search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Buffer overflow vulnerability in grpck command line utility

Vulnerability Note VU#121891

Original Release Date: 2002-01-04 | Last Revised: 2002-07-05

Overview

The CERT/CC has received a public report of a local buffer overflow vulnerability in the grpck utility.

Description

The grpck utility performs syntax checking of /etc/group and /etc/gshadow group information files. This utility contains a buffer overflow vulnerability in the section of code that parses command line arguments. By sending a command line argument string of approximately 3000 characters, it is possible to cause this utility to generate a segmentation fault. On systems where this utility is installed with setuid root privileges, it may be possible for local users to exploit this vulnerability to execute arbitrary code with superuser privileges.

This vulnerability has been reported to affect systems running IRIX and Linux, but other operating systems that include this setuid root utility are likely to be affected.

Impact

This vulnerability may allow a local user to execute arbitrary code with superuser privileges.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Clear the setuid bit of affected binaries

As a workaround, it is possible to limit the scope of this vulnerability by clearing the setuid bit of affected binaries with the chmod utility.

Vendor Information

121891
 
Expand all

Caldera Not Affected

Notified:  January 04, 2002 Updated: January 07, 2002

Status

Not Affected

Vendor Statement

OpenServer, Open UNIX and UnixWare do not ship pwck and grpck set{uid,gid}, therefore these operating systems are not vulnerable.

OpenLinux versions do include pwck and grpck, but they are neither setuid or setgid.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Conectiva Not Affected

Updated:  June 26, 2002

Status

Not Affected

Vendor Statement

Conectiva Linux is not vulnerable to this problem as we never shipped grpck SUID root.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD Not Affected

Notified:  January 04, 2002 Updated: January 24, 2002

Status

Not Affected

Vendor Statement

FreeBSD does not contain the `grpck' nor `pwck' utilities, and is therefore not vulnerable to VU#121891 nor VU#877811.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu Not Affected

Notified:  January 04, 2002 Updated: January 24, 2002

Status

Not Affected

Vendor Statement

Regarding VU#121891 and VU#877811, Fujitsu's UXP/V operating system is not vulnerable because it does not have the setuid attribute.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett Packard Not Affected

Notified:  January 04, 2002 Updated: January 24, 2002

Status

Not Affected

Vendor Statement

HP is not effected by this issue as presented to us.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM Not Affected

Notified:  January 04, 2002 Updated: January 24, 2002

Status

Not Affected

Vendor Statement

IBM has tested and examined the commands and code regarding pwdck and grpck. We do not believe they are vulnerable to the command-line buffer-overflow exploits mentioned in VU#121891 and VU#877811.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetBSD Not Affected

Notified:  January 04, 2002 Updated: January 07, 2002

Status

Not Affected

Vendor Statement

NetBSD does not ship with pwck or grpck, and is therefore not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Openwall Not Affected

Updated:  July 05, 2002

Status

Not Affected

Vendor Statement

Openwall GNU/*/Linux is not vulnerable. We install the pwck and grpck utilities mode 700 (that is, restricted to just root).

The buffer overflow is fixed in shadow-4.0.0 and thus in Owl-current after 2001/11/12. It has never been a security issue for us and for most (all?) other Linux distributions and thus hasn't been handled as such.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat Inc. Not Affected

Notified:  January 04, 2002 Updated: January 08, 2002

Status

Not Affected

Vendor Statement

We are not vulnerable to this vulnerability in any release of Red Hat Linux, as we do not ship either of these utilities SUID.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI Not Affected

Notified:  January 04, 2002 Updated: January 07, 2002

Status

Not Affected

Vendor Statement

Pwck and grpck are not distributed as suid, and we have not been able to replicate the problem as it has been described to us.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems Inc. Not Affected

Notified:  January 04, 2002 Updated: January 07, 2002

Status

Not Affected

Vendor Statement

Sun does not ship grpck with any additional privileges in Solaris so Sun is not affected by this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple Computer Inc. Unknown

Notified:  January 04, 2002 Updated: January 04, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

BSDI Unknown

Notified:  January 04, 2002 Updated: January 04, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Compaq Computer Corporation Unknown

Notified:  January 04, 2002 Updated: January 04, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Data General Unknown

Notified:  January 04, 2002 Updated: January 04, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian Unknown

Notified:  January 04, 2002 Updated: January 04, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MandrakeSoft Unknown

Notified:  January 04, 2002 Updated: January 04, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NEC Corporation Unknown

Notified:  January 04, 2002 Updated: January 04, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD Unknown

Notified:  January 04, 2002 Updated: January 04, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sony Corporation Unknown

Notified:  January 04, 2002 Updated: January 04, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Unisys Unknown

Notified:  January 04, 2002 Updated: January 04, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

View all 21 vendors View less vendors


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was reported to several SecurityFocus mailing lists on 01/02/2002 by blackshell@hushmail.com.

This document was written by Jeffrey P. Lanza.

Other Information

CVE IDs: None
Severity Metric: 10.69
Date Public: 2002-01-02
Date First Published: 2002-01-04
Date Last Updated: 2002-07-05 21:19 UTC
Document Revision: 22

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis