PISA-05-JAN-00-000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
.------------------------------------------------.
|**** Project Independence Security Advisory ****|
`-----------* ID: PISA-21-NOV-99-004 *-----------'
Issued by: David Webster <cognition@bigfoot.com>
Issue Date: 05-JAN-00
Overview: Security bug in usermode and pam
Affected: Independence Release 6.0-0.8 (Redhat 6.0)
References: RedHat Security Advisory: RHSA-2000:001-01
            L0pht Security Advisory PamSlam
            [ http://www.lopht.com/advisories/pam_advisory ]
-=-=-==-=-=-
Detailed Problem Description:
Both userhelper and PAM follow '..' path components when they build a
file name from a caller-supplied name. Together, this lets us craft a
file that causes userhelper (by way of PAM) to dlopen any shared object
we want as root. The exploit is simple, and uses the '-w' option of
userhelper, which lets us name a program to run with the privileges
designated by PAM. userhelper tries to execute only programs that have
entries in /etc/security/console.apps, but since we get to specify the
name, something like ../../../tmp/myprog gets us a file open path of
/etc/security/console.apps/../../../tmp/myprog. "strcat" is not a good
way to keep a filename below a directory!
After this hurdle, PAM is called to start up the binary, and it does
the same thing, looking for a file named after the service in
/etc/pam.d. If we've placed a rogue pam.d configuration file at
/tmp/myprog, PAM can be pointed at /etc/pam.d/../../../tmp/myprog. In
that configuration file we get to pick the shared libraries (PAM
modules) that are dlopened, so at this point we get root.
The PamSlam exploit referenced above demonstrates this vulnerability by
creating a 'rootshell library' that spawns a shell when dlopened,
writing a pam.d-style configuration file, and then running userhelper
with the appropriately dotted path.
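The two lookups described above, as an added illustration that is not code from userhelper, PAM, the advisory, or the vendor fix (function and constant names are hypothetical): the strcat-style concatenation that lets a dotted name escape /etc/security/console.apps or /etc/pam.d, next to a check that refuses anything other than a single path component. The check shown is the general principle, not necessarily the exact change in the updated packages.

```c
/*
 * Added example, not code from userhelper, PAM, the advisory, or the
 * vendor patch: the strcat-style lookup the advisory describes next to a
 * hardened one that treats the caller-supplied name as exactly one path
 * component. Function and constant names here are hypothetical.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CONSOLE_APPS_DIR "/etc/security/console.apps/"
#define PAM_DIR          "/etc/pam.d/"

/* Plain concatenation: dir + name, nothing more. Returns a malloc'd string. */
static char *join_path(const char *dir, const char *name)
{
    char *path = malloc(strlen(dir) + strlen(name) + 1);
    if (path == NULL)
        return NULL;
    strcpy(path, dir);
    strcat(path, name);
    return path;
}

/* Vulnerable lookup: the caller-supplied name is appended verbatim, so a
 * name such as "../../../tmp/myprog" resolves outside dir. */
char *lookup_vulnerable(const char *dir, const char *name)
{
    return join_path(dir, name);
}

/* A service/application name must be a single, non-hidden path component:
 * non-empty, no '/', no leading '.', and only [A-Za-z0-9._-]. Rejecting
 * '/' alone already defeats "../", but the leading-dot rule also refuses
 * "." and ".." themselves. Returns 1 if acceptable, 0 otherwise. */
int service_name_ok(const char *name)
{
    size_t i, n;

    if (name == NULL || name[0] == '\0' || name[0] == '.')
        return 0;
    n = strlen(name);
    if (n > 255)                       /* one NAME_MAX-sized component */
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/')
            return 0;
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Hardened lookup: validate first, then concatenate. Returns NULL for any
 * name that could leave dir. */
char *lookup_hardened(const char *dir, const char *name)
{
    if (!service_name_ok(name))
        return NULL;
    return join_path(dir, name);
}

/* Demonstration on the advisory's example name. */
int main(void)
{
    const char *evil = "../../../tmp/myprog";
    char *p;

    p = lookup_vulnerable(CONSOLE_APPS_DIR, evil);
    printf("vulnerable userhelper path: %s\n", p);
    free(p);

    p = lookup_hardened(CONSOLE_APPS_DIR, evil);
    printf("hardened userhelper path:   %s\n", p ? p : "(rejected)");
    free(p);

    p = lookup_hardened(PAM_DIR, "myprog");
    printf("hardened pam.d path:        %s\n", p ? p : "(rejected)");
    free(p);
    return 0;
}
```

Build with cc -std=c99 -Wall. The same validator serves both the userhelper and the PAM lookup, since both treat the supplied name as a file under a fixed directory; whichever of the two programs is patched, the other must apply the same rule or the dotted name still reaches dlopen.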
Solution:
Update the affected RPM packages by downloading and
installing the RPMs listed below. For each RPM, run:
root# rpm -Uvh <filename>
where <filename> is the name of the RPM.
[Note: You need only install EITHER the compiled RPM,
(*.i386.rpm) OR the source RPM, (*.src.rpm), NOT both.]
RPMs:
http://independence.seul.org/security/2000/rpms/pam-0.68-10.i386.rpm
ftp://updates.redhat.com/6.1/i386/pam-0.68-10.i386.rpm
http://independence.seul.org/security/2000/rpms/usermode-1.17-1.i386.rpm
ftp://updates.redhat.com/6.1/i386/usermode-1.17-1.i386.rpm
http://independence.seul.org/security/2000/rpms/SysVinit-2.77.i386.rpm
ftp://updates.redhat.com/6.0/i386/SysVinit-2.77-2.i386.rpm
Source RPMs:
http://independence.seul.org/security/2000/rpms/pam-0.68-10.src.rpm
ftp://updates.redhat.com/6.1/SRPMS/pam-0.68-10.src.rpm
http://independence.seul.org/security/2000/rpms/usermode-1.17-1.src.rpm
ftp://updates.redhat.com/6.1/SRPMS/usermode-1.17-1.src.rpm
http://independence.seul.org/security/2000/rpms/SysVinit-2.77.src.rpm
ftp://updates.redhat.com/6.0/SRPMS/SysVinit-2.77-2.src.rpm
These packages are GPG signed by Red Hat, Inc. for security.
Their key is available at: http://www.redhat.com/corp/contact.html
You can verify each package with the following command:
rpm --checksig <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
rpm --checksig --nogpg <filename>
This security advisory, and all future ones, should be signed by me,
David Webster (aka cognition