===========================================================================
             AUSCERT External Security Bulletin Redistribution

                  ESB-2002.006 -- FreeBSD-SA-02:02.pw
        pw(8) race condition may allow disclosure of master.passwd
                              8 January 2002

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                pw(8)
Vendor:                 FreeBSD
Operating System:       FreeBSD
Impact:                 Access Privileged Data
Access Required:        Existing Account

--------------------------BEGIN INCLUDED TEXT--------------------

=============================================================================
FreeBSD-SA-02:02                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          pw(8) race condition may allow disclosure of master.passwd

Category:       core
Module:         pw
Announced:      2002-01-04
Credits:        ryan beasley <ryanb@goddamnbastard.org>
Affects:        All releases prior to 4.5-RELEASE,
                4.4-STABLE prior to the correction date
Corrected:      2001-12-21 15:21:32 UTC (4.4-STABLE aka RELENG_4)
                2001-12-21 15:22:55 UTC (4.4-RELEASEp1 aka RELENG_4_4)
                2001-12-21 15:23:04 UTC (4.3-RELEASEp21 aka RELENG_4_3)
FreeBSD only:   YES

I.   Background

The pw(8) utility is used to create, remove, modify, and display system
users and groups.

II.  Problem Description

When creating, removing, or modifying system users, the pw utility
modifies the system password file `/etc/master.passwd'.  This file
contains the users' encrypted passwords and is normally only readable
by root.  During the modification, a temporary copy of the file is
created.  However, this temporary file is mistakenly created with
permissions that allow it to be read by any user.

III. Impact

A local attacker can read the temporary file created by pw(8) and
use the encrypted passwords to conduct an off-line dictionary attack.
A successful attack would result in the recovery of one or more
passwords.  Because the temporary file is short-lived (it is removed
almost immediately after creation), this can be difficult to exploit:
an attacker must `race' to read the file before it is removed.

IV.  Workaround

1) Do not use pw(8) to create, remove, or modify system users.

V.   Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4-STABLE (RELENG_4), the
4.4-RELEASE security-fix branch (RELENG_4_4), or the 4.3-RELEASE
security-fix branch (RELENG_4_3), dated after the correction date.

2) FreeBSD 4.x systems prior to the correction date:

The following patch has been verified to apply to FreeBSD 4.3-RELEASE,
4.4-RELEASE, and 4-STABLE dated prior to the correction date.  This
patch may or may not apply to older, unsupported releases of FreeBSD.

Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-02:02/pw.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-02:02/pw.patch.asc

Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/pw
# make depend && make all install

VI.  Correction details

The following list contains the $FreeBSD$ revision numbers of each
file that was corrected in the FreeBSD source.

Path                                                             Revision
  Branch
-------------------------------------------------------------------------
src/usr.sbin/pw/pwupd.c
  HEAD (CURRENT)                                                     1.18
  RELENG_4 (4-STABLE)                                            1.12.2.4
  RELENG_4_4 (4.4-RELEASE security branch)                   1.12.2.3.4.1
  RELENG_4_3 (4.3-RELEASE security branch)                   1.12.2.3.2.1
-------------------------------------------------------------------------

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.
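
Added example, not part of the advisory and not FreeBSD's pwupd.c code: section II describes a temporary copy of master.passwd created with permissions that let any user read it. The sketch below contrasts one common way such a flaw arises (creating the file with fopen() under the default umask, which is an assumption about the mechanism) with a creation call that fixes the mode at 0600 from the start. The function names, the /tmp/pwdemo.* scratch directory and the sample record are constructed for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed sample record; not a real account or password hash. */
static const char RECORD[] = "demo:$1$constructed$hash:1001:1001::0:0:Demo:/home/demo:/bin/sh\n";

/* Weak: fopen() creates the file with 0666 & ~umask, i.e. 0644 under the
 * usual umask of 022, so any local user can read the copy while it exists. */
static int create_weak(const char *path) {
    FILE *fp = fopen(path, "w");
    if (fp == NULL) return -1;
    fputs(RECORD, fp);
    return fclose(fp);
}

/* Hardened: the mode is fixed at creation time, so there is no window in
 * which others can read the file; O_EXCL rejects a pre-existing file. */
static int create_hardened(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    if (fd < 0) return -1;
    ssize_t n = write(fd, RECORD, sizeof RECORD - 1);
    return (close(fd) == 0 && n == (ssize_t)(sizeof RECORD - 1)) ? 0 : -1;
}

/* Create the copy in a private scratch directory under umask 022 and
 * return the permission bits it ended up with, or -1 on error. */
static int tmp_mode(int hardened) {
    char dir[64], path[96];
    struct stat st;
    int mode = -1;
    mode_t old = umask(022);
    snprintf(dir, sizeof dir, "/tmp/pwdemo.%ld.%d", (long)getpid(), hardened);
    snprintf(path, sizeof path, "%s/master.passwd.new", dir);
    if (mkdir(dir, 0700) == 0) {
        if ((hardened ? create_hardened : create_weak)(path) == 0 && stat(path, &st) == 0)
            mode = (int)(st.st_mode & 0777);
        unlink(path);
        rmdir(dir);
    }
    umask(old);
    return mode;
}

int main(void) {
    printf("weak: %04o  hardened: %04o\n", (unsigned)tmp_mode(0), (unsigned)tmp_mode(1));
    return 0;
}
```

Creating the file first and tightening it afterwards with chmod() would still leave a short readable window, which is the kind of race section III describes; setting the mode in the creating call avoids it.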