Subject: bin/13991: changing any user's password via chfn and NIS
To: None <gnats-bugs@gnats.netbsd.org>
From: Hubert Feyrer <hubert@feyrer.de>
List: netbsd-bugs
Date: 09/18/2001 04:19:55
>Number: 13991
>Category: bin
>Synopsis: changing any user's password via chfn and NIS
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Sep 17 19:20:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: Hubert Feyrer
>Release: NetBSD 1.5.2
>Organization:
bla!
>Environment:
System: NetBSD miyu 1.5.2 NetBSD 1.5.2 (MIYU) #13: Tue Sep 11 22:00:05 MEST 2001 feyrer@miyu:/usr/cvs/src-1.5/sys/arch/i386/compile/MIYU i386
>Description:
It was reported that running chfn(1) on NetBSD with a NetBSD
NIS server replaces the user's crypted password string in
master.passwd with a '*'. Digging a bit, it turns out that the
'*' comes in from the client, which sends the '*' instead of the
password, against which yppasswdd should verify the password.
Taking the password that the user has to verify before chfn,
crypt(3)ing it with a random salt, and sending that instead of
the '*' sets the password to the crypt(3)ed string in master.passwd
on the NIS server.
I have a strange feeling that everyone can change the password
of any user by faking the RPC data exchange.
Below follows
* The full mail exchange so far
* A patch that at least prevents chfn from sending a '*' and
puts a newly crypt(3)ed version into master.passwd.
>How-To-Repeat:
* Setup NIS client and server
* chfn on the client
* check the password on the server
>Fix:
Index: Makefile
===================================================================
RCS file: /cvsroot/basesrc/usr.bin/chpass/Makefile,v
retrieving revision 1.10
diff -u -r1.10 Makefile
--- Makefile 1997/10/24 09:00:22 1.10
+++ Makefile 2001/09/18 02:12:17
@@ -10,7 +10,7 @@
MLINKS= chpass.1 chfn.1 chpass.1 chsh.1
CPPFLAGS+=-DYP -I${.CURDIR}/../../lib/libc/include
DPADD+= ${LIBRPCSVC} ${LIBUTIL}
-LDADD+= -lrpcsvc -lutil
+LDADD+= -lrpcsvc -lutil -lcrypt
.include <bsd.prog.mk>
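Review bot: the DPADD line two lines above the change (`DPADD+= ${LIBRPCSVC} ${LIBUTIL}`) should gain `${LIBCRYPT}` to match the new `-lcrypt` in LDADD, so that make's dependency tracking covers the library the program is now linked against.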
Index: pw_yp.c
===================================================================
RCS file: /cvsroot/basesrc/usr.bin/chpass/pw_yp.c,v
retrieving revision 1.15.8.3
diff -u -r1.15.8.3 pw_yp.c
--- pw_yp.c 2000/11/15 18:53:39 1.15.8.3
+++ pw_yp.c 2001/09/18 02:12:17
@@ -169,7 +169,19 @@
/* tell rpc.yppasswdd */
yppasswd.newpw.pw_name = strdup(pw->pw_name);
+printf("HF: yppasswd.oldpass='%s', pw->pw_passwd='%s'\n", yppasswd.oldpass, pw->pw_passwd);
+#if 0
yppasswd.newpw.pw_passwd = strdup(pw->pw_passwd);
+#else
+ {
+ char salt[3];
+ salt[0] = 'a' + rand() % 26;
+ salt[1] = 'Z' + rand() % 26;
+ salt[2] = '\0';
+printf("HF: salt='%s', crypt()='%s'\n", salt, crypt(yppasswd.oldpass, salt));
+ yppasswd.newpw.pw_passwd = strdup(crypt(yppasswd.oldpass, salt));
+ }
+#endif
yppasswd.newpw.pw_uid = pw->pw_uid;
yppasswd.newpw.pw_gid = pw->pw_gid;
yppasswd.newpw.pw_gecos = strdup(pw->pw_gecos);
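Review bot: the salt computation `salt[1] = 'Z' + rand() % 26;` yields an invalid salt character for six of its 26 outcomes: 'Z' plus 1 through 6 lands on `[`, `\`, `]`, `^`, `_` and `` ` ``, none of which are in the `[a-zA-Z0-9./]` alphabet that crypt(3) accepts, so `'A' + rand() % 26` is presumably what was intended (and drawing both characters from the full 64-character alphabet would give 4096 salts instead of 676). rand() is also never seeded here, so every chfn run produces the same salt sequence; arc4random(3) in NetBSD's libc is the better source. The two `printf("HF: ...")` lines write the user's cleartext password and its hash to stdout and must be dropped before this is committed, as should the `#if 0` branch around the old `strdup(pw->pw_passwd)` line, which is dead code once the replacement is kept.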
From cpctc@vt.edu Tue Sep 18 04:12:47 2001
Date: Mon, 17 Sep 2001 21:25:39 -0400
From: cpctc <cpctc@vt.edu>
To: hubert@feyrer.de
Cc: netbsd-help@netbsd.org
Subject: Re: NIS/yp/passwd not compatible 1.5 -> 1.5.1?
After some more experimentation, the problem appears to be the 'chsh' program/command.
With password working as "bobobo":
master.passwd:
user:0DLBug12YBlDY:1000:100::0:0:,,,:/home/user:/usr/pkg/bin/bash
After doing a chsh on the nis/yp client...
master.passwd:
user:*:1000:100::0:0:,,,:/home/user:/bin/sh
the file 'passwd' always has a "*" for a password for the user.
I get the same behavior on a 1.5 nis client, 1.5.1 nis client, and the 1.5 nis server.
It always says something like "# changing information in nis database" during the chsh vi, so I assume it's nis-aware.
The command "passwd" works correctly with nis on the same three clients.
(hopefully I haven't globally compromised my system by revealing my password was "bobobo".. I'll change it back to "12345" now.)
Thanks again for any help..
----- Original Message -----
From: "Hubert Feyrer" <hubert@feyrer.de>
To: <netbsd-help@netbsd.org>; "cpctc" <cpctc@vt.edu>
Cc: <mjl@netbsd.org>
Sent: Monday, September 17, 2001 3:03 PM
Subject: Re: NIS/yp/passwd not compatible 1.5 -> 1.5.1?
| In article <004601c13f7c$1b1b8ed0$172aadbf@rrinc.com> you wrote:
| > My nis/yp server is 1.5 and works fine with 1.5 clients. (everything is
| > i386)
| >
| > I added a 1.5.1 client, and I'm able to log in, but if I do things that
| > check/change my password, like 'passwd' ('yppasswd') or 'chsh', it does
| > something that screws up my password on the server, and I'm no longer able
| > to login from any client.
| >
| > I have to log in as root, do vipw, and change my password entry from
| > "...:*:..." to "...::..." (no pw), then set my password from a 1.5 machine.
| >
| > Is this a known problem? I don't see any mention of nis/yp or passwd in the
| > 1.5.1 or 1.5.2 release announcements.
|
| Not sure, it *might* be related to login classes. Can you give more
| data here: what does the line look like before you call yppasswd from the 1.5.1
| client, what does it look afterward? Please copy the full line each time,
| from both passwd and master.passwd.
|
|
| - Hubert
|
| --
| Want to get a clue on IPv6 but don't know where to start? Try this:
| * Basics -> http://www.onlamp.com/pub/a/onlamp/2001/05/24/ipv6_tutorial.html
| * Setup -> http://www.onlamp.com/pub/a/onlamp/2001/06/01/ipv6_tutorial.html
| Of course with your #1 IPv6 ready operating system -> http://www.NetBSD.org/
|
>Release-Note:
>Audit-Trail:
>Unformatted:
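The Description above has chfn(1) replace the '*' with the verified password crypt(3)ed under a random salt, which only works if the salt is well-formed. As an added example, not code from this PR or from NetBSD, the following draws a two-character DES crypt(3) salt from the kernel's random device, validates it against the alphabet crypt(3) accepts, and reproduces the patch's `'Z' + rand() % 26` formula so that its out-of-alphabet outputs can be counted. The function names and the use of /dev/urandom are the example's own assumptions.

```c
/* Added example (not NetBSD code): valid DES crypt(3) salt generation
 * and a check of the salt formula used in PR bin/13991's patch. */
#include <stdio.h>
#include <string.h>

/* The 64-character salt alphabet accepted by traditional crypt(3). */
static const char SALT_CHARS[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Return 1 if s is a well-formed two-character DES salt, else 0. */
int salt_is_valid(const char *s)
{
    if (s == NULL || strlen(s) != 2)
        return 0;
    /* strlen() == 2 guarantees neither byte is NUL, so strchr() cannot
     * match the terminator of SALT_CHARS. */
    return strchr(SALT_CHARS, s[0]) != NULL &&
           strchr(SALT_CHARS, s[1]) != NULL;
}

/* Map two random bytes onto the salt alphabet.  256 is a multiple of 64,
 * so rnd[i] % 64 is unbiased; out receives a NUL-terminated salt. */
void salt_from_bytes(const unsigned char rnd[2], char out[3])
{
    out[0] = SALT_CHARS[rnd[0] % 64];
    out[1] = SALT_CHARS[rnd[1] % 64];
    out[2] = '\0';
}

/* Draw the two bytes from /dev/urandom (assumed available).  Returns 0 on
 * success, -1 if the device could not be read. */
int make_random_salt(char out[3])
{
    unsigned char rnd[2];
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t n = fread(rnd, 1, sizeof rnd, f);
    fclose(f);
    if (n != sizeof rnd)
        return -1;
    salt_from_bytes(rnd, out);
    return 0;
}

/* The salt formula from the PR's patch, reproduced so it can be checked:
 * 'a' + r0 % 26 stays within the alphabet, but 'Z' + r1 % 26 runs past 'Z'
 * into [ \ ] ^ _ ` for r1 % 26 in 1..6, which crypt(3) does not accept. */
void patch_salt(int r0, int r1, char out[3])
{
    out[0] = 'a' + r0 % 26;
    out[1] = 'Z' + r1 % 26;
    out[2] = '\0';
}

/* Count how many of the 26 possible second characters produced by the
 * patch formula fall outside the salt alphabet. */
int patch_invalid_count(void)
{
    int bad = 0;
    for (int r = 0; r < 26; r++) {
        char s[3];
        patch_salt(0, r, s);
        if (!salt_is_valid(s))
            bad++;
    }
    return bad;
}

int main(void)
{
    char salt[3];
    if (make_random_salt(salt) != 0) {
        fprintf(stderr, "cannot read /dev/urandom\n");
        return 1;
    }
    printf("random salt: %s (valid=%d)\n", salt, salt_is_valid(salt));
    printf("patch formula yields %d invalid salts out of 26\n",
           patch_invalid_count());
    return 0;
}
```

The generated salt is what would be passed as the second argument of crypt(3) in place of the patch's `salt` array; the validator is the check a reviewer would run over any candidate formula before trusting the hash it produces.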