Subject: Re: numerous free/paid account systems are vulnerable to privledgeselevation attacks
From: Bernhard Rosenkraenzer (bero@REDHAT.DE)
Date: Fri Nov 10 2000 - 12:45:44 CST
On Fri, 10 Nov 2000, Michal Zalewski wrote:
> This problem is not related to any specific product or solution, but
> affects a pretty huge part of the ISP installations. The problem is a direct
> effect of the default account creation policy launched by OpenBSD, RedHat,
> and some other vendors, where every user has its own, corresponding gid.
If the standard system tools are used in the scripts mentioned in the
description, Red Hat Linux is not vulnerable because it checks for this
behavior.
[root@bero /root]# adduser kmem
adduser: group kmem exists - if you want to add this user to that group, use -g.
Here's the patch to (linux) shadow-utils we're using:
--- shadow-19990827/src/useradd.c.group Wed Jan 19 17:40:48 2000
+++ shadow-19990827/src/useradd.c Wed Jan 19 17:42:04 2000

-1929,6 +1929,19 
}
/*
+ * Don't blindly add a user to a group that already exists...
+ * If you already have a group username, and want to add the user
+ * to that group, use useradd -g username username.
+ * --bero
+ */
+ if (! (nflg || gflg)) {
+ if (getgrnam(user_name)) {
+ fprintf(stderr, _("%s: group %s exists - if you want to add this user to that group, use -g.\n"), Prog, user_name);
+ exit(E_NAME_IN_USE);
+ }
+ }
+
+ /*
* Do the hard stuff - open the files, create the user entries,
* create the home directory, then close and update the files.
*/
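Review bot: in the added `if (getgrnam(user_name))` test, a NULL return is taken to mean "no such group", but getgrnam() also returns NULL when the lookup itself fails, so on a lookup error the check fails open and useradd goes on to create the account. Setting errno to 0 before the call and refusing to continue when it is non-zero afterwards would make the check fail closed. The test also runs before the "open the files" step described in the comment that follows it, so a group created between the check and that step is not caught; repeating the lookup once the files are open would close that window.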