======================================================================= Network Associates, Inc. SECURITY ADVISORY #28 August 3, 1998 Vulnerability in OpenBSD 2.3 chpass(1) ======================================================================= SYNOPSIS Due to an implementation problem involving file descriptor leakage across processes, it is possible to exploit the "chpass" command to gain superuser privileges on OpenBSD 2.3. ======================================================================= AFFECTED SYSTEMS This vulnerability has been confirmed against OpenBSD 2.3 (and below). No other operating systems are currently known to be vulnerable to this problem. ======================================================================= DETAILS The "chpass" command allows unprivileged users to edit database information associated with their account. Chpass assembles a collection of information that can be edited in a file, allows the user to modify it with the editor of their choice, and then commits the modified information back to the password database. Chpass is an SUID program. It functions by creating a temporary copy of the password database, spawning an editor to display and modify user account information, and then committing the information into the temporary password file copy, which is then used to rebuild the password database. In OpenBSD 2.3, an implementation flaw causes the temporary password file copy to become accessible to the spawned editor process and its children. An attacker can use this access to modify the information in the temporary copy. The tainted copy is used to rebuild the password database, allowing the attacker to modify "root"'s account information and gain superuser access. ======================================================================= TECHNICAL DETAILS This problem exists due to file descriptor leakage between the "chpass" program, which is a security-critical SUID program, and the user's editor program. Because the file descriptor corresponding to the temporary password file copy is not closed after the editor is executed, the editor program (and its descendants) have write access to it. Unix programs spawn other programs by executing two system calls, fork() and execve(). The fork() system call creates a copy of the calling process, and the execve() call loads and runs an executable program into the new process. Because fork()'d copies of process maintain all the open file descriptors of their parents, care must be taken to ensure that sensitive files are closed before programs are executed in them. To simplify the task of ensuring that file descriptors aren't leaked to descendant processes, Unix systems support the "close-on-exec" flag, which, when applied to a file descriptor, forces the operating system to close the descriptor when the execve() system call is executed. OpenBSD 2.3 does not utilize this functionality to safeguard the password file copy. The password file copy is not meant to be written to before the user's editor closes. After the user is finished editing their account information, the original password file is copied over into the temporary file, overwriting its contents. Thus, attackers cannot simply write information into the temporary file with shell commands. There are two simple ways to work around this problem. First, an attacker can write a program which continually writes information to the beginning of the temporary file, overwriting the information copied in from the original password file. Secondly, an attacker can write information past the end of the original password file, allowing new accounts (with superuser privileges) to be created. ======================================================================= RESOLUTION This problem has been resolved in