From owner-freebsd-hackers Wed Sep 5 1:23:51 2001
Delivered-To: freebsd-hackers@freebsd.org
Message-ID: <010e01c135e4$1ea267a0$0245a8c0@chojin>
From: "Chojin"
References: <200109041949.f84JnJs36681@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:59.rmuser
Date: Wed, 5 Sep 2001 10:23:57 +0200

When I apply the patch:

[ /usr/src/usr.sbin/adduser]$patch -p < /home/chojin/patch/rmuser.patch
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: rmuser.perl
|===================================================================
|RCS file: /usr2/ncvs/src/usr.sbin/adduser/rmuser.perl,v
|retrieving revision 1.8.2.4
|retrieving revision 1.8.2.5
|diff -u -r1.8.2.4 -r1.8.2.5
|--- rmuser.perl 2001/05/25 15:05:00 1.8.2.4
|+++ rmuser.perl 2001/07/28 12:10:15 1.8.2.5
--------------------------
Patching file rmuser.perl using Plan A...
Hunk #1 failed at 42.
Hunk #2 failed at 311.
Hunk #3 failed at 340.
Hunk #4 failed at 350.
4 out of 4 hunks failed--saving rejects to rmuser.perl.rej
done

----- Original Message -----
From: "FreeBSD Security Advisories"
To: "FreeBSD Security Advisories"
Sent: Tuesday, September 04, 2001 9:49 PM
Subject: FreeBSD Security Advisory FreeBSD-SA-01:59.rmuser

> -----BEGIN PGP SIGNED MESSAGE-----
>
> =============================================================================
> FreeBSD-SA-01:59                                            Security Advisory
>                                                                 FreeBSD, Inc.
>
> Topic:          rmuser contains a race condition exposing /etc/master.passwd
>
> Category:       core
> Module:         rmuser
> Announced:      2001-09-04
> Credits:        dynamo@harvard.net
> Affects:        FreeBSD 4.2-RELEASE, 4.3-RELEASE
>                 FreeBSD 4.3-STABLE prior to the correction date.
> Corrected:      2001-07-28 12:10:15 UTC (4.3-STABLE)
>                 2001-09-04 07:46:57 UTC (RELENG_4_3)
> FreeBSD only:   Yes
>
> I. Background
>
> rmuser is a perl script used to completely remove users from a system.
>
> II. Problem Description
>
> When removing a user from the system with the rmuser utility, the
> /etc/master.passwd file and its corresponding database /etc/spwd.db
> must be updated. The rmuser script was incorrectly doing this by
> creating a new master.passwd file with an unsafe umask and then using
> chmod to set its permissions to 0600. Between the time that the file
> was created and the time that its permissions were changed the file is
> world-readable.
>
> This is only a minor security vulnerability since the rmuser command
> is only used infrequently on most systems, and the attack is highly
> timing-dependent.
>
> All versions of FreeBSD prior to the correction date including FreeBSD
> 4.3 contain this problem. The base system that will ship with FreeBSD
> 4.4 does not contain this problem since it was corrected prior to the
> release.
>
> III. Impact
>
> For a brief amount of time while running rmuser, a world-readable copy
> of /etc/master.passwd is available. A local attacker who reads this
> file can extract password hashes from the copy of /etc/master.passwd.
> This information could be used by attackers to escalate their
> privileges, possibly yielding root privileges on the local system, by
> mounting an offline dictionary attack in order to guess the plaintext
> passwords of the accounts on the local system.
>
> IV. Workaround
>
> Use the pw(8) utility to remove users instead of rmuser.
>
> - "pw userdel " will only remove the user from
>   /etc/passwd, /etc/master.passwd and /etc/group
> - "pw -r userdel " will also remove the user's home
>   directory
>
> V. Solution
>
> 1) Upgrade your vulnerable system to 4.3-STABLE or the RELENG_4_3
> security branch, dated after the respective correction dates.
>
> 2) To patch your present system: download the relevant patch from the
> below location, and execute the following commands as root:
>
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:59/rmuser.patch
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:59/rmuser.patch.asc
>
> Verify the detached PGP signature using your PGP utility.
>
> This patch has been verified to apply to FreeBSD 4.2-RELEASE and
> 4.3-RELEASE. It may or may not apply to older, unsupported releases
> of FreeBSD.
>
> # cd /usr/src/usr.sbin/adduser
> # patch -p < /path/to/patch
> # make depend && make all install
>
> 3) FreeBSD 4.3-RELEASE systems:
>
> An experimental upgrade package is available for users who wish to
> provide testing and feedback on the binary upgrade process. This
> package may be installed on FreeBSD 4.3-RELEASE systems only, and is
> intended for use on systems for which source patching is not practical
> or convenient.
>
> If you use the upgrade package, feedback (positive or negative) to
> security-officer@FreeBSD.org is requested so we can improve the
> process for future advisories.
>
> During the installation procedure, backup copies are made of the files
> which are replaced by the package.
> These backup copies will be
> reinstalled if the package is removed, reverting the system to a
> pre-patched state.
>
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:59/security-patch-rmuser-01.59.tgz
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:59/security-patch-rmuser-01.59.tgz.asc
>
> Verify the detached PGP signature using your PGP utility.
>
> # pkg_add security-patch-rmuser-01.59.tgz
>
> VI. CVS Revisions
>
> The following $FreeBSD$ CVS revisions contain the fixes for this
> vulnerability. The $FreeBSD$ revision of installed sources can be
> examined using the ident(1) command. These revision IDs are not
> updated by applying the patch referenced above.
>
> [FreeBSD 4.3-STABLE]
>
>   Revision      Path
>   1.8.2.5       src/usr.sbin/rmuser.perl
>
> [RELENG_4_3]
>
>   Revision      Path
>   1.8.2.2.2.1   src/usr.sbin/rmuser.perl
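
The create-then-chmod window described in section II of the quoted advisory, next to a creation call that never exposes a wider mode. This is an added example, not code from rmuser, the FreeBSD patch, or either message; the function names and file names are constructed for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of an open file, or -1 if fstat(2) fails. */
static int mode_of_fd(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Pattern the advisory describes: create under the inherited umask, then
 * chmod. Returns the mode the file had during the window before chmod. */
int create_then_chmod(const char *path)
{
    unlink(path);                       /* start from a clean slate */
    FILE *fp = fopen(path, "w");        /* created as 0666 & ~umask */
    if (fp == NULL)
        return -1;
    int window_mode = mode_of_fd(fileno(fp));
    chmod(path, 0600);                  /* tightened only after the fact */
    fclose(fp);
    return window_mode;
}

/* Hardened form: open(2) applies 0600 at creation, so no wider mode ever
 * exists; O_EXCL makes the call fail if the path is already present. */
int create_private(const char *path)
{
    unlink(path);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    int initial_mode = mode_of_fd(fd);
    close(fd);
    return initial_mode;
}

int main(void)
{
    umask(022);                         /* a common default umask */
    printf("create+chmod window: %04o\n", (unsigned)create_then_chmod("demo_unsafe.tmp"));
    printf("open(0600) at birth: %04o\n", (unsigned)create_private("demo_private.tmp"));
    unlink("demo_unsafe.tmp");
    unlink("demo_private.tmp");
    return 0;
}
```

Setting a restrictive umask such as 077 before the file is created also closes the window for the first pattern, because the initial mode is then already 0600.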