B0-BB2E-11DA-B2FB-000E0C2E438A
Type freebsd
Reporter FreeBSD
Modified 2006-06-09T00:00:00


Problem Description The opiepasswd(1) program uses getlogin(2) to identify the user calling opiepasswd(1). In some circumstances getlogin(2) will return "root" even when running as an unprivileged user. This causes opiepasswd(1) to allow an unpriviled user to configure OPIE authentication for the root user. Impact In certain cases an attacker able to run commands as a non privileged users which have not explicitly logged in, for example CGI scripts run by a web server, is able to configure OPIE access for the root user. If the attacker is able to authenticate as root using OPIE authentication, for example if "PermitRootLogin" is set to "yes" in sshd_config or the attacker has access to a local user in the "wheel" group, the attacker can gain root privileges. Workaround Disable OPIE authentication in PAM:

sed -i "" -e /opie/s/^/#/ /etc/pam.d/*

or Remove the setuid bit from opiepasswd:

chflags noschg /usr/bin/opiepasswd

chmod 555 /usr/bin/opiepasswd

chflags schg /usr/bin/opiepasswd