On Mon, Jul 29, 2002 at 10:51:50AM -0400, Michal Zalewski wrote:
> the administrator will most likely add "rm -f /etc/ptmp" or
> equivalent to his crontab
If he is smart, he will check whether the file is open (eg with
fuser) before removing it. So your attack does require an
administrator mistake.
However! There appears to be an attack that does not require any
administrator action.
> 1. /etc/ptmptmp file is opened with O_WRONLY|O_CREAT, 0644 perms
> 2. the file is linked to /etc/ptmp, exit on failure
> 3. /etc/ptmptmp is removed
>
> Later, the descriptor obtained in step 1 is used for writing to
> construct the new /etc/passwd contents. This is done line by line, by
> calling the fputs() routine. When the new file is ready, three more
> steps are taken:
>
> 4. /etc/passwd.OLD is removed
> 5. /etc/passwd is linked to /etc/passwd.OLD
> 6. /etc/ptmp is renamed to /etc/passwd
chfn 1 chfn 2 chfn 3
open /etc/ptmptmp open /etc/ptmptmp
link -> /etc/ptmp
rm /etc/ptmptmp
fputs() ...
mv -> /etc/passwd
At this point, chfn 2 has a fd open to /etc/passwd.
open /etc/ptmptmp
ln -> /etc/ptmp
rm /etc/ptmptmp
fputs() ...
chfn 2 is now scribbling over /etc/passwd, and may at some point
create an "improved" password entry.
This is based on what Michal wrote; I haven't tested it.
> step 3 ensures that no process will work on the hardlink of
> /etc/passwd after the procedure is completed.
If what Michal wrote is complete, it does not.
Andrew
