COMMAND
/usr/tcb/bin/dxchpwd
SYSTEMS AFFECTED
DIGITAL UNIX (OSF/1) v3.x, possibly 4.x?
PROBLEM
dxchpwd is installed as part of the C2 security package. It can be
used to overwrite any file, or to create a file anywhere on the
system, causing a possible denial of service and possibly leading
to root access.
Background: dxchpwd is part of the C2 security package and is
setuid root. It's a GUI interface for users to change their
passwords.
Details: When dxchpwd is run, it creates a log file
/tmp/dxchpwd.log which is root owned and mode 600. If the log
file doesn't exist, /tmp/dxchpwd.log can be symlinked to any
existing file, or to a new file, anywhere on the system. New files
are created root owned, mode 600. Existing files retain their
permissions and ownership, but their contents are overwritten. If a
user then attempts to change a password, a message similar to the
following is written to the log file:
Unknown SIA Prompt: (* Permission denied.
*) rendition 6
In this case, if /.rhosts were symlinked to /tmp/dxchpwd.log,
then a host known as Unknown could possibly gain root access.
Example:
$ ls -l /usr/tcb/bin/dxchpwd
-rwsr-xr-x 1 root bin 49152 Jul 25 1995 /usr/tcb/bin/dxchpwd
$ ls -l /tmp/dxchpwd.log
/tmp/dxchpwd.log not found
$ export DISPLAY=:0 (or a remotehost)
$ ln -s /hackfile /tmp/dxchpwd.log
$ ls -l /hackfile
/hackfile not found
$ /usr/tcb/bin/dxchpwd
(The dxchpwd window will appear. Just enter root for username and
anything for the passwd. You'll get a permission denied message
and the window will close.)
$ ls -l /hackfile
-rw------- 1 root system 0 Nov 16 22:44 /hackfile
SOLUTION
Until a patch is available, make sure /tmp/dxchpwd.log exists as a
regular file, owned by root and mode 600. The setuid bit could of
course be removed, but then users couldn't use it to change their
passwords. There is a patch for this bug; contact your local DEC
support and they will provide it.
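The workaround above depends on the log file being a real file with the right owner and mode, and on nobody being able to plant a symlink in its place first. The following script is an added example (not part of the advisory and not DEC code) that checks exactly those properties for any fixed-name log file and pre-creates it with mode 600 when it is absent. The path and the expected owner are parameters chosen here; on a real Digital UNIX host the path would be /tmp/dxchpwd.log and the owner root, run by root.

```shell
#!/bin/sh
# Added example: verify and apply the advisory's workaround for a setuid
# program that opens a fixed-name log file in /tmp.
#
# check_log_hardening PATH OWNER
#   returns 0 only if PATH is a regular file (not a symlink), owned by
#   OWNER, with mode exactly 0600. OWNER is a parameter here; the
#   advisory's case is root.
check_log_hardening() {
    path=$1
    owner=$2
    # A symlink at the log path is the condition the advisory describes:
    # the setuid program would follow it and write through to the target.
    if [ -L "$path" ]; then
        echo "FAIL: $path is a symbolic link"
        return 1
    fi
    # A missing file means the path is still free to be linked.
    if [ ! -f "$path" ]; then
        echo "FAIL: $path does not exist"
        return 1
    fi
    # find -prune examines only the named path itself; -perm 600 is an
    # exact-mode match and -user checks the owning account (both POSIX).
    if [ -z "$(find "$path" -prune -type f -user "$owner" -perm 600 -print 2>/dev/null)" ]; then
        echo "FAIL: $path must be a regular file owned by $owner, mode 600"
        return 1
    fi
    echo "OK: $path is a regular file owned by $owner, mode 600"
    return 0
}

# precreate_log PATH
#   creates PATH as an empty file with mode 0600 (umask 077), so that the
#   setuid program later finds a real file and not a symlink. Refuses to
#   act if anything, including a dangling symlink, already occupies PATH.
precreate_log() {
    path=$1
    if [ -e "$path" ] || [ -L "$path" ]; then
        echo "refusing: $path already exists (or is a symlink)"
        return 1
    fi
    # umask 077 in a subshell so the new file is created 0600 without
    # changing the caller's umask.
    (umask 077 && : > "$path")
}

# Usage on a real system (as root):
#   check_log_hardening /tmp/dxchpwd.log root || precreate_log /tmp/dxchpwd.log
```

Because the check refuses symlinks outright and the pre-create step never follows an existing link, running these from a boot script closes the window in which the log path is unclaimed; the advisory's own fix (the DEC patch) should still be applied, since the workaround only stands until someone removes the file again.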