Description:
Unauthorized write access to the /etc directory using the chfn/chsh commands in FreeBSD
5.0-CURRENT.
Contributing factors:
In FreeBSD 5.0, it is possible to fill up the whole root partition by using the chfn/chsh
commands. Normally, users have quotas set up on the filesystems they are allowed to
write to, e.g. the home directory, /tmp, /var/tmp, etc.
Let's say a user has quotas set up this way:
% quota -u rado
Disk quotas for user rado (uid 1001):
Filesystem usage quota limit grace files quota limit grace
/home 66760 500000 550000 3481 0 0
/tmp 135193 260000 280000 5417 0 0
...
There's normally no need to set up quotas for other partitions (such as /, /usr, ...)
because ordinary users have no permission to write or change files in those
directories, e.g. in / or /etc.
Symptoms:
Our experience with the chsh/chfn commands shows that when a user changes his/her
finger information/shell, these commands invoke the vi editor with a temporary file stored
in /tmp. Imagine that a user has exceeded his/her quota limit for /tmp. Our ordinary
user did this by filling up the /tmp partition with many large files. The chfn/chsh commands
then stored their temporary files in the /etc directory with the given user's permissions,
e.g.:
% id happy
uid=2006(happy) gid=58(st1999) groups=58(st1999)
% quota -u happy
...
/tmp 21995* 20000 22000 7days 6 0 0
...
(We can see that the disk quota is exceeded in /tmp for user happy.)
% ls -ld /etc
drwxr-xr-x 20 root wheel 22016 Aug 1 19:22 /etc
% ls -l /etc | grep happy
-rw------- 1 happy st1999 157278362 Aug 1 19:19 pw.BEMwxq
-rw------- 1 happy st1999 154 Aug 1 19:22 pw.KxGCF3
-rw------- 1 happy st1999 157278362 Aug 1 19:19 pw.iW7Pmt
-rw------- 1 happy st1999 157278362 Aug 1 19:20 pw.rhJq0s
-rw------- 1 happy st1999 157278374 Aug 1 19:16 pw.tpPLK4
Now it is possible for such a user to fill up the root partition without having write
permission on /, e.g. with
% cat /dev/zero >> /etc/pw.KxGCF3
Workaround:
Our workaround is to either set up quotas for the root partition or disable the chsh/chfn
commands.
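As an added example that is not part of the original post, here is a shell check from the administrator's side that flags the symptom shown above: pw.* temporary files in /etc that are not owned by root. It assumes the standard 9-column "ls -l" layout; the sample listing, modelled on the output above, and its root-owned pw.ROOTok entry are constructed.

```sh
#!/bin/sh
# Added example, not from the original post: flag chpass/chfn/chsh temporary
# files (pw.XXXXXX) that are not owned by root in an "ls -l" listing.
# Assumes the usual 9-column layout: mode links owner group size month day time name.

# Constructed sample listing modelled on the post's "ls -l /etc" output, plus
# one root-owned pw.* file and one directory that must NOT be flagged.
SAMPLE_LISTING='total 44
drwxr-xr-x   2 root   wheel        512 Aug  1 19:22 rc.d
-rw-------   1 happy  st1999 157278362 Aug  1 19:19 pw.BEMwxq
-rw-------   1 happy  st1999       154 Aug  1 19:22 pw.KxGCF3
-rw-------   1 happy  st1999 157278362 Aug  1 19:19 pw.iW7Pmt
-rw-------   1 happy  st1999 157278362 Aug  1 19:20 pw.rhJq0s
-rw-------   1 happy  st1999 157278374 Aug  1 19:16 pw.tpPLK4
-rw-------   1 root   wheel        154 Aug  1 19:22 pw.ROOTok'

# flag_stray_pwfiles: read "ls -l" lines on stdin and print "owner size name"
# for every pw.* entry whose owner is not root. Sizes close to the free space
# of / are the "fill up the root partition" case described in the post.
flag_stray_pwfiles() {
    awk 'NF >= 9 && $9 ~ /^pw\./ && $3 != "root" { printf "%s %s %s\n", $3, $5, $9 }'
}

# audit_dir DIR: list stray pw.* files in DIR (default /etc). Returns 1 when
# any are found, so the check can run from cron and alert on non-zero exit.
audit_dir() {
    dir=${1:-/etc}
    stray=$(ls -l "$dir" 2>/dev/null | flag_stray_pwfiles)
    if [ -n "$stray" ]; then
        printf 'stray pw.* temp files in %s (not root-owned):\n%s\n' "$dir" "$stray"
        return 1
    fi
    return 0
}

# Stand-alone demo on the constructed listing: prints the five "happy" files.
printf '%s\n' "$SAMPLE_LISTING" | flag_stray_pwfiles
```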
Important Notices:
1. The chpass, ypchpass, ypchfn, and ypchsh commands also seem to be affected by the
symptoms described above because they are just hard links... :)
2. When experimenting with the chpass command, it caused a segmentation fault when used
with the -a argument because of a NULL pointer comparison in chpass.c, line 169
(no getpw*(3) library call is invoked!!!):
if ((pw->pw_fields & _PWF_SOURCE) == _PWF_NIS)
% id happy
uid=2006(happy) gid=58(st1999) groups=58(st1999)
% chpass -a qqqqq
Segmentation fault
chpass doesn't seem to be locally exploitable. Some changes to the source code are
needed for normal operation.
Credits:
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
--
--------------
bye
R.R.K.K.