Network Associates Inc. Advisory (OpenBSD)

Security Research Labs (seclabs@NAI.COM)
Mon, 10 Aug 1998 12:24:25 -0700

=======================================================================

                        Network Associates, Inc.
                          SECURITY ADVISORY #28
                           August 3, 1998

                Vulnerability in OpenBSD 2.3 chpass(1)

=======================================================================

SYNOPSIS

Due to an implementation problem involving file descriptor leakage across
processes, it is possible to exploit the "chpass" command to gain
superuser privileges on OpenBSD 2.3.

=======================================================================

AFFECTED SYSTEMS

This vulnerability has been confirmed against OpenBSD 2.3 (and below). No
other operating systems are currently known to be vulnerable to this
problem.

=======================================================================

DETAILS

The "chpass" command allows unprivileged users to edit database
information associated with their account. Chpass assembles a collection
of information that can be edited in a file, allows the user to modify it
with the editor of their choice, and then commits the modified information
back to the password database.

Chpass is an SUID program. It functions by creating a temporary copy of
the password database, spawning an editor to display and modify user
account information, and then committing the information into the
temporary password file copy, which is then used to rebuild the password
database.

In OpenBSD 2.3, an implementation flaw causes the temporary password file
copy to become accessible to the spawned editor process and its children.
An attacker can use this access to modify the information in the temporary
copy. The tainted copy is used to rebuild the password database, allowing
the attacker to modify "root"'s account information and gain superuser
access.

=======================================================================

TECHNICAL DETAILS

This problem exists due to file descriptor leakage between the "chpass"
program, which is a security-critical SUID program, and the user's editor
program. Because the file descriptor corresponding to the temporary
password file copy is not closed after the editor is executed, the editor
program (and its descendants) have write access to it.

Unix programs spawn other programs by executing two system calls, fork()
and execve(). The fork() system call creates a copy of the calling
process, and the execve() call loads and runs an executable program into
the new process. Because fork()'d copies of process maintain all the open
file descriptors of their parents, care must be taken to ensure that
sensitive files are closed before programs are executed in them.

To simplify the task of ensuring that file descriptors aren't leaked to
descendant processes, Unix systems support the "close-on-exec" flag,
which, when applied to a file descriptor, forces the operating system to
close the descriptor when the execve() system call is executed. OpenBSD
2.3 does not utilize this functionality to safeguard the password file
copy.

The password file copy is not meant to be written to before the user's
editor closes. After the user is finished editing their account
information, the original password file is copied over into the temporary
file, overwriting its contents. Thus, attackers cannot simply write
information into the temporary file with shell commands.

There are two simple ways to work around this problem. First, an attacker
can write a program which continually writes information to the beginning
of the temporary file, overwriting the information copied in from the
original password file. Secondly, an attacker can write information past
the end of the original password file, allowing new accounts (with
superuser privileges) to be created.

=======================================================================

RESOLUTION

This problem has been resolved in OpenBSD-current, and a source code patch
is available at the OpenBSD website at:

        ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.3/common/chpass.patch

The OpenBSD patch applies the close-on-exec flag to files opened by
chpass(), preventing them from being accessible to the user's editor.

=======================================================================

CREDITS

Documentation and testing of this problem was conducted by Oliver
Friedrichs at the security labs of Network Associates. Thanks to Theo
de Raadt and the OpenBSD project for prompt attention to this problem.

=======================================================================

ABOUT THE NETWORK ASSOCIATES SECURITY LABS

The Security Labs at Network Associates hosts some of the most important
research in computer security today. With over 27 published security
advisories published in the last 2 years, the Network Associates security
auditing teams have been responsible for the discovery of many of the
Internet's most serious security flaws. This advisory represents our
ongoing commitment to provide critical information to the security
community.

For more information about the Security Labs at Network Associates,
see our website at http://www.nai.com or contact us at <seclabs@nai.com>.

The Security Labs at Network Associates are a participating member of
FIRST, the Forum for Incident Response Teams. For more information
about FIRST, see http://www.first.org.

=======================================================================

ABOUT OPENBSD

OpenBSD is one of the industry's most secure operating systems. Based
on the widely used and respected 4.4BSD Unix platform, OpenBSD is
freely available and supports 9 different hardware platforms, including
Intel i386 and DEC Alpha architectures. The security labs at Network
Associates have been involved with OpenBSD's ongoing security audit, a
ground-breaking computer security effort, since its inception.

