OpenBSD chpass/chfn/chsh file content leak

2007.10.17
Credit: Marc Bevand
Risk: Low
Local: Yes
Remote: No
CWE: N/A


CVSS Base Score: 3.3/10
Impact Subscore: 4.9/10
Exploitability Subscore: 3.4/10
Exploit range: Local
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

"After" Security Advisory Title: OpenBSD chpass/chfn/chsh file content leak Affects: chpass/chfn/chsh from OpenBSD (from 2.0 to 3.2) Advisory ID: ASA-0001 Release Date: 2003-02-03 Author: Marc Bevand <bevand_m (at) epita.fr> URL: http://www.epita.fr/~bevand_m/asa/asa-0001 --oOo-- 0. Table of Contents 0. Table of Contents 1. Introduction 2. Problem 3. Solution 4. Conclusion 5. References 6. Attached files --oOo-- 1. Introduction OpenBSD [1] provides a setuid-root tool, chpass(1) (or chfn, or chsh, which are hard links to the same binary file), that allows editing of the user database information. This tool can be exploited to partially display the content of any file. But to make this happen, the content of the file has to match a very particular format, making the vulnerability practically useless in real-world situations. --oOo-- 2. Problem chpass writes user database information in a temporary file, and supplies it to an editor for changes. While the editor is running, the user can suspend it (^Z), replace the temporary file by a hard link to any file, resume the editor in the foreground, quit it without saving the file, and let chpass process the file for further operations. At this point, chpass will open the file (with root permissions since it is setuid-root), read it line by line and for each of them: - if it is longer than 2048 bytes, abort the reading - if it begins by '#', ignore it - else check the validity of the line Many conditions have to be respected to make a line valid, I will not list them here, they are too many. If the line is valid, chpass processes the next one. Else, if it is invalid and if it begins by "shell:" (whatever the case is) and if the rest of the line contains only printable characters (according to isprint(3)) and if none of them is ':' or ' ', the rest of the line is displayed in an error message. Here is a concrete example, create a file as root: # echo "shell: secret_data" >/tmp/sec # chmod 600 /tmp/sec Then run chpass under ordinary user privileges (lets say that the temporary filename you are editing is ``/var/tmp/pw.Loi22925''): $ chpass # ^Z in the editor [1]+ Stopped chpass $ rm /var/tmp/pw.Loi22925 $ ln /tmp/sec /var/tmp/pw.Loi22925 $ fg # then quit the editor chpass chpass: secret_data: non-standard shell ^^^^^^^^^^^ The string "secret_data" is contained in a file owned by root and readable only by root, but is displayed in this error message. FreeBSD and NetBSD implementations of chpass have been checked. They are not vulnerable since the temporary file is created in the directory ``/etc''. --oOo-- 3. Solution OpenBSD maintainers have been contacted on 2003-02-02 about this issue. The same day, a fix has been committed to the cvs (see the attached file ``asa-0001.openbsd-chpass.cvs-diff''). The new code solves the problem by requiring that the link count be one. --oOo-- 4. Conclusion A fix has been applied to OpenBSD-current. The attached file ``asa-0001.openbsd-chpass.cvs-diff'' contains the related cvs diff. --oOo-- 5. References [1] OpenBSD http://www.openbsd.org --oOo-- 6. Attached files The following file is also available at: http://www.epita.fr/~bevand_m/asa/asa-0001.openbsd-chpass.cvs-diff ---8<-------------- asa-0001.openbsd-chpass.cvs-diff ----------------- Index: edit.c =================================================================== RCS file: /cvs/src/usr.bin/chpass/edit.c,v retrieving revision 1.23 diff -u -r1.23 edit.c --- edit.c 31 Jul 2002 22:08:42 -0000 1.23 +++ edit.c 2 Feb 2003 18:34:02 -0000 @@ -48,6 +48,7 @@ #include <ctype.h> #include <err.h> #include <errno.h> +#include <fcntl.h> #include <paths.h> #include <pwd.h> #include <stdio.h> @@ -152,12 +153,14 @@ char *p, *q; ENTRY *ep; FILE *fp; + int fd; - if (!(fp = fopen(tempname, "r"))) + if ((fd = open(tempname, O_RDONLY|O_NOFOLLOW)) == -1 || + (fp = fdopen(fd, "r")) == NULL) pw_error(tempname, 1, 1); - if (fstat(fileno(fp), &sb)) + if (fstat(fd, &sb)) pw_error(tempname, 1, 1); - if (sb.st_size == 0) { + if (sb.st_size == 0 || sb.st_nlink != 1) { warnx("corrupted temporary file"); goto bad; } ---8<-------------- asa-0001.openbsd-chpass.cvs-diff ----------------- -- Marc Bevand http://www.epita.fr/~bevand_m Computer Science School EPITA - System, Network and Security Dept.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top