OpenBSD-current, and a source code patch is available at the OpenBSD website at: ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.3/common/chpass.patch The OpenBSD patch applies the close-on-exec flag to files opened by chpass(), preventing them from being accessible to the user's editor. ======================================================================= CREDITS Documentation and testing of this problem was conducted by Oliver Friedrichs at the security labs of Network Associates. Thanks to Theo de Raadt and the OpenBSD project for prompt attention to this problem. ======================================================================= ABOUT THE NETWORK ASSOCIATES SECURITY LABS The Security Labs at Network Associates hosts some of the most important research in computer security today. With over 27 published security advisories published in the last 2 years, the Network Associates security auditing teams have been responsible for the discovery of many of the Internet's most serious security flaws. This advisory represents our ongoing commitment to provide critical information to the security community. For more information about the Security Labs at Network Associates, see our website at http://www.nai.com or contact us at <seclabs@nai.com>. The Security Labs at Network Associates are a participating member of FIRST, the Forum for Incident Response Teams. For more information about FIRST, see http://www.first.org. ======================================================================= ABOUT OPENBSD OpenBSD is one of the industry's most secure operating systems. Based on the widely used and respected 4.4BSD Unix platform, OpenBSD is freely available and supports 9 different hardware platforms, including Intel i386 and DEC Alpha architectures. The security labs at Network Associates have been involved with OpenBSD's ongoing security audit, a ground-breaking computer security effort, since its inception. More information about OpenBSD can be obtained at the OpenBSD website, at http://www.openbsd.org. ======================================================================= NETWORK ASSOCIATES SECURITY LABS PGP KEY -----BEGIN PGP PUBLIC KEY BLOCK----- Version: PGP 5.5.5 mQGiBDXGgDsRBADVOnID6BtEhKlm2cNalho28YP0JAh+J4iRUIaiWshzI0tc0KPc fvs+0xYwiqjxmeHi2sdIEPQ7S+ltA3Dlp6/DFojWBr2XB9hfWy4uiKBUHqnsKYnB Gpkh6nIx7DIwn+u0PXMXbJCG3LYf8daiPVdzC2VFtbRvJL4wZc6NLQViFQCg/9uS DuH/0NE6mO8Cu4iVrUT5Wk8D/ArOpV5T5yIuXHZO1/ZBVeHccVVvHe8wHK4D9WUs FsB8fgYLNgdFMMjtam7QQSBY/P1KKBzaFqZhkfS4WVMAFEy94NHXG+KTCPhXkZzp OPPqwWqZgfvOg0Bm20O/GhzQkB6JfFJqcfR87Ej0+fcDKrTTxAELWHGS7c9Qdn6P bfwHA/4oLNwYrtgWNkjGcG018Pu2jKT7YuP9zBTMu28IBiWdPLGL9Wle4d5cdDVx Es4iVl8FMtxlgTWCgMnBLS4nyM3pCn1HF+8Gi+IVKUXWCkqt/rtBMsrOMfrOgEIu BWnTZcTR7kcWtH7xDFNyZ47U4pElLXwATVDty/FczAJnpeht2LQyTmV0d29yayBB c3NvY2lhdGVzIFNlY3VyaXR5IExhYnMgPHNlY2xhYnNAbmFpLmNvbT6JAEsEEBEC AAsFAjXGgDsECwMCAQAKCRCheCy6j9WBEtgDAKDpYMwQZP0Ipx7X0ivnTxxJkA/W vACg4LZv0lmWqmnd7XCe4OIJ05aT6hK5Ag0ENcaAOxAIAPZCV7cIfwgXcqK61qlC 8wXo+VMROU+28W65Szgg2gGnVqMU6Y9AVfPQB8bLQ6mUrfdMZIZJ+AyDvWXpF9Sh 01D49Vlf3HZSTz09jdvOmeFXklnN/biudE/F/Ha8g8VHMGHOfMlm/xX5u/2RXscB qtNbno2gpXI61Brwv0YAWCvl9Ij9WE5J280gtJ3kkQc2azNsOA1FHQ98iLMcfFst jvbzySPAQ/ClWxiNjrtVjLhdONM0/XwXV0OjHRhs3jMhLLUq/zzhsSlAGBGNfISn CnLWhsQDGcgHKXrKlQzZlp+r0ApQmwJG0wg9ZqRdQZ+cfL2JSyIZJrqrol7DVeky CzsAAgIH/RZcJoRkhCf9O4Er+rciBNG3QqM3tek23oxGuVwqRxtGlGKuf+YaUDIA vZhARftupZYJf/+AM9pyjjsF7ON/Df5oIXXhqzrDySw47dNB3I1FG7vwAUBRfYgG NRP+zvf1nld+FgAXag1DIQteXYPtoMUJP8ZgvbELYVdZS2TapOHUv7r4rOY+UUjl U+FkQPp9KCNreaNux4NxwT3tzXl1KqqkliC8sYxvMCkJ+JO71TKGplO9dXsf3O8p 2r33+LngmLs4O7inrUlmAUKq3jmCK50J7RsZjd6PlK/0JwcjFkOZeYrxTguZzCR4 QYmo8nEHqEMSKQci0VUf9KH4lHf6xmGJAEYEGBECAAYFAjXGgDsACgkQoXgsuo/V gRK5LACgoAqLFk10kAMu6xb3ftO4+INJs14Ani+1hujlYRxYphN97c5ci8WtILNZ =L3C6 -----END PGP PUBLIC KEY BLOCK-----