From djb@cr.yp.to Wed Dec 15 14:22:35 2004
Date: 15 Dec 2004 08:27:47 -0000
From: D. J. Bernstein
To: securesoftware@list.cr.yp.to, vinicius@opentech.inf.br
Subject: [local] [control] ChangePassword 0.8 runs setuid shell

Ariel Berkman, a student in my Fall 2004 UNIX Security Holes course, has discovered a locally exploitable security hole in ChangePassword, a YP/Samba/Squid password-changing tool. I'm publishing this notice, but all the discovery credits should be assigned to Berkman.

If changepassword.cgi is installed on a multiuser computer, any user with an account on the computer can seize control of the computer. He can read and modify every user's files, watch all programs running, etc. (The attack doesn't work on Linux systems where /bin/sh drops setuid, but changepassword.cgi itself doesn't work on those systems.)

Here's the bug: Line 317 of changepassword.c, without cleaning its environment in any way, calls

   system("cd /var/yp && make &> /dev/null");

the Makefile arranges for changepassword.cgi to be setuid root (mode 4755). A user can set $PATH to point to his own make program, set $CONTENT_LENGTH to 512, set $REQUEST_METHOD to POST, and feed form_user=u&form_pw=p&form_new1=x&form_new2=x& to changepassword.cgi, where u is his username and p is his password. The user's make program then runs with root privileges.

---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago

P.S. Berkman comments that there are several buffer overflows in main(), but that exploiting these buffer overflows isn't trivial since main() never returns.
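As an added example, not code from the advisory or from ChangePassword: a hardened way for a setuid program to run make, replacing the unsanitized system() call quoted above. It execs an absolute path with a fixed envp instead of handing a command string to a shell that inherits the caller's $PATH. The make location /usr/bin/make and the function name are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed, minimal environment for the child (constructed here). Nothing from
 * the CGI caller's environment, in particular $PATH, is passed through. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };

/* Run `path` with `argv` in directory `dir` under clean_env, with stdout and
 * stderr sent to /dev/null as the original "&> /dev/null" intended.
 * Returns the child's exit status, 127 if it could not be executed, or -1
 * on fork/wait failure. Hypothetical replacement for
 *   system("cd /var/yp && make &> /dev/null");
 * which a caller would write as
 *   char *const make_argv[] = { "make", NULL };
 *   run_with_clean_env("/usr/bin/make", make_argv, "/var/yp");
 * (the path to make is an assumption; the advisory does not give it). */
int run_with_clean_env(const char *path, char *const argv[], const char *dir)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int devnull;
        if (chdir(dir) != 0)
            _exit(127);
        devnull = open("/dev/null", O_WRONLY);
        if (devnull >= 0) {
            dup2(devnull, STDOUT_FILENO);
            dup2(devnull, STDERR_FILENO);
            if (devnull > STDERR_FILENO)
                close(devnull);
        }
        /* Absolute path plus explicit envp: no PATH lookup, no inherited
         * variables, and no shell interpreting a command string. */
        execve(path, argv, clean_env);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```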