BSD on VAX passwd Lockfile File Size Limit Local DoS

1986-06-26T00:00:00
ID OSVDB:634
Type osvdb
Reporter Andrew Findlay
Modified 1986-06-26T00:00:00

Description

Vulnerability Description

BSD contains a flaw that may allow a local denial of service. The issue is triggered when a malicious user limits file sizes to 1k before running passwd. The passwd program copies data from /etc/passwd into the lock file /etc/ptmp. Once the first 1k of data has been copied, passwd dies and the lock file remains, resulting in a loss of availability for changing passwords.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: copy the code from chsh or chfn that sets the CPU time and filesize limits to infinity and recompile the passwd binary.
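
The workaround above, sketched with the POSIX getrlimit/setrlimit interface. This is an added example, not the chsh, chfn or passwd source; the function names and the temporary file path are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

/* Lift one limit. A privileged (setuid-root) caller may set soft and hard
 * limits to infinity; otherwise fall back to soft = hard. 0 on success. */
static int lift_limit(int resource)
{
    struct rlimit rl = { RLIM_INFINITY, RLIM_INFINITY };
    if (setrlimit(resource, &rl) == 0)
        return 0;
    if (errno != EPERM || getrlimit(resource, &rl) != 0)
        return -1;
    rl.rlim_cur = rl.rlim_max;
    return setrlimit(resource, &rl);
}

/* Call first in main(), before the lock file is created. */
int reset_inherited_limits(void)
{
    return (lift_limit(RLIMIT_CPU) == 0 && lift_limit(RLIMIT_FSIZE) == 0) ? 0 : -1;
}

/* Constructed check: impose the caller's 1 KB soft limit on ourselves, apply
 * the reset, then write nbytes to path. Returns bytes written, or -1. */
long write_after_reset(const char *path, size_t nbytes)
{
    struct rlimit rl;
    char buf[256];
    size_t done;
    ssize_t n;
    int fd;
    if (getrlimit(RLIMIT_FSIZE, &rl) != 0) return -1;
    rl.rlim_cur = 1024;
    if (setrlimit(RLIMIT_FSIZE, &rl) != 0) return -1;
    if (reset_inherited_limits() != 0) return -1;
    if ((fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600)) < 0) return -1;
    memset(buf, 'x', sizeof buf);
    for (done = 0; done < nbytes; done += (size_t)n) {
        size_t want = nbytes - done < sizeof buf ? nbytes - done : sizeof buf;
        if ((n = write(fd, buf, want)) <= 0) break;
    }
    close(fd);
    unlink(path);
    return (long)done;
}

int main(void) { return write_after_reset("/tmp/ptmp_demo.tmp", 4096) == 4096 ? 0 : 1; }
```

Without the reset, the write that crosses the 1 KB limit would fail or terminate the process on a file size signal, leaving the partially written file in place.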

Manual Testing Notes

> limit filesize 1
> passwd

References:

Mail List Post: http://securitydigest.org/unix/archive/024