Source: cve@mitre.org
dxchpwd in Digital Unix (OSF/1) 3.x allows local users to modify arbitrary files via a symlink attack on the dxchpwd.log file.
Digital Unix (OSF/1) 3.x is vulnerable to a symlink attack via the dxchpwd utility, allowing local attackers to overwrite arbitrary files. This vulnerability enables privilege escalation by manipulating the dxchpwd.log file, potentially leading to complete system compromise. Successful exploitation could result in data exfiltration, system instability, and denial of service.
Step 1: Symlink Creation: The attacker creates a symbolic link named dxchpwd.log that points to a target file (e.g., /etc/shadow).
Step 2: Utility Execution: The attacker triggers the dxchpwd utility (e.g., by changing their password).
Step 3: Race Condition: The dxchpwd utility attempts to open and write to dxchpwd.log. Due to the symlink, it actually opens and writes to the attacker-controlled target file (e.g., /etc/shadow).
Step 4: File Overwrite: The utility writes log data (or potentially crafted data) to the target file, overwriting its contents.
Step 5: Privilege Escalation: If the target file is a critical system file like /etc/shadow, the attacker can then modify the file to gain root access.
The vulnerability stems from a race condition in the dxchpwd utility. The utility, when logging password changes, writes to a log file (dxchpwd.log). An attacker can create a symbolic link (symlink) pointing dxchpwd.log to another critical system file (e.g., /etc/shadow, /etc/passwd). The dxchpwd utility, lacking proper input validation and file access checks, will then write to the target file specified by the symlink. This allows an attacker to overwrite sensitive files, potentially gaining root privileges by modifying the password hashes in /etc/shadow or adding a new user with elevated privileges to /etc/passwd. The root cause is the utility's failure to verify the target of the log file before writing to it, combined with the inherent time-of-check to time-of-use (TOCTOU) vulnerability of symlink attacks.
This vulnerability is not directly associated with specific APT groups due to its age and the targeted nature of Digital Unix. However, it's a technique that could be employed by any attacker with access to a vulnerable system. It's unlikely to be on the CISA KEV list due to its age and the limited number of affected systems.
Monitor file system activity for unexpected symlink creations, especially those targeting system files in /etc or /var/log.
Analyze system logs for suspicious activity related to dxchpwd or password changes, particularly if accompanied by file modification events.
Implement file integrity monitoring (FIM) to detect unauthorized modifications to critical system files (e.g., /etc/shadow, /etc/passwd).
Review audit logs for unusual file access patterns, especially those involving dxchpwd and sensitive files.
Network traffic analysis: While not directly detectable via network traffic, unusual activity on the system after a password change could be a sign of exploitation.
Upgrade to a patched version of Digital Unix (OSF/1) that addresses the symlink vulnerability. This is likely the most effective solution, but may not be feasible.
If upgrading is not possible, apply the vendor-provided patch or workaround, if available.
Implement strict file permissions on critical system files to limit write access to authorized users and processes.
Regularly review and audit system logs to identify and investigate suspicious activity.
Implement file integrity monitoring (FIM) to detect unauthorized modifications to critical system files.
Disable or restrict access to the dxchpwd utility if it's not essential for system operation. Consider using alternative password management tools.
Educate system administrators and users about the risks of symlink attacks and the importance of secure coding practices.