Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Andrew Pimlott (andrew_at_pimlott.net)
Date: Tue Jul 30 2002 - 00:35:36 CDT
On Mon, Jul 29, 2002 at 10:51:50AM -0400, Michal Zalewski wrote:
> the administrator will most likely add "rm -f /etc/ptmp" or
> equivalent to his crontab
If he is smart, he will check whether the file is open (eg with
fuser) before removing it. So your attack does require an
However! There appears to be an attack that does not require any
> 1. /etc/ptmptmp file is opened with O_WRONLY|O_CREAT, 0644 perms
> 2. the file is linked to /etc/ptmp, exit on failure
> 3. /etc/ptmptmp is removed
> Later, the descriptor obtained in step 1 is used for writing to
> construct the new /etc/passwd contents. This is done line by line, by
> calling the fputs() routine. When the new file is ready, three more
> steps are taken:
> 4. /etc/passwd.OLD is removed
> 5. /etc/passwd is linked to /etc/passwd.OLD
> 6. /etc/ptmp is renamed to /etc/passwd
chfn 1 chfn 2 chfn 3
open /etc/ptmptmp open /etc/ptmptmp
link -> /etc/ptmp
mv -> /etc/passwd
At this point, chfn 2 has a fd open to /etc/passwd.
ln -> /etc/ptmp
chfn 2 is now scribbling over /etc/passwd, and may at some point
create an "improved" password entry.
This is based on what Michal wrote; I haven't tested it.
> step 3 ensures that no process will work on the hardlink of
> /etc/passwd after the procedure is completed.
If what Michal wrote is complete, it does not.