Menu

#274 Root Shell Denial of Service

closed
5
2006-06-20
2006-06-20
Anonymous
No

As pointed out in
http://www.osreviews.net/reviews/admin/usermin it is
possible to disable the login shell of the root account
by calling save.cgi with an empty value for the shell.
The problem is that the command is expanded to `chsh -s
foo`, which changes the shell of the root account to
foo instead of changing foo's shell.

When combined with some well-known social engineering
tactics (cf. "Stealing Superuser" in Practical UNIX &
Internet Security) it might even be possible to obtain
root access to the system.

Discussion

  • Jamie Cameron

    Jamie Cameron - 2006-06-20
    • status: open --> closed
     
  • Jamie Cameron

    Jamie Cameron - 2006-06-20

    Logged In: YES
    user_id=129364

    Thanks for pointing this out - I will fix it in the next
    release of Usermin.

     
  • Nobody/Anonymous

    Logged In: NO

    AFAICS this has not been fixed yet. Any possibility that
    this will be addressed in the future?

     
  • Jamie Cameron

    Jamie Cameron - 2006-09-14

    Logged In: YES
    user_id=129364

    This is definately fixed in Usermin 1.220.
    In the file chfn/save.cgi, there is a check on line 19 for
    an empty shell.

     

Log in to post a comment.

Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.