tech-security archive


NetBSD Security Advisory 2011-008: OpenPAM privilege escalation




                 NetBSD Security Advisory 2011-008
                 =================================

Topic:          OpenPAM privilege escalation


Version:        NetBSD-current:         affected prior to 20111109
                NetBSD 5.1:             affected prior to 20111119
                NetBSD 5.0:             affected prior to 20111119
                NetBSD 4.0.*:           affected prior to 20111119
                NetBSD 4.0:             affected prior to 20111119
                pkgsrc:                 security/openpam package prior to
                                        20111213


Severity:       Privilege escalation


Fixed:          NetBSD-current:         Nov 9th, 2011
                NetBSD-5-1 branch:      Nov 19th, 2011
                NetBSD-5-0 branch:      Nov 19th, 2011
                NetBSD-5 branch:        Nov 19th, 2011
                NetBSD-4-0 branch:      Nov 19th, 2011
                NetBSD-4 branch:        Nov 19th, 2011
                pkgsrc security/openpam: openpam-20071221nb1

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

The pam_start() function of OpenPAM does not validate the "service"
argument. Given a service name that is a relative path, it can be
tricked into reading a config file from an arbitrary location.
NetBSD base utilities pass fixed constant strings. Third-party
programs which run with elevated privileges and accept user-chosen
service names open an attack vector.

This vulnerability has been assigned CVE-2011-4122.


Technical Details
=================

Known 3rd party programs which allow user chosen PAM service names are:
- "kcheckpass" from KDE3/4 (installed as SUID by default)
- the "pam_auth" helper of "squid" (not SUID by default, but might
  be by the administrator's choice)
- "saslauthd" from cyrus-sasl, if built with PAM support, is suspected
  to accept a PAM service name through its communication socket
  (not verified in detail; pkgsrc/security/cyrus-saslauthd does not
  support PAM)

Also see the initial post about the problem:
http://c-skills.blogspot.com/2011/11/openpam-trickery.html
An exploit which uses KDE's "kcheckpass" is here:
http://stealth.openwall.net/xSports/pamslam


Solutions and Workarounds
=========================

Update NetBSD's libpam to one of the versions listed above, or install
a version of the 3rd party software with a fix for the issue.
Fixed versions in pkgsrc are:
kdebase-3.5.10nb16
kdebase-workspace4-4.5.5nb4
squid-2.7.9nb2
squid-3.1.16nb1
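For third-party programs that must accept a caller-supplied service name, the
following is an added example (not NetBSD, OpenPAM or any of the listed
packages' code) of a check applied before the name reaches pam_start(). The
policy it enforces is an assumption for this example: a short name made only of
letters, digits, '-' and '_', so it can never be interpreted as a path.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Upper bound on an accepted service name; an assumption for this example,
 * not an OpenPAM constant. */
#define SERVICE_NAME_MAX 64

/*
 * Return true if `service` is safe to hand to pam_start().
 * Accepts only a non-empty name of at most SERVICE_NAME_MAX characters made
 * of ASCII letters, digits, '-' and '_'. Anything containing '/', '.' or
 * other characters is rejected, so neither "../x" nor "/tmp/x" can get
 * through and be resolved as a relative or absolute config file path.
 */
bool pam_service_name_ok(const char *service)
{
    if (service == NULL)
        return false;

    size_t len = 0;
    for (const char *p = service; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '-' || c == '_'))
            return false;
        if (++len > SERVICE_NAME_MAX)
            return false;
    }
    return len > 0;
}

/*
 * Pick the service name a privileged helper will actually use. If the
 * requested name fails the check, fall back to a fixed constant supplied by
 * the program (the pattern the NetBSD base utilities follow by always passing
 * constant strings) rather than forwarding user input to pam_start().
 */
const char *choose_pam_service(const char *requested, const char *fallback)
{
    return pam_service_name_ok(requested) ? requested : fallback;
}
```

The returned name is what a helper such as a password checker would pass as the first argument of pam_start(); a rejected request should be logged and refused rather than silently retried with a different path.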


Thanks To
=========

Thanks to "Icke" for reporting the issue.


Revision History
================

        2011-12-15      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2011-008.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .

Copyright 2011, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2011-008.txt,v 1.1 2011/12/15 13:52:31 tonnerre Exp $

