Summary: net-mail/cmd5checkpw is installed setuid, but does not drop euid
Product: Gentoo Security
Reporter: Florian Westphal <westphal>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Package list:
Runtime testing required: ---
Description Florian Westphal 2005-01-16 11:34:26 UTC
net-mail/cmd5checkpw is installed setuid cmd5checkpw, but it does not drop privileges before calling execvp(), i.e. the invoked program retains the cmd5checkpw euid. Local users that know at least one valid /etc/poppasswd user/password combination can read the /etc/poppasswd file.

Reproducible: Always

Steps to Reproduce:
1. emerge net-mail/cmd5checkpw
2. create /etc/poppasswd to contain:
user:pass
secret:secret
3.
$ id
uid=1001(fw) gid=100(users) groups=5(tty),10(wheel),16(cron),100(users)
$ perl -e 'print("user\0pass\0pass\0");' > test
$ 3<test /bin/cmd5checkpw id
uid=1001(fw) gid=100(users) euid=1000(cmd5checkpw) [..]

Actual Results:
user obtains euid=1000(cmd5checkpw).

Expected Results:
Drop euid before execvp(). If cmd5checkpw really needs to be setuid, it should set its effective uid to the real uid of the calling process. I'll add a patch to do this, but I'd prefer cmd5checkpw to not be setuid (this might break things though).
Comment 1 Florian Westphal 2005-01-16 11:37:10 UTC
Created attachment 48674 [details, diff] cmd5checkpw: set euid to uid of calling user
Comment 2 Thierry Carrez (RETIRED) 2005-01-16 11:48:16 UTC
net-mail herd, please comment (on the need to be SUID and on the patch). Florian: did you try to contact upstream yet?
Comment 3 Florian Westphal 2005-01-16 11:58:40 UTC
I emailed email@example.com about this a few minutes ago (same bug report + patch). (I thought this was a Gentoo-specific bug at first, before seeing that upstream docs suggest making cmd5checkpw setuid.)
Comment 4 Thierry Carrez (RETIRED) 2005-01-27 07:12:34 UTC
Reassigning this as a vulnerability, since it's a clear local information leak. Florian: any answer from upstream?
Comment 5 Florian Westphal 2005-01-27 08:55:35 UTC
No reply from upstream until now. The last 'news' item on the project homepage is dated 09.10.2000...
Comment 6 Thierry Carrez (RETIRED) 2005-01-27 08:59:48 UTC
net-mail: please comment. Can cmd5checkpw not be setuid? If not, what do you think of the patch?
Comment 7 Michael Hanselmann (hansmi) (RETIRED) 2005-01-27 10:55:24 UTC
langthang asked me to comment on this bug. There we go. Quoting the manpage of cmd5checkpw:

FILES
/etc/poppasswd - this file contains pairs of logins and clear text passwords separated by ":". It looks like this:
login1:password1
login2:password2
Best way to protect it is to make it readable only for one specific user different than your normal system users and make cmd5checkpw suid that user.

Therefore, I would say that cmd5checkpw has to be setuid if /etc/poppasswd is only readable by a specific user. But I also think that dropping the effective uid wouldn't hurt. If nobody else (robbat2?) sees a problem in here, we should apply the patch.
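The following is an added example, not cmd5checkpw's own code and not the attached patch: a small checkpassword-style authenticator that reads "user\0password\0timestamp\0" from fd 3 (the convention the description's perl/3<test reproduction relies on), checks it against a poppasswd-style "login:password" file in the format quoted from the manpage above, and drops the setuid euid back to the caller before execvp(), which is the fix the description asks for. The plaintext compare is a stand-in for the real CRAM-MD5 verification, and the path /etc/poppasswd, the buffer sizes and the exit codes (0 ok, 1 rejected, 2 misuse, 111 temporary failure) are assumptions for this example.

```c
/*
 * Added example, not cmd5checkpw's own code: a checkpassword-style
 * authenticator that reads "user\0password\0timestamp\0" from fd 3,
 * checks it against a poppasswd-style "login:password" file, and
 * drops the setuid euid back to the caller before execvp().
 * The plaintext compare stands in for the real CRAM-MD5 check; the
 * path and exit codes are assumptions for this example.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define POPPASSWD_PATH "/etc/poppasswd"  /* assumed, as in the report */

/* Split the fd-3 buffer into its three NUL-terminated fields.
 * Returns 0 on success, -1 if a terminator is missing. */
static int parse_fd3(const char *buf, size_t len,
                     const char **user, const char **pass, const char **stamp)
{
    const char *fields[3];
    const char *p = buf, *end = buf + len;
    for (int i = 0; i < 3; i++) {
        const char *nul = memchr(p, '\0', (size_t)(end - p));
        if (nul == NULL)
            return -1;
        fields[i] = p;
        p = nul + 1;
    }
    *user = fields[0];
    *pass = fields[1];
    *stamp = fields[2];
    return 0;
}

/* Return 1 if some "login:password" line matches user and pass exactly,
 * 0 otherwise. Lines without a ':' are ignored. */
static int check_poppasswd(const char *contents, const char *user, const char *pass)
{
    size_t ulen = strlen(user), plen = strlen(pass);
    const char *line = contents;
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t linelen = nl ? (size_t)(nl - line) : strlen(line);
        const char *colon = memchr(line, ':', linelen);
        if (colon != NULL) {
            size_t lu = (size_t)(colon - line), lp = linelen - lu - 1;
            if (lu == ulen && lp == plen &&
                memcmp(line, user, ulen) == 0 && memcmp(colon + 1, pass, plen) == 0)
                return 1;
        }
        if (nl == NULL)
            break;
        line = nl + 1;
    }
    return 0;
}

/* Give up the setuid identity before handing control to another program.
 * A non-root setuid process can only change its euid with setuid(); the
 * saved uid keeps the file owner until execve(), which resets it to the
 * euid, so the exec'd program cannot regain it afterwards. (On Linux,
 * setresuid(uid, uid, uid) makes the drop explicit.) Returns 0 on
 * success, -1 if a call fails or the identity is not what we expect. */
static int drop_privs(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    char buf[512], contents[4096];
    const char *user, *pass, *stamp;
    if (argc < 2)
        return 2;                                  /* checkpassword: misuse */
    ssize_t n = read(3, buf, sizeof buf);
    if (n <= 0 || parse_fd3(buf, (size_t)n, &user, &pass, &stamp) != 0)
        return 2;
    (void)stamp;

    /* Read the secret while still holding the cmd5checkpw euid. */
    FILE *f = fopen(POPPASSWD_PATH, "r");
    if (f == NULL)
        return 111;                                /* temporary failure */
    size_t got = fread(contents, 1, sizeof contents - 1, f);
    fclose(f);
    contents[got] = '\0';
    int ok = check_poppasswd(contents, user, pass);
    memset(contents, 0, sizeof contents);          /* best-effort scrub */
    if (!ok)
        return 1;                                  /* bad login/password */

    /* The reported bug is an execvp() here without this drop. */
    if (drop_privs() != 0)
        return 111;
    execvp(argv[1], argv + 1);
    return 111;                                    /* exec failed */
}
```

Built as `cc -o checkpw example.c`, installed setuid to the owner of /etc/poppasswd, and run the same way as in the description (`3<test ./checkpw id`), the `id` output shows no euid line because drop_privs() runs before execvp(). The check after setuid() matters: a drop that silently fails (for example an unexpected EPERM) would otherwise leave the exec'd program with the file owner's identity, which is exactly the leak reported here.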
Comment 8 Michael Hanselmann (hansmi) (RETIRED) 2005-01-27 11:12:57 UTC
Robin, what do you think about this patch? Can we apply it?
Comment 9 Thierry Carrez (RETIRED) 2005-02-04 06:02:00 UTC
Upstream looks dead... net-mail: please apply the patch or drop the package.
Comment 10 Michael Hanselmann (hansmi) (RETIRED) 2005-02-13 04:24:50 UTC
The patch is now applied to cmd5checkpw-0.22-r2. The ebuild is currently in ~ARCH for testing. Please test it and comment on this bug again. Then we'll make a stabilization request to all affected architectures.
Comment 11 Sune Kloppenborg Jeppesen 2005-02-13 04:46:05 UTC
Thx Michael, reopening for stable marking. Arches please test and mark cmd5checkpw-0.22-r2 stable.
Comment 12 Olivier Crete (RETIRED) 2005-02-13 12:49:52 UTC
Comment 13 Michael Hanselmann (hansmi) (RETIRED) 2005-02-13 14:26:11 UTC
Stable on ppc and hppa.
Comment 14 Bryan Østergaard (RETIRED) 2005-02-13 14:57:50 UTC
Stable on alpha.
Comment 15 Gustavo Zacarias (RETIRED) 2005-02-14 05:47:36 UTC
Comment 16 Mike Doty (RETIRED) 2005-02-14 06:53:44 UTC
How is this being tested? (No one on amd64 apparently uses it.)
Comment 17 Thierry Carrez (RETIRED) 2005-02-15 01:30:14 UTC
Mike: I am not a cmd5checkpw user but it looks like a password changing system that will access a /etc/poppasswd (owned by the cmd5checkpw user and -rw-------). Try creating a /etc/poppasswd file with pairs of logins and clear text passwords like this:
login1:password1
And validate you can change the password as a regular user. You can also validate that the exploit in the bug description is no longer working.
Comment 18 Hardave Riar (RETIRED) 2005-02-18 10:59:51 UTC
Stable on mips.
Comment 19 Mike Doty (RETIRED) 2005-02-19 08:01:35 UTC
stable on amd64
Comment 20 Matthias Geerdsen (RETIRED) 2005-02-21 02:09:38 UTC
security, pls vote on GLSA need
Comment 21 Luke Macken (RETIRED) 2005-02-23 18:39:15 UTC
I vote no glsa, please feel free to disagree ;)
Comment 22 Thierry Carrez (RETIRED) 2005-02-24 02:05:04 UTC
Local users can get plaintext POP passwords for their coworkers... I vote yes.
Comment 23 Matthias Geerdsen (RETIRED) 2005-02-24 03:25:48 UTC
Not absolutely necessary, but a GLSA on this might be a good idea. Voting for one.
Comment 24 Thierry Carrez (RETIRED) 2005-02-25 13:32:50 UTC
GLSA 200502-30. arm should mark stable to benefit from the GLSA.