util-linux setpwnam.c Open File Descriptor Race

2002-07-29T14:51:00
ID OSVDB:5164
Type osvdb
Reporter Michal Zalewski(lcamtuf@coredump.cx)
Modified 2002-07-29T14:51:00

Description

Vulnerability Description

The util-linux utilities contain a flaw that may allow a malicious user to gain elevated privileges. The race condition can be triggered if the attacker is able to successfully execute a complex attack sequence using /usr/bin/chfn or /usr/bin/chsh. The attack requires that the system administrator interact with the system: specifically, the administrator needs to remove /etc/ptmp before the attacker can complete the attack. The flaw, if exploited successfully, allows the attacker to create new entries in /etc/passwd.

Solution Description

Update to version 2.11u or later, or apply the following patch to the sources:

--- util-linux-2.11n-old/login-utils/setpwnam.c Mon Jul 31 08:50:39 2000 +++ util-linux-2.11n/login-utils/setpwnam.c Wed Jun 12 21:37:12 2002 @@ -98,7 +98,8 @@ / sanity check / for (x = 0; x < 3; x++) { if (x > 0) sleep(1); - fd = open(PTMPTMP_FILE, O_WRONLY|O_CREAT, 0644); + // Never share the temporary file. + fd = open(PTMPTMP_FILE, O_WRONLY|O_CREAT|O_EXCL, 0644); if (fd == -1) { umask(oldumask); return -1;
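Review bot: with O_EXCL added, an open() that fails because PTMPTMP_FILE already exists (EEXIST) now falls straight into the unchanged `if (fd == -1) { umask(oldumask); return -1;` and leaves the function on the first iteration, so the three-attempt `sleep(1)` retry loop never gets to wait out a concurrent chfn/chsh that is legitimately holding the temporary file; consider checking `errno == EEXIST` and continuing the loop before treating the failure as fatal. Also, `// Never share the temporary file.` is a C99-style comment in a file that otherwise uses `/* ... */` (see the `sanity check` comment just above); match the existing style, and say what sharing would mean (reusing a file or link that another process left at that path) so the reason for O_EXCL survives the next edit.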

A workaround for this flaw is to remove the setuid flags from /usr/bin/chfn and /usr/bin/chsh.
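The following is an added example, not util-linux code, showing the property the patch relies on: open() with O_CREAT alone happily reuses whatever already exists at the temporary-file path (a stale file, or a symlink that it then follows), while O_CREAT|O_EXCL refuses with EEXIST in both cases. The /tmp paths are constructed stand-ins for /etc/ptmp.

```c
/* Added example, not util-linux code: why creating a lock/temp file such as
 * /etc/ptmp with O_CREAT alone is racy, and how O_EXCL closes the race. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
/* Create the lock file. With exclusive != 0, O_EXCL makes open() fail with
 * EEXIST if anything already sits at 'path' (a symlink included). */
static int create_lockfile(const char *path, int exclusive)
{
    int flags = O_WRONLY | O_CREAT | (exclusive ? O_EXCL : 0);
    return open(path, flags, 0644);
}

/* Leave something at 'path' first, as a concurrent process could, then try
 * to create the lock file there.  kind 0: stale regular file; kind 1: a
 * symlink to another file.  Returns 1 if the pre-existing entry was accepted
 * (the defect), 0 if open() refused it with EEXIST, -1 on another error. */
static int accepts_preexisting(const char *path, int kind, int exclusive)
{
    const char *target = "/tmp/ptmp.example.target";  /* constructed path */
    int f, fd, rc = -1;
    unlink(path); unlink(target);
    if ((f = open(target, O_WRONLY | O_CREAT, 0644)) == -1)
        return -1;
    close(f);
    if (kind == 0) {
        if ((f = open(path, O_WRONLY | O_CREAT, 0644)) == -1)
            return -1;
        close(f);
    } else if (symlink(target, path) == -1) {
        return -1;
    }
    fd = create_lockfile(path, exclusive);
    if (fd >= 0) { close(fd); rc = 1; }   /* reused the file or followed the link */
    else if (errno == EEXIST) rc = 0;     /* O_EXCL refused it */
    unlink(path); unlink(target);
    return rc;
}

int main(void)
{
    const char *p = "/tmp/ptmp.example";  /* constructed stand-in for /etc/ptmp */
    for (int kind = 0; kind < 2; kind++)
        for (int excl = 0; excl < 2; excl++)
            printf("%s, %s: %d\n", kind ? "symlink" : "stale file",
                   excl ? "O_CREAT|O_EXCL" : "O_CREAT only",
                   accepts_preexisting(p, kind, excl));
    return 0;
}
```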

Short Description

The util-linux utilities contain a flaw that may allow a malicious user to gain elevated privileges. The race condition can be triggered if the attacker is able to successfully execute a complex attack sequence using /usr/bin/chfn or /usr/bin/chsh. The attack requires that the system administrator interact with the system: specifically, the administrator needs to remove /etc/ptmp before the attacker can complete the attack. The flaw, if exploited successfully, allows the attacker to create new entries in /etc/passwd.

References:

Vendor URL: http://freshmeat.net/projects/util-linux/
Vendor Specific Advisory URL
Secunia Advisory ID: 7104
Secunia Advisory ID: 7413
RedHat RHSA: RHSA-2002:137
Other Advisory URL: http://www.securityfocus.com/archive/1/284866
ISS X-Force ID: 9709
CVE-2002-0638
CERT VU: 405955
Bugtraq ID: 5344