J-Security Center

Title: FreeBSD rmuser Password Hash Disclosure Vulnerability

Severity: MODERATE

Description:

FreeBSD ships with a Perl script called 'rmuser'. Administrators can use it to completely remove users from a system.

When rmuser is run, the 'passwd' and 'master.passwd' files must be updated. The rmuser script creates copies of these files and then modifies them. When complete, the original files are replaced with the updated copies.

The script explicitly sets an insecure umask, so the copies are created world-readable. If an attacker can anticipate the use of rmuser by an administrator, it may be possible to obtain the contents of 'master.passwd'. If successful, the attacker would obtain the password hashes of other users on the system. This information may assist in a brute-force password attack.

Exploitation of this vulnerability is extremely time dependent: the attack must be launched while rmuser is being used and while the world-readable copy exists (it is deleted by the script after the original files are overwritten).

Attacks against this utility may be more feasible on systems where 'rmuser' is run automatically at scheduled times (for example, on a server where an automated script removes ISP users with expired accounts).
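The weak pattern described above next to a hardened one, as an added Python illustration. It is not the rmuser Perl code; the umask value 022, the `.new` suffix, the function names and the sample passwd lines are assumptions constructed for the example.

```python
import os
import stat
import tempfile

# Constructed stand-in for master.passwd; the hash fields are placeholders.
SAMPLE = ("root:$1$constructed$placeholder:0:0::0:0:Admin:/root:/bin/csh\n"
          "alice:$1$constructed$placeholder:1001:1001::0:0:Alice:/home/alice:/bin/sh\n")

def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)  # permission bits, e.g. 0o644

def copy_loose(src, tmp):
    """Weak pattern: permissive umask + default open() = world-readable copy."""
    old = os.umask(0o022)  # assumed value; the advisory only says "insecure"
    try:
        with open(src) as fin, open(tmp, "w") as fout:
            fout.write(fin.read())
    finally:
        os.umask(old)
    return mode_of(tmp)

def copy_private(src, tmp):
    """Hardened pattern: created 0600 in one call; O_EXCL refuses an existing path."""
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fout, open(src) as fin:
        fout.write(fin.read())
    return mode_of(tmp)

def remove_user(src, user):
    """Drop `user` from src via a private working copy and an atomic rename."""
    tmp = src + ".new"
    copy_private(src, tmp)
    with open(tmp) as f:
        kept = [line for line in f if line.split(":", 1)[0] != user]
    with open(tmp, "w") as f:  # truncating an existing file keeps its 0600 mode
        f.writelines(kept)
    os.replace(tmp, src)  # atomic on one filesystem; no stray copy remains
    return mode_of(src)

def demo():
    with tempfile.TemporaryDirectory() as d:  # scratch directory, not /etc
        src = os.path.join(d, "master.passwd")
        fd = os.open(src, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write(SAMPLE)
        loose = copy_loose(src, src + ".loose")
        private = copy_private(src, src + ".private")
        mode = remove_user(src, "alice")
        with open(src) as f:
            return loose, private, mode, f.read()
```

`demo()` returns the mode of the loosely created copy, the mode of the private copy, the mode of the rewritten file and its contents, so the difference in exposure is visible in the permission bits.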

Affected Products:

  • FreeBSD FreeBSD 4.2.0
  • FreeBSD FreeBSD 4.3.0
