Source: cve@mitre.org
passwd in SunOS 4.1.x allows local users to overwrite arbitrary files via a symlink attack and the -F command line argument.
SunOS 4.1.x systems are vulnerable to a critical local privilege escalation via a symlink attack against the passwd utility. This allows attackers to overwrite arbitrary files, potentially gaining root access and complete control of the compromised system. The vulnerability is easily exploitable and poses a significant risk to legacy systems still in operation.
Step 1: Symlink Creation: The attacker creates a symbolic link (e.g., attacker_link) that points to a sensitive system file like /etc/passwd or /etc/shadow.
Step 2: User Context: The attacker must have a valid user account on the target system, or be able to create one.
Step 3: Triggering passwd: The attacker executes the passwd command, typically with the -F option (e.g., passwd -F <username>). This forces a password change, which, due to the vulnerability, will write to the target file.
Step 4: File Overwrite: The passwd utility, unaware of the symlink, attempts to write the new password information to the file pointed to by the symbolic link. This overwrites the contents of the targeted file.
Step 5: Privilege Escalation: If the attacker targeted /etc/passwd or /etc/shadow, they can potentially add a new user with root privileges, or modify an existing user's password to gain root access.
The vulnerability stems from a symlink race condition within the passwd utility in SunOS 4.1.x. The -F command-line argument, intended for forcing password changes, fails to properly handle symbolic links. An attacker can create a symbolic link pointing to a critical system file (e.g., /etc/passwd, /etc/shadow) and then trigger the passwd utility with the -F option. The utility, unaware of the symlink, will attempt to write to the target file, effectively overwriting it with attacker-controlled data. This is a classic example of insecure file operations and a lack of proper input validation and path sanitization. The root cause is the passwd utility's failure to resolve symbolic links before writing, leading to the overwriting of arbitrary files.
Due to the age of this vulnerability, it is unlikely to be actively targeted by sophisticated APTs. However, it could be used by opportunistic attackers or as part of a larger attack chain. The vulnerability is not listed on the CISA KEV catalog due to its age and the limited number of affected systems.
Monitor system logs for suspicious passwd command invocations, especially those using the -F flag.
Analyze file system activity for unexpected modifications to critical system files like /etc/passwd, /etc/shadow, and /etc/group.
Implement file integrity monitoring to detect unauthorized changes to system files.
Network monitoring for unusual login attempts or password reset requests.
Upgrade to a patched version of SunOS or a supported operating system. This is the most effective solution.
If upgrading is not possible, apply vendor-provided patches or security updates.
Restrict access to the passwd utility to only authorized users.
Implement file system permissions that prevent unauthorized modification of critical system files.
Regularly audit user accounts and system configurations for vulnerabilities.