Sun (Solaris) passwd(1) Command Vulnerability (root exploit)
CIAC | March 2, 2004 | CIAC/Sun Microsystems
Posted on 03/05/2004 7:18:31 AM PST by general_re
O-088: Sun passwd(1) Command Vulnerability
[Sun Alert ID: 57454]
March 2, 2004 22:00 GMT
PROBLEM: The passwd command computes the hash of a password typed at run-time or the hash of each password in a list. A vulnerability exists in this command.
PLATFORM: Solaris 8, 9 (SPARC and x86 Platforms)
DAMAGE: A local unprivileged user may be able to gain unauthorized root privileges due to a security issue involving the passwd(1) command.
SOLUTION: Install the security patch.
VULNERABILITY ASSESSMENT: The risk is MEDIUM. A local unprivileged user may be able to gain unauthorized root privileges.
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/o-088.shtml
ORIGINAL BULLETIN: Sun Alert ID: 57454 http://www.sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57454&zone_32=category%3Asecurity
[***** Start Sun Alert ID: 57454 *****]
Sun(sm) Alert Notification Sun Alert ID: 57454
Synopsis: Security Vulnerability Involving the passwd(1) Command
Category: Security
Product: Solaris
BugIDs: 4793719
Avoidance: Patch
State: Resolved
Date Released: 26-Feb-2004
Date Closed: 26-Feb-2004
Date Modified:
1. Impact
A local unprivileged user may be able to gain unauthorized root privileges due to a security issue involving the passwd(1) command.
Sun acknowledges, with thanks, Tim Wort (Tim.Wort@InklingResearch.com) for contacting us regarding this issue.
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
Solaris 8 with patch 108993-14 through 108993-31 and without patch 108993-32
Solaris 9 without patch 113476-11
x86 Platform
Solaris 8 with patch 108994-14 through 108994-31 and without patch 108994-32
Solaris 9 without patch 114242-07
Note: Solaris 7 is not affected by this issue.
3. Symptoms
There are no reliable symptoms that would show the described issue has been exploited to gain unauthorized elevated privileges to a host.
4. Relief/Workaround
There is no workaround for this issue.
(Excerpt) Read more at ciac.org ...
TOPICS: Miscellaneous; News/Current Events; Technical
KEYWORDS: computersecurity; exploit; lowqualitycrap; root; security; solaris; sun
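As an added example (not part of the original post or of Sun's alert), the release and patch ranges under "Contributing Factors" can be turned into a check over `showrev -p` output. The function names, status labels and sample patch list are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a host against Sun Alert 57454 from `showrev -p` text.
# Patch IDs and revision ranges come from the alert's "Contributing Factors".

# highest_rev BASE: print the highest installed revision of patch BASE found
# on stdin, or -1 when no revision of that patch is listed.
highest_rev() {
    awk -v base="$1" '
        BEGIN { max = -1 }
        $1 == "Patch:" {
            split($2, id, "-")
            if (id[1] == base && id[2] + 0 > max) max = id[2] + 0
        }
        END { print max }'
}

# passwd_alert_status RELEASE ARCH: RELEASE as printed by `uname -r`,
# ARCH as printed by `uname -p`; `showrev -p` output is read from stdin.
# Prints one of: fixed, affected, not-affected, not-listed (hypothetical labels).
passwd_alert_status() {
    case "$1/$2" in
        5.8/sparc) base=108993; first=14; fixed=32 ;;
        5.8/i386)  base=108994; first=14; fixed=32 ;;
        5.9/sparc) base=113476; first=0;  fixed=11 ;;
        5.9/i386)  base=114242; first=0;  fixed=7  ;;
        *) echo "not-listed"; return 0 ;;
    esac
    rev=$(highest_rev "$base")
    if [ "$rev" -ge "$fixed" ]; then
        echo "fixed"
    elif [ "$first" -eq 0 ] || [ "$rev" -ge "$first" ]; then
        echo "affected"      # Solaris 9 below the fix, or Solaris 8 at -14..-31
    else
        echo "not-affected"  # Solaris 8 below revision -14 or patch absent
    fi
}

# Constructed sample in the `showrev -p` line format (not from a real host);
# 999999-01 is a placeholder ID for an unrelated patch.
SAMPLE='Patch: 999999-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 108993-18 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsl'

printf '%s\n' "$SAMPLE" | passwd_alert_status 5.8 sparc
# On a live system: showrev -p | passwd_alert_status "$(uname -r)" "$(uname -p)"
```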
To: general_re
Huh?
2 posted on 03/05/2004 7:20:03 AM PST by EggsAckley (..................IGNORE the trolls...................it drives them crazy)
To: EggsAckley
I guess you're not running a Sun box ;)
3 posted on 03/05/2004 7:20:48 AM PST by general_re (The doors to Heaven and Hell are adjacent and identical... - Nikos Kazantzakis)
To: general_re
"VULNERABILITY ASSESSMENT: The risk is MEDIUM. A local unprivileged user may be able to gain unauthorized root privileges."
This is MEDIUM ??
To: general_re

Thanks for posting this...I'll get right to work on the old girl....
To: EggsAckley
Let's put it in words even a 'rat can understand. passwd is the Unix command for changing passwords. If there's an exploit of passwd, that means a user can theoretically attain "root" status, which, to the non-Unix user, means you control the machine completely. 733t 4Ax0r d00dz getting root on your box is NOT a good thing. root has all the power of Administrator and System accounts on Windows, and more. . .
6 posted on 03/05/2004 7:29:07 AM PST by Salgak (don't mind me: the orbital mind control lasers are making me write this. . .)
To: An.American.Expatriate
I think they reserve "high" for exploits that can be done remotely. In and of itself, this one can't be done non-locally - you'd need a second hole in a second program, one that accepts remote input, to be able to exploit it remotely.
7 posted on 03/05/2004 7:29:47 AM PST by general_re (The doors to Heaven and Hell are adjacent and identical... - Nikos Kazantzakis)
To: general_re
Bump
8 posted on 03/05/2004 7:31:20 AM PST by Fiddlstix (Tag Lines Repaired While You Wait! Reasonable Prices! Fast Service!)
To: general_re
Anyone with a Mac OSX disk can reset the password on any Mac.
9 posted on 03/05/2004 7:35:10 AM PST by js1138
To: general_re
Sounds like this could be series, very series.....
10 posted on 03/05/2004 7:35:42 AM PST by blastdad51 (Proud father of an Enduring Freedom vet, and friend of a soldier lost in Afghanistan)
To: general_re
If and when MS is no longer running the vast majority of machines, this sort of vulnerability report will become more and more common. The vulnerabilities already exist, of course, it's just that few hackers are spending any effort to find them; and, when hackers do cause problems on something like a Sun system, the pool of people affected is small and isolated, so it never makes the news.
I'm often amused by how the anti-MS crowd reacts in cases like this -- they greet each security hole as yet further proof of Bill Gates's incompetence (and evilness). Their jihadist glee is actually fun to observe....
11 posted on 03/05/2004 7:38:30 AM PST by r9etb
To: js1138
What do you do, boot from the CD and get prompted for a new password?
12 posted on 03/05/2004 7:39:00 AM PST by general_re (The doors to Heaven and Hell are adjacent and identical... - Nikos Kazantzakis)
To: js1138
"Anyone with a Mac OSX disk can reset the password on any Mac."
I can do it on Windows too. In common running situations, there is no way of keeping someone with physical access from owning a computer.
To: r9etb
"I'm often amused by how the anti-MS crowd reacts in cases like this -- they greet each security hole as yet further proof of Bill Gates's incompetence"
It's just that a lot of Windows security holes are wide-open remote exploits, while *NIX ones tend to be local exploits. I'd expect the number of Windows remote exploits to go down after XP SP2 if Microsoft's rewritten the RPC system as much as it said it has. Even better if you run it on one of the new AMD processors that protect against buffer overflows.
To: r9etb
I try to be an equal-opportunity offender, when possible - I've posted articles on flaws in OS X, Linux, Windows, and now Solaris. Obviously, not all holes are equal, but root access is serious no matter who your favorite racehorse happens to be, and all systems are potentially vulnerable, at least until someone figures out how to guarantee 100% bug-free operating systems. And once those exist, then you have to make sure that all the other code that runs is 100% bug-free, too, or you wind up with this sort of thing ;)
15 posted on 03/05/2004 7:47:57 AM PST by general_re (The doors to Heaven and Hell are adjacent and identical... - Nikos Kazantzakis)
To: antiRepublicrat
Your door locks can be picked also, but the locksmith who installed them didn't give the same keys to everyone in town.
The difficulty of hacking into a computer is relative to how much effort went into security. You can easily password the bios and clip off the override jumper pins (or lock the case). That adds a bit of security. The file system can also be encrypted.
So the question is, can you break in without being detected.
16 posted on 03/05/2004 7:48:33 AM PST by js1138
To: general_re
Does this vulnerability affect those who authenticate through Keon?
To: proxy_user
I'm not particularly familiar with Keon - never needed to be - so I couldn't begin to give you much more than an educated guess. I'm always happy to provide those, though - I would guess it's not affected, but for a definitive answer you're probably safer consulting someone who's a bit more up-to-speed on Keon than me ;)
18 posted on 03/05/2004 9:44:32 AM PST by general_re (The doors to Heaven and Hell are adjacent and identical... - Nikos Kazantzakis)
To: js1138
. . .as can anyone with a UNIX install or boot disk. . .
Boot to single-user mode, delete /etc/shadow, then passwd root. . .
Then again, since Mac OSX **IS** Unix. . .
19 posted on 03/06/2004 8:29:51 PM PST by Salgak (don't mind me: the orbital mind control lasers are making me write this. . .)