From: Trevor Linton
Subject: SunOS exploit.
On sunos, if you execute a clean bash shell then type, export USER="root"
then USER=$LOGNAME, then execute chsh root or chfn root you can change
the root information.
Why?
Well first off chsh and chfn are +s'ed. This is a bad idea in the first
Place, Second off chsh and chfn use the function getenv("USER") most
programs bother to use this instead of geteuid(); getenv("USER") reports
that the user is root (while geteuid(); would report the real userid) and
then since chsh and or chfn is +s'ed it'll change root's shell user
information or ANYONE on the system's information!
On the SunOS system i have i've been able to lock out ANYONES shell
using this exploit and locking out root's shell as well as changing
anyones NAME info in /etc/passwd etc.. etc.. any program that uses
getenv("USER") is vunerable (that's in bash). tcsh and some other
shells i remember don't allow USER and LOGNAME modifying. :\
Anyways here's a rough patch:
1) -s the programs that use getenv(); such as chsh and chfn
2) remove getenv() and replace it with geteuid();
3) possibly get the programmers of bash to fix it so USER and
LOGNAME can't be modified unless it's super-user.
I'm sure theres a way to get root from this exploit butta.. :) oh well.
=-=
From: "Christopher X. Candreva"
Subject: Re: SunOS exploit.
> On sunos, if you execute a clean bash shell then type, export USER="root"
> then USER=$LOGNAME, then execute chsh root or chfn root you can change
> the root information.
I was unable to duplicate this on SunOS 4.1.3, using bash 2.00.0(1)
/usr/bin/passwd (which chsh and chfn are links to) however are not
original, so possibly some security patch fixed this already.
=-=
From: Jeff Uphoff
Subject: Re: SunOS exploit.
TL> On sunos, if you execute a clean bash shell then type, export USER="root"
TL> then USER=$LOGNAME, then execute chsh root or chfn root you can change
TL> the root information.
TL> On the SunOS system i have [...]
What version(s) of SunOS?
I just tried this on an old 4.1.2 system I have and I could not
duplicate it.
|