------------------------------------------------------------------------------------ DilAurDimag - Advisory #07 - 20/12/04 ------------------------------------------------------------------------------------ Program: ChangePassword, a YP/Samba/Squid password-changing tool Homepage: http://changepassword.sourceforge.net/ Operating System: Linux and Unix-Compatible Vulnerable Versions: changepassword-0.8 and prior Risk: High Impact: Locally Exploitable Vulnerability ------------------------------------------------------------------------------------ - DESCRIPTION ------------------------------------------------------------------------------------ ChangePassword, a YP/Samba/Squid password-changing tool Local vulnerability ------------------------------------------------------------------------------------ - DETAILS ------------------------------------------------------------------------------------ If changepassword.cgi is installed on a multiuser computer, any user with an account on the computer can seize control of the computer. He can read and modify every user's files, watch all programs running, etc. (The attack doesn't work on Linux systems where /bin/sh drops setuid, but changepassword.cgi itself doesn't work on those systems.) Here's the bug: Line 317 of changepassword.c, without cleaning its environment in any way, calls system("cd /var/yp && make &> /dev/null"); the Makefile arranges for changepassword.cgi to be setuid root (mode 4755). A user can set $PATH to point to his own make program, set $CONTENT_LENGTH to 512, set $REQUEST_METHOD to POST, and feed form_user=u&form_pw=p&form_new1=x&form_new2=x& to changepassword.cgi, where u is his username and p is his password. The user's make program then runs with root privileges. ------------------------------------------------------------------------------------ Greetz : moo security team, VoidBlank, r!sc ------------------------------------------------------------------------------------