More information about OpenBSD can be obtained at the OpenBSD website,
at http://www.openbsd.org.

=======================================================================

NETWORK ASSOCIATES SECURITY LABS PGP KEY

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP 5.5.5

mQGiBDXGgDsRBADVOnID6BtEhKlm2cNalho28YP0JAh+J4iRUIaiWshzI0tc0KPc
fvs+0xYwiqjxmeHi2sdIEPQ7S+ltA3Dlp6/DFojWBr2XB9hfWy4uiKBUHqnsKYnB
Gpkh6nIx7DIwn+u0PXMXbJCG3LYf8daiPVdzC2VFtbRvJL4wZc6NLQViFQCg/9uS
DuH/0NE6mO8Cu4iVrUT5Wk8D/ArOpV5T5yIuXHZO1/ZBVeHccVVvHe8wHK4D9WUs
FsB8fgYLNgdFMMjtam7QQSBY/P1KKBzaFqZhkfS4WVMAFEy94NHXG+KTCPhXkZzp
OPPqwWqZgfvOg0Bm20O/GhzQkB6JfFJqcfR87Ej0+fcDKrTTxAELWHGS7c9Qdn6P
bfwHA/4oLNwYrtgWNkjGcG018Pu2jKT7YuP9zBTMu28IBiWdPLGL9Wle4d5cdDVx
Es4iVl8FMtxlgTWCgMnBLS4nyM3pCn1HF+8Gi+IVKUXWCkqt/rtBMsrOMfrOgEIu
BWnTZcTR7kcWtH7xDFNyZ47U4pElLXwATVDty/FczAJnpeht2LQyTmV0d29yayBB
c3NvY2lhdGVzIFNlY3VyaXR5IExhYnMgPHNlY2xhYnNAbmFpLmNvbT6JAEsEEBEC
AAsFAjXGgDsECwMCAQAKCRCheCy6j9WBEtgDAKDpYMwQZP0Ipx7X0ivnTxxJkA/W
vACg4LZv0lmWqmnd7XCe4OIJ05aT6hK5Ag0ENcaAOxAIAPZCV7cIfwgXcqK61qlC
8wXo+VMROU+28W65Szgg2gGnVqMU6Y9AVfPQB8bLQ6mUrfdMZIZJ+AyDvWXpF9Sh
01D49Vlf3HZSTz09jdvOmeFXklnN/biudE/F/Ha8g8VHMGHOfMlm/xX5u/2RXscB
qtNbno2gpXI61Brwv0YAWCvl9Ij9WE5J280gtJ3kkQc2azNsOA1FHQ98iLMcfFst
jvbzySPAQ/ClWxiNjrtVjLhdONM0/XwXV0OjHRhs3jMhLLUq/zzhsSlAGBGNfISn
CnLWhsQDGcgHKXrKlQzZlp+r0ApQmwJG0wg9ZqRdQZ+cfL2JSyIZJrqrol7DVeky
CzsAAgIH/RZcJoRkhCf9O4Er+rciBNG3QqM3tek23oxGuVwqRxtGlGKuf+YaUDIA
vZhARftupZYJf/+AM9pyjjsF7ON/Df5oIXXhqzrDySw47dNB3I1FG7vwAUBRfYgG
NRP+zvf1nld+FgAXag1DIQteXYPtoMUJP8ZgvbELYVdZS2TapOHUv7r4rOY+UUjl
U+FkQPp9KCNreaNux4NxwT3tzXl1KqqkliC8sYxvMCkJ+JO71TKGplO9dXsf3O8p
2r33+LngmLs4O7inrUlmAUKq3jmCK50J7RsZjd6PlK/0JwcjFkOZeYrxTguZzCR4
QYmo8nEHqEMSKQci0VUf9KH4lHf6xmGJAEYEGBECAAYFAjXGgDsACgkQoXgsuo/V
gRK5LACgoAqLFk10kAMu6xb3ftO4+INJs14Ani+1hujlYRxYphN97c5ci8WtILNZ
=L3C6
-----END PGP PUBLIC KEY BLOCK-----