"ChangePassword modifies the passwords of passwd, Samba, and Squid through the Web. All passwords are synchronized and changed in real time through browsers like Mozilla, Netscape, IE, Opera, and others."
If changepassword.cgi is installed on a multiuser computer, any user with a local account on that computer can gain root on it.
Credit:
The information has been provided by Anand Khare.
Vulnerable Systems:
* ChangePassword version 0.8 and prior
Details:
A malicious local user can then read and modify every user's files, watch every running program, and so on.
(The attack does not work on Linux systems where /bin/sh drops setuid privileges, i.e. resets the effective UID to the real UID when the two differ; but changepassword.cgi itself does not work on those systems either, for the same reason.)
Here is the bug. Line 317 of changepassword.c, without cleaning its environment in any way, calls:
system("cd /var/yp && make &> /dev/null");
system() hands that string to /bin/sh with the caller's environment intact, so 'make' is located through whatever $PATH the caller supplied.
The package's Makefile installs changepassword.cgi setuid root (mode 4755), so the make it spawns runs as root. A local user can therefore point $PATH at a directory holding his own program named 'make', set $CONTENT_LENGTH to 512 and $REQUEST_METHOD to POST, and run the script from the command line, feeding it the following form data on standard input:
form_user=u&form_pw=p&form_new1=x&form_new2=x&
where 'u' is his own username and 'p' is his own valid password. The user's program named 'make' then runs with root privileges.
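As an added example (not ChangePassword's own code), here is how that system() call could be replaced so that nothing from the CGI caller's environment ever reaches make: fork and execve an absolute path with a fixed, minimal environment, and refuse relative program names outright. The make location (/usr/bin/make), the helper names and the demo functions are assumptions of this example, not details taken from the advisory.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed locations (not from the advisory): adjust to the target host. */
#define MAKE_PATH "/usr/bin/make"
#define YP_DIR    "/var/yp"

/* The only environment the child ever sees.  Nothing from the CGI's
 * caller (PATH, IFS, LD_PRELOAD, CONTENT_LENGTH, ...) is inherited. */
static char *const safe_envp[] = {
    "PATH=/usr/bin:/bin",
    NULL
};

/* Run prog with argv inside dir, under safe_envp, with stdout and stderr
 * sent to /dev/null.  prog must be an absolute path so no PATH search
 * happens.  Returns the child's exit status, or -1 on error (a relative
 * prog is refused before fork()). */
int run_fixed_env(const char *dir, const char *prog, char *const argv[])
{
    if (prog == NULL || prog[0] != '/') {
        errno = EINVAL;
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (chdir(dir) != 0)
            _exit(127);
        int fd = open("/dev/null", O_RDWR);
        if (fd >= 0) {
            dup2(fd, STDOUT_FILENO);
            dup2(fd, STDERR_FILENO);
            if (fd > STDERR_FILENO)
                close(fd);
        }
        execve(prog, argv, safe_envp);   /* does not return on success */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Drop-in replacement for the advisory's
 * system("cd /var/yp && make &> /dev/null"). */
int rebuild_nis_maps(void)
{
    char *const argv[] = { "make", NULL };
    return run_fixed_env(YP_DIR, MAKE_PATH, argv);
}

/* Demo: poison this process's environment the way the advisory's attacker
 * does, then check that a child started through run_fixed_env() still
 * sees only safe_envp.  Returns 1 if both attacker variables were dropped. */
int demo_attacker_env_is_dropped(void)
{
    setenv("PATH", "/tmp/attacker:/usr/bin:/bin", 1);   /* attacker's PATH */
    setenv("REQUEST_METHOD", "POST", 1);                /* attacker's CGI var */
    char *const argv[] = {
        "sh", "-c",
        "test \"$PATH\" = /usr/bin:/bin && test -z \"$REQUEST_METHOD\"",
        NULL
    };
    return run_fixed_env("/", "/bin/sh", argv) == 0;
}

/* Demo: a bare program name like the original's "make" is refused. */
int demo_relative_name_refused(void)
{
    char *const argv[] = { "make", NULL };
    return run_fixed_env("/", "make", argv) == -1;
}

int main(void)
{
    printf("attacker environment dropped: %s\n",
           demo_attacker_env_is_dropped() ? "yes" : "NO");
    printf("relative program name refused: %s\n",
           demo_relative_name_refused() ? "yes" : "NO");
    return 0;
}
```

The point of the design is that the child never performs a PATH lookup and never reads a variable the attacker controls; a real CGI would additionally want to drop the setuid bit where it can and keep the privileged work to exactly this one exec.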