[local] [control] ChangePassword 0.8 runs setuid shell

Ariel Berkman, a student in my Fall 2004 UNIX Security Holes course,
has discovered a locally exploitable security hole in ChangePassword, a
YP/Samba/Squid password-changing tool. I'm publishing this notice, but
all the discovery credits should be assigned to Berkman.

If changepassword.cgi is installed on a multiuser computer, any user
with an account on the computer can seize control of the computer. He
can read and modify every user's files, watch all programs running, etc.
(The attack doesn't work on Linux systems where /bin/sh drops setuid,
but changepassword.cgi itself doesn't work on those systems.)

Here's the bug: Line 317 of changepassword.c, without cleaning its
environment in any way, calls system("cd /var/yp && make &> /dev/null");
the Makefile arranges for changepassword.cgi to be setuid root (mode
4755). A user can set $PATH to point to his own make program, set
$CONTENT_LENGTH to 512, set $REQUEST_METHOD to POST, and feed

   form_user=u&form_pw=p&form_new1=x&form_new2=x&

to changepassword.cgi, where u is his username and p is his password.
The user's make program then runs with root privileges.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago

P.S. Berkman comments that there are several buffer overflows in main(),
but that exploiting these buffer overflows isn't trivial since main()
never returns.