Vulnerability Note VU#369427

Format string vulnerability in libutil pw_error(3) function

Overview

There is an input validation vulnerability in the OpenBSD libutil system library that allows local users to gain superuser access via the chpass utility.

I. Description

On June 30, 2000, the OpenBSD development team repaired an input validation vulnerability in the pw_error function of the OpenBSD 2.7 libutil library.

It was later discovered that when this function is called by the setuid program /usr/bin/chpass on unpatched systems, it is possible for users to obtain superuser access.

II. Impact

Attackers with an account on affected systems can obtain superuser access via the chpass utility.

III. Solution

Apply a patch from your vendor.

See the vendors section of this document for further information from your vendor.

The CERT/CC recommends that vulnerable users protect their systems by removing the SUID bit on chpass.

Systems Affected

Vendor	Status	Date Notified
Apple	Not Vulnerable	27-Oct-2000
BSDI	Not Vulnerable	27-Oct-2000
Compaq Computer Corporation	Not Vulnerable	27-Oct-2000
FreeBSD	Vulnerable	31-Oct-2000
Fujitsu	Not Vulnerable	20-Jan-2001
Hewlett Packard	Not Vulnerable	3-Jan-2001
NetBSD	Vulnerable	27-Oct-2000
OpenBSD	Vulnerable	17-Nov-2000

References

http://www.securityfocus.com/bid/1744
http://www.openbsd.org/errata.html (025)
ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/025_pw_error.patch

Credit

This document was written by Jeffrey P. Lanza.

Other Information

Date Public:	2000-10-03
Date First Published:	2000-11-07
Date Last Updated:	2001-03-29
CERT Advisory:
CVE-ID(s):	CAN-2000-0993
NVD-ID(s):	CAN-2000-0993
US-CERT Technical Alerts:
Metric:	11.16
Document Revision:	9

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Get Adobe Reader