FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

OPIE -- arbitrary password change

Affected systems
6.0 <= FreeBSD < 6.0_6
5.4 <= FreeBSD < 5.4_13
5.3 <= FreeBSD < 5.3_28
4.11 <= FreeBSD < 4.11_16
4.10 <= FreeBSD < 4.10_22

Details

VuXML ID e93bc5b0-bb2e-11da-b2fb-000e0c2e438a
Discovery 2006-03-22
Entry 2006-03-24
Modified 2006-06-09

Problem Description

The opiepasswd(1) program uses getlogin(2) to identify the user calling opiepasswd(1). In some circumstances getlogin(2) will return "root" even when running as an unprivileged user. This causes opiepasswd(1) to allow an unpriviled user to configure OPIE authentication for the root user.

Impact

In certain cases an attacker able to run commands as a non privileged users which have not explicitly logged in, for example CGI scripts run by a web server, is able to configure OPIE access for the root user. If the attacker is able to authenticate as root using OPIE authentication, for example if "PermitRootLogin" is set to "yes" in sshd_config or the attacker has access to a local user in the "wheel" group, the attacker can gain root privileges.

Workaround

Disable OPIE authentication in PAM:

# sed -i "" -e /opie/s/^/#/ /etc/pam.d/*

or

Remove the setuid bit from opiepasswd:

# chflags noschg /usr/bin/opiepasswd
# chmod 555 /usr/bin/opiepasswd
# chflags schg /usr/bin/opiepasswd

References

CVE Name CVE-2006-1283
FreeBSD Advisory SA-06:12.opie