search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Format string vulnerability in libutil pw_error(3) function

Vulnerability Note VU#369427

Original Release Date: 2000-11-07 | Last Revised: 2001-03-30

Overview

There is an input validation vulnerability in the OpenBSD libutil system library that allows local users to gain superuser access via the chpass utility.

Description

On June 30, 2000, the OpenBSD development team repaired an input validation vulnerability in the pw_error function of the OpenBSD 2.7 libutil library.

It was later discovered that when this function is called by the setuid program /usr/bin/chpass on unpatched systems, it is possible for users to obtain superuser access.

Impact

Attackers with an account on affected systems can obtain superuser access via the chpass utility.

Solution

Apply a patch from your vendor.
See the vendors section of this document for further information from your vendor.

The CERT/CC recommends that vulnerable users protect their systems by removing the SUID bit on chpass.

Vendor Information

369427
Expand all

FreeBSD

Notified:  October 24, 2000 Updated:  October 31, 2000

Status

  Vulnerable

Vendor Statement

FreeBSD was also vulnerable to this problem since the affected code has a common ancestor. Like OpenBSD, we fixed the problem during security auditing in 2000/07, but did not realise it to be a security vulnerability since the function is not part of a library on FreeBSD, but the source code file containing the function is included directly in the affected setuid programs. FreeBSD 3.5.1 and 4.0 are the most recent affected versions - 4.1 and 4.1.1 are unaffected.

An advisory is under preparation and will likely be released on 2000/10/30.

Kris

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetBSD

Notified:  October 24, 2000 Updated:  October 27, 2000

Status

  Vulnerable

Vendor Statement

NetBSD-1.4.2 and prior releases are vulnerable; the forthcoming 1.4.3 and 1.5 releases will have this problem fixed. We will be issuing an advisory (similar to the OpenBSD advisory) in the next day or two, with a patch included.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD

Notified:  October 24, 2000 Updated:  November 17, 2000

Status

  Vulnerable

Vendor Statement

From the OpenBSD Security Advisory:

"This vulnerability affects OpenBSD versions through 2.7. FreeBSD 4.0 is vulnerable, but patches have been backported, and FreeBSD versions 4.1 and
4.1.1 are safe. Bill Sommerfield committed a fix to NetBSD today shortly after we notified him of the problem.

OpenBSD users running -current (2.8-beta) with a system dated July 1st or thereafter are safe."

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

OpenBSD has provided a patch for this vulnerability at:

Apple

Notified:  October 24, 2000 Updated:  October 27, 2000

Status

  Not Vulnerable

Vendor Statement

This notification is in regards to CERT Advisory "Input validation vulnerability in OpenBSD libutil library" (VU#369427).

Mac OS X is not vulnerable to the input validation vulnerability in the OpenBSD libutil library.

--
Eric Zelenka
ericz@apple.com
Apple Computer, Inc.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

BSDI

Notified:  October 24, 2000 Updated:  October 27, 2000

Status

  Not Vulnerable

Vendor Statement

No versions of BSD/OS are vulnerable to this problem.

-Jeff Polk, BSDI

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Compaq Computer Corporation

Notified:  October 24, 2000 Updated:  October 27, 2000

Status

  Not Vulnerable

Vendor Statement

SOURCE: (c) Copyright 2000 Compaq Computer Corporation. All rights reserved.


SOURCE: Compaq Computer Corporation

    Compaq Services
    Software Security Response Team USA

This reported problem is not present in Compaq Tru64/UNIX Operating Systems Software.
        - Compaq Computer Corporation

      Vendor Information

      The vendor has not provided us with any further information regarding this vulnerability.

      Addendum

      The CERT/CC has no additional comments at this time.

      If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu

Notified:  October 23, 2000 Updated:  January 20, 2001

Status

  Not Vulnerable

Vendor Statement

Fujitsu's UXP/V is not vulnerable to this problem.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett Packard

Notified:  October 24, 2000 Updated:  January 03, 2001

Status

  Not Vulnerable

Vendor Statement

HP does not have a libutil and we don't offer a command called chpass. (Any password changes are done via the command options or SAM). Further, we don't support a function called pw_error.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

This document was written by Jeffrey P. Lanza.

Other Information

CVE IDs: CVE-2000-0993
Severity Metric: 11.16
Date Public: 2000-10-03
Date First Published: 2000-11-07
Date Last Updated: 2001-03-30 00:27 UTC
Document Revision: 9

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.