Date: Wed, 5 Sep 2001 10:23:57 +0200 From: "Chojin" <freebsd@tarakan-network.com> To: <security-advisories@FreeBSD.ORG>, <freebsd-hackers@FreeBSD.ORG> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:59.rmuser Message-ID: <010e01c135e4$1ea267a0$0245a8c0@chojin> References: <200109041949.f84JnJs36681@freefall.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
When I apply the patch : [ /usr/src/usr.sbin/adduser]$patch -p < /home/chojin/patch/rmuser.patch Hmm... Looks like a unified diff to me... The text leading up to this was: -------------------------- |Index: rmuser.perl |=================================================================== |RCS file: /usr2/ncvs/src/usr.sbin/adduser/rmuser.perl,v |retrieving revision 1.8.2.4 |retrieving revision 1.8.2.5 |diff -u -r1.8.2.4 -r1.8.2.5 |--- rmuser.perl 2001/05/25 15:05:00 1.8.2.4 |+++ rmuser.perl 2001/07/28 12:10:15 1.8.2.5 -------------------------- Patching file rmuser.perl using Plan A... Hunk #1 failed at 42. Hunk #2 failed at 311. Hunk #3 failed at 340. Hunk #4 failed at 350. 4 out of 4 hunks failed--saving rejects to rmuser.perl.rej done ----- Original Message ----- From: "FreeBSD Security Advisories" <security-advisories@FreeBSD.ORG> To: "FreeBSD Security Advisories" <security-advisories@FreeBSD.ORG> Sent: Tuesday, September 04, 2001 9:49 PM Subject: FreeBSD Security Advisory FreeBSD-SA-01:59.rmuser > -----BEGIN PGP SIGNED MESSAGE----- > > ============================================================================ = > FreeBSD-SA-01:59 Security Advisory > FreeBSD, Inc. > > Topic: rmuser contains a race condition exposing /etc/master.passwd > > Category: core > Module: rmuser > Announced: 2001-09-04 > Credits: dynamo@harvard.net > Affects: FreeBSD 4.2-RELEASE, 4.3-RELEASE > FreeBSD 4.3-STABLE prior to the correction date. > Corrected: 2001-07-28 12:10:15 UTC (4.3-STABLE) > 2001-09-04 07:46:57 UTC (RELENG_4_3) > FreeBSD only: Yes > > I. Background > > rmuser is a perl script used to completely remove users from a system. > > II. Problem Description > > When removing a user from the system with the rmuser utility, the > /etc/master.passwd file and it's corresponding database /etc/spwd.db > must be updated. The rmuser script was incorrectly doing this by > creating a new master.passwd file with an unsafe umask and then using > chmod to set its permissions to 0600. Between the time that the file > was created and the time that its permissions were changed the file is > world-readable. > > This is only a minor security vulnerability since the rmuser command > is only used infrequently on most systems, and the attack is highly > timing-dependent. > > All versions of FreeBSD prior to the correction date including FreeBSD > 4.3 contain this problem. The base system that will ship with FreeBSD > 4.4 does not contain this problem since it was corrected prior to the > release. > > III. Impact > > For a brief amount of time while running rmuser, a world-readable copy > of /etc/master.passwd is available. A local attacker who reads this > file can extract password hashes from the copy of /etc/master.passwd. > This information could be used by attackers to escalate their > privileges, possibly yielding root privileges on the local system, by > mounting an offline dictionary attack in order to guess the plaintext > passwords of the accounts on the local system. > > IV. Workaround > > Use the pw(8) utility to remove users instead of rmuser. > > - "pw userdel <username>" will only remove the user from > /etc/passwd, /etc/master.passwd and /etc/group > - "pw -r userdel <username>" will also remove the user's home > dirrectory > > V. Solution > > 1) Upgrade your vulnerable system to 4.3-STABLE or the RELENG_4_3 > security branch, dated after the respective correction dates. > > 2) To patch your present system: download the relevant patch from the > below location, and execute the following commands as root: > > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:59/rmuser.patch > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:59/rmuser.patch.asc > > Verify the detached PGP signature using your PGP utility. > > This patch has been verified to apply to FreeBSD 4.2-RELEASE and > 4.3-RELEASE. It may or may not apply to older, unsupported releases > of FreeBSD. > > # cd /usr/src/usr.sbin/adduser > # patch -p < /path/to/patch > # make depend && make all install > > 3) FreeBSD 4.3-RELEASE systems: > > An experimental upgrade package is available for users who wish to > provide testing and feedback on the binary upgrade process. This > package may be installed on FreeBSD 4.3-RELEASE systems only, and is > intended for use on systems for which source patching is not practical > or convenient. > > If you use the upgrade package, feedback (positive or negative) to > security-officer@FreeBSD.org is requested so we can improve the > process for future advisories. > > During the installation procedure, backup copies are made of the files > which are replaced by the package. These backup copies will be > reinstalled if the package is removed, reverting the system to a > pre-patched state. > > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:59/security-patch-rmus er-01.59.tgz > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:59/security-patch-rmus er-01.59.tgz.asc > > Verify the detached PGP signature using your PGP utility. > > # pkg_add security-patch-rmuser-01.59.tgz > > VI. CVS Revisions > > The following $FreeBSD$ CVS revision contain the fixes for this > vulnerability. The $FreeBSD$ revision of installed sources can be > examined using the ident(1) command. These revision IDs are not > updated by applying the patch referenced above. > > [FreeBSD 4.3-STABLE] > > Revision Path > 1.8.2.5 src/usr.sbin/rmuser.perl > > [RELENG_4_3] > > Revision Path > 1.8.2.2.2.1 src/usr.sbin/rmuser.perl > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.6 (FreeBSD) > Comment: For info see http://www.gnupg.org > > iQCVAwUBO5SH1lUuHi5z0oilAQEWLAQAniPWZpgjNvhoT6ECltW4G9lKlsswDur9 > WMKkX2KEvZ9pswx3rqkn1IC+kBTfgdwwhU/54dyx1HKb2XJH5QdGpW/H/niTox4z > ImJjctZNvnEuB52si1+Ivx3avwgw57YjAsJgLcv+CYYW+iizX1zVFBjdce6PDQgI > pb50qM0sJYA= > =hxQ5 > -----END PGP SIGNATURE----- > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?010e01c135e4$1ea267a0$0245a8c0>