Vigil@nce - Unix: file reading via chsh or chfn
February 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can use chsh or chfn, in order to read protected
files, which contain a known line.
Severity: 2/4
Creation date: 09/02/2012
IMPACTED PRODUCTS
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The chsh and chfn suid root programs can be called by users
wishing to change their default shell or their full name. For
example:
$ chsh
Password: [the user enters his password]
Enter your new shell: [enter "hello"]
Error: the shell "hello" is not valid
So, once the user has entered his password, any invalid input he then
types is echoed back by chsh in its error message.
If a local attacker knows the first line of a file, he can change
his password to match this line. Then, by redirecting the standard
input (stdin) of chsh from that file, the first line is accepted as
the password and the second line of the file is displayed in the
error message.
If the attacker for example knows the fourth line, the first three
lines will be treated as bad passwords, and the attacker will read
the fifth line. The attacker can then change his password to this
fifth line, so he will read the sixth line. By repeating this
operation, the attacker can therefore read every line located after
a known line (provided his account is not locked after too many
bad passwords are entered).
This attack cannot be used to read /etc/shadow, because the
attacker does not know a line in this file (his line contains a
salt).
On systems where chsh/chfn does not request a password, this
attack is not limited by bad-password lockout at all.
A local attacker can therefore use chsh or chfn, in order to read
protected files, which contain a known line.
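The attack described above only works if the attacker can feed many wrong passwords to chsh/chfn without his account being locked, so a burst of chsh/chfn authentication failures from one user is the signal a defender should look for. The following detection script is an added example, not part of the Vigil@nce bulletin; the sample log lines are constructed, and their layout follows the pam_unix "authentication failure" syslog message, which is an assumption about how the monitored host logs these events.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth-log lines (not from the bulletin). The message
# layout is modeled on pam_unix's "authentication failure" record; adapt
# LINE_RE if the monitored host logs these events differently.
SAMPLE_LOG = """\
Feb  9 10:00:01 host chsh[4101]: pam_unix(chsh:auth): authentication failure; logname=alice uid=1000 euid=0 tty=pts/0 ruser= rhost=  user=alice
Feb  9 10:00:02 host chsh[4102]: pam_unix(chsh:auth): authentication failure; logname=alice uid=1000 euid=0 tty=pts/0 ruser= rhost=  user=alice
Feb  9 10:00:03 host chsh[4103]: pam_unix(chsh:auth): authentication failure; logname=alice uid=1000 euid=0 tty=pts/0 ruser= rhost=  user=alice
Feb  9 10:00:04 host chfn[4104]: pam_unix(chfn:auth): authentication failure; logname=alice uid=1000 euid=0 tty=pts/0 ruser= rhost=  user=alice
Feb  9 10:00:05 host chsh[4105]: pam_unix(chsh:auth): authentication failure; logname=alice uid=1000 euid=0 tty=pts/0 ruser= rhost=  user=alice
Feb  9 10:30:00 host sshd[4200]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.5  user=bob
Feb  9 11:00:00 host chsh[4300]: pam_unix(chsh:auth): authentication failure; logname=carol uid=1001 euid=0 tty=pts/1 ruser= rhost=  user=carol
"""

# Only chsh/chfn failures are of interest; sshd and other services are ignored.
# The "\buser=" anchor skips the "ruser=" field and picks up the final user=.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<prog>chsh|chfn)\[\d+\]: "
    r"pam_unix\((?:chsh|chfn):auth\): authentication failure;.*\buser=(?P<user>\S+)"
)


def parse_failures(log_text, year=2012):
    """Return a list of (timestamp, program, user) for each chsh/chfn
    authentication failure found in log_text. Syslog lines carry no year,
    so the caller supplies it."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["prog"], m["user"]))
    return events


def flag_bursts(events, threshold=3, window_seconds=300):
    """Return {user: max_failures_in_window} for users with at least
    `threshold` chsh/chfn failures inside any sliding window of
    `window_seconds`. A burst like this is what feeding a file's lines
    to chsh as passwords looks like in the logs."""
    per_user = defaultdict(list)
    for ts, _prog, user in events:
        per_user[user].append(ts)

    flagged = {}
    for user, stamps in per_user.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Shrink the window from the left until it spans <= window_seconds.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


if __name__ == "__main__":
    for user, count in sorted(flag_bursts(parse_failures(SAMPLE_LOG)).items()):
        print(f"ALERT: {user} had {count} chsh/chfn authentication failures "
              f"within a 5-minute window")
```

Run against a real auth log, the threshold and window should be tuned to the site's normal rate of mistyped passwords; a single user producing several consecutive chsh/chfn failures within seconds is far outside that baseline. The alert complements, rather than replaces, the lockout the bulletin alludes to: a PAM failure-counting module that locks the account after a few bad passwords stops the line-by-line read early, and this script catches the attempts on hosts where that lockout is not in place.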
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Unix-file-reading-via-via-chsh-or-chfn-11348