.------------------------------------------------.
|**** Project Independence Security Advisory ****|
`-----------* ID: PISA-21-NOV-99-004 *-----------'

Issued by:  David Webster
Issue Date: 05-JAN-00
Overview:   Security bug in usermode and pam
Affected:   Independence Release 6.0-0.8 (Redhat 6.0)

References:
  RedHat Security Advisory: RHSA-2000:001-01
  L0pht Security Advisory PamSlam
    [ http://www.lopht.com/advisories/pam_advisory ]

-=-=-==-=-=-

Detailed Problem Description:

The combination of the fact that both userhelper and PAM follow .. paths allows us to craft a file that causes userhelper (by way of PAM) to dlopen any shared object we want as root.

The exploit is simple, and utilizes the '-w' option of userhelper, which lets us specify a program to run with the privileges designated by PAM. userhelper tries to execute only programs that have entries in /etc/security/console.apps, but since we get to specify the name, something like ../../../tmp/myprog gets us a file open path that looks like /etc/security/console.apps/../../../tmp/myprog. "strcat" is not a good way to keep a filename below a directory!

After this hurdle, PAM is called to start up the binary, and it does the same thing, looking for the filename in /etc/pam.d. If we've placed a rogue pam.d configuration file in /tmp/myprog, then it can be pointed to /etc/pam.d/../../../tmp/myprog. In the pam.d configuration file, we get to pick a few shared libraries to dlopen, so at this point, we get root.

The following exploit demonstrates this vulnerability by creating a 'rootshell library' that creates a shell when dlopened, creating a pam.d-style configuration file, and then running userhelper with the appropriately dotted path.

Solution:

Update the affected RPM packages by downloading and installing the RPMs listed below. For each RPM, run:

  root# rpm -Uvh <filename>

where <filename> is the name of the RPM.

[Note: You need only install EITHER the compiled RPM (*.i386.rpm) OR the source RPM (*.src.rpm), NOT both.]

RPMs:
  http://independence.seul.org/security/2000/rpms/pam-0.68-10.i386.rpm
  ftp://updates.redhat.com/6.1/i386/pam-0.68-10.i386.rpm
  http://independence.seul.org/security/2000/rpms/usermode-1.17-1.i386.rpm
  ftp://updates.redhat.com/6.1/i386/usermode-1.17-1.i386.rpm
  http://independence.seul.org/security/2000/rpms/SysVinit-2.77-2.i386.rpm
  ftp://updates.redhat.com/6.0/i386/SysVinit-2.77-2.i386.rpm

Source RPMs:
  http://independence.seul.org/security/2000/rpms/pam-0.68-10.src.rpm
  ftp://updates.redhat.com/6.1/SRPMS/pam-0.68-10.src.rpm
  http://independence.seul.org/security/2000/rpms/usermode-1.17-1.src.rpm
  ftp://updates.redhat.com/6.1/SRPMS/usermode-1.17-1.src.rpm
  http://independence.seul.org/security/2000/rpms/SysVinit-2.77-2.src.rpm
  ftp://updates.redhat.com/6.0/SRPMS/SysVinit-2.77-2.src.rpm

These packages are GPG signed by Red Hat, Inc. for security. Their key is available at:

  http://www.redhat.com/corp/contact.html

You can verify each package with the following command:

  rpm --checksig <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command:

  rpm --checksig --nogpg <filename>

This security advisory, and all future ones, should be signed by me, David Webster (aka cognition), with key ID 45 FA C2 83, which is available from [http://www.cognite.net/pgp.html] and most good PGP key servers.

An archive of these messages can currently be found on:

  http://independence.seul.org/security/

A process of automatic retrieval is being worked on.

[Note: Thanks go to dildog@l0pht.com, from l0pht, and to RedHat for finding and fixing these holes.]

.---------------------------------------------------.
| Any problems regarding this, or future advisories |
| should be emailed to me:                          |
`---------------------------------------------------'
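As an added illustration of the fix the advisory calls for (not code from the advisory, usermode or PAM): a hypothetical replacement for the strcat()-style path building described above. It accepts a service name only when it is one plain path component, so neither the console.apps lookup nor the pam.d lookup can be steered out of its directory with "..". The directory constant and function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical hardened replacement for the strcat()-style path building the
 * advisory criticises: a service name is accepted only if it is one plain
 * path component, so "<dir>/<name>" can never leave <dir>. */
#define CONSOLE_APPS_DIR "/etc/security/console.apps"

/* Returns 1 if name is a safe single path component, 0 otherwise. */
int is_safe_service_name(const char *name)
{
    size_t i, len;
    if (name == NULL || (len = strlen(name)) == 0 || len > 64)
        return 0;                       /* missing, empty or oversized */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        /* '/' is exactly what ../../../tmp/myprog relies on; rejecting it
         * (and any other unusual byte) makes traversal impossible. */
        if (!(isalnum(c) || c == '-' || c == '_' || c == '.'))
            return 0;
    }
    return 1;
}

/* Writes "<dir>/<name>" into out. Returns 0 on success, -1 if the name is
 * rejected or the buffer is too small (out is left untouched then). */
int build_service_path(const char *dir, const char *name,
                       char *out, size_t outlen)
{
    if (!is_safe_service_name(name))
        return -1;
    if (strlen(dir) + 1 + strlen(name) + 1 > outlen)   /* dir '/' name NUL */
        return -1;
    snprintf(out, outlen, "%s/%s", dir, name);
    return 0;
}

int main(void)
{
    char path[256];
    const char *probe = "../../../tmp/myprog";      /* the advisory's example */
    if (build_service_path(CONSOLE_APPS_DIR, probe, path, sizeof path) == 0)
        printf("accepted: %s\n", path);
    else
        printf("rejected: %s\n", probe);
    return 0;
}
```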