11th Aug 1998 [SBWID-66]
COMMAND
	    chpass
SYSTEMS AFFECTED
	    OpenBSD 2.3 (and below)
PROBLEM
	    Due to an implementation problem involving file descriptor leakage
	    across processes, it is possible to exploit the "chpass" command
	    to gain superuser privileges on OpenBSD 2.3.

	    The "chpass" command allows unprivileged users to edit database
	    information associated with their account. Chpass assembles a
	    collection of information that can be edited in a file, allows the
	    user to modify it with the editor of their choice, and then
	    commits the modified information back to the password database.
	    Chpass is an SUID program. It functions by creating a temporary
	    copy of the password database, spawning an editor to display and
	    modify user account information, and then committing the
	    information into the temporary password file copy, which is then
	    used to rebuild the password database. In OpenBSD 2.3, an
	    implementation flaw causes the temporary password file copy to
	    become accessible to the spawned editor process and its children.
	    An attacker can use this access to modify the information in the
	    temporary copy. The tainted copy is used to rebuild the password
	    database, allowing the attacker to modify "root"'s account
	    information and gain superuser access.

	    This problem exists due to file descriptor leakage between the
	    "chpass" program, which is a security-critical SUID program, and
	    the user's editor program. Because the file descriptor
	    corresponding to the temporary password file copy is not closed
	    when the editor is executed, the editor program (and its
	    descendants) has write access to it. Unix programs spawn other
	    programs by executing two system calls, fork() and execve(). The
	    fork() system call creates a copy of the calling process, and the
	    execve() call loads and runs an executable program in the new
	    process. Because fork()'d copies of a process inherit all the open
	    file descriptors of their parent, care must be taken to ensure
	    that sensitive files are closed before programs are executed in
	    them. To simplify the task of ensuring that file descriptors
	    aren't leaked to descendant processes, Unix systems support the
	    "close-on-exec" flag, which, when applied to a file descriptor,
	    forces the operating system to close the descriptor when the
	    execve() system call is executed. OpenBSD 2.3 does not utilize
	    this functionality to safeguard the password file copy.

	    The password file copy is not meant to be written to before the
	    user's editor closes. After the user is finished editing their
	    account information, the original password file is copied over
	    into the temporary file, overwriting its contents. Thus, attackers
	    cannot simply write information into the temporary file with shell
	    commands. There are two simple ways to work around this problem.
	    First, an attacker can write a program which continually writes
	    information to the beginning of the temporary file, overwriting
	    the information copied in from the original password file.
	    Secondly, an attacker can write information past the end of the
	    original password file, allowing new accounts (with superuser
	    privileges) to be created.
SOLUTION
	    This problem has been resolved in OpenBSD-current, and a source
	    code patch is available at the OpenBSD website at:
	
	        ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.3/common/chpass.patch
	
	    The OpenBSD patch applies the close-on-exec flag to files opened
	    by chpass, preventing them from being accessible to the user's
	    editor.
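	    The following C program is an added illustration of the fix, not
	    code from this advisory or from the OpenBSD patch. It opens a
	    scratch file the way a privileged program opens its temporary
	    copy, spawns /bin/sh as a stand-in for the user's editor, and
	    checks whether the child can write through the inherited
	    descriptor first without and then with FD_CLOEXEC. The temp path
	    and the function names are assumptions made for the example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
/* Open a scratch file the way chpass opens its temporary password copy.
 * With cloexec != 0 the descriptor gets FD_CLOEXEC, so execve() closes it. */
static int open_temp(const char *path, int cloexec)
{
    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    if (cloexec && fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) { close(fd); return -1; }
    return fd;
}

/* Spawn an "editor" (/bin/sh) that tries to write through the inherited
 * descriptor number, then check whether the file changed.  Returns 1 if the
 * child could write (the descriptor leaked), 0 if not, -1 on error.
 * Assumes fd < 10 so that the shell's >&N redirection accepts it. */
static int editor_can_write(const char *path, int fd)
{
    char cmd[64], buf[32] = {0};
    snprintf(cmd, sizeof cmd, "echo tainted 2>/dev/null >&%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                /* child: becomes the untrusted editor */
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, NULL, 0) < 0) return -1;
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    return n > 0 && strstr(buf, "tainted") != NULL;
}

/* Returns 1 when the plain open leaks the file and the FD_CLOEXEC one does not. */
int demo_cloexec(void)
{
    const char *path = "/tmp/sbwid66_demo.tmp";   /* constructed sample path */
    int fd = open_temp(path, 0);
    int leaked = editor_can_write(path, fd);
    close(fd);
    fd = open_temp(path, 1);                      /* O_TRUNC clears the file */
    int safe = editor_can_write(path, fd);
    close(fd);
    unlink(path);
    return leaked == 1 && safe == 0;
}
```

	    The same effect can be had with O_CLOEXEC on open(), where the
	    platform supports it; setting the flag in a separate fcntl() call
	    leaves a small window in a multithreaded program.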
	
