diff options
Diffstat (limited to 'share/security/advisories/FreeBSD-SA-00:58.chpass.asc')
-rw-r--r-- | share/security/advisories/FreeBSD-SA-00:58.chpass.asc | 111 |
1 files changed, 0 insertions, 111 deletions
diff --git a/share/security/advisories/FreeBSD-SA-00:58.chpass.asc b/share/security/advisories/FreeBSD-SA-00:58.chpass.asc deleted file mode 100644 index a30972e547..0000000000 --- a/share/security/advisories/FreeBSD-SA-00:58.chpass.asc +++ /dev/null @@ -1,111 +0,0 @@ ------BEGIN PGP SIGNED MESSAGE----- - -============================================================================= -FreeBSD-SA-00:58 Security Advisory - FreeBSD, Inc. - -Topic: chpass family contains local root vulnerability - -Category: core -Module: chfn/chpass/chsh/ypchfn/ypchpass/ypchsh/passwd -Announced: 2000-10-30 -Credits: Problem fixed during internal auditing. - Vulnerability pointed out by: caddis <caddis@DISSENSION.NET> -Affects: FreeBSD 3.x (all releases), FreeBSD 4.0-RELEASE, - FreeBSD 4.0-STABLE prior to the correction date -Corrected: 2000/07/20 (FreeBSD 4.0-STABLE) - 2000/10/04 (FreeBSD 3.5.1-STABLE) -FreeBSD only: NO - -I. Background - -ch{fn,pass,sh} are utilities for changing user "finger" information, -passwords, and login shell, respectively. The yp* variants perform the -analogous changes on a NIS account. - -II. Problem Description - -A "format string vulnerability" was discovered in code used by the -vipw utility during an internal FreeBSD code audit in July 2000. The -vipw utility does not run with increased privileges and so it was -believed at the time that it did not represent a security -vulnerability. However it was not realised that this code is also -shared with other utilities -- namely chfn, chpass, chsh, ypchfn, -ypchpass, ypchsh and passwd -- which do in fact run setuid root. - -Therefore, the problem may be exploited by unprivileged local users to -gain root access to the local machine. - -All versions of FreeBSD prior to the correction date including 4.0 and -3.5.1 are vulnerable to this problem, but it was fixed in the 4.x -branch prior to the release of FreeBSD 4.1. - -III. Impact - -Local users can obtain root privileges on the local machine. - -IV. Workaround - -Remove the setuid bit on the following utilities. This has the -side-effect that non-root users cannot change their finger -information, passwords, or login shells. - -# chflags noschg /usr/bin/chfn /usr/bin/chpass /usr/bin/chsh -# chmod u-s /usr/bin/chfn /usr/bin/chpass /usr/bin/chsh -# chflags noschg /usr/bin/ypchfn /usr/bin/ypchpass /usr/bin/ypchsh -# chmod u-s /usr/bin/ypchfn /usr/bin/ypchpass /usr/bin/ypchsh -# chflags noschg /usr/bin/passwd -# chmod u-s /usr/bin/passwd - -V. Solution - -One of the following: - -1) Upgrade your vulnerable FreeBSD system to 4.1-RELEASE, -4.1.1-RELEASE, 4.1.1-STABLE or 3.5.1-STABLE after the respective -correction dates. - -2) Apply the patch below and recompile the respective files: - -Either save this advisory to a file, or download the patch and -detached PGP signature from the following locations, and verify the -signature using your PGP utility. - -ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:58/vipw.patch -ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:58/vipw.patch.asc - -Execute the following commands as root: - -# cd /usr/src/usr.sbin/vipw -# patch -p < /path/to/patch_or_advisory -# make depend && make all install -# cd /usr/src/usr.bin/chpass/ -# make depend && make all install -# cd /usr/src/usr.bin/passwd/ -# make depend && make all install - -Patch for vulnerable systems: - - --- pw_util.c 1999/08/28 01:20:31 1.17 - +++ pw_util.c 2000/07/12 00:49:40 1.18 - @@ -250,7 +250,7 @@ - extern int _use_yp; - #endif /* YP */ - if (err) - - warn(name); - + warn("%s", name); - #ifdef YP - if (_use_yp) - warnx("NIS information unchanged"); - - ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.0.4 (FreeBSD) -Comment: For info see http://www.gnupg.org - -iQCVAwUBOf3/FFUuHi5z0oilAQEAhAQApmUnWU8Se8V6rAsy98jJLBXp11mmCnaB -lVPve0SjOEhTjYVOfLEslDIPECP1WNrO3Ep/FiczhoTVrMBzWjh74XIGaiDbRxEy -UDWh/cQhAaEmy/KPwraoPas6T2lsJ9brBu5LycKQj/F2SMYCNQOQ3UK4rmXqmf+z -jAqmmerfaPo= -=YNNN ------END PGP SIGNATURE----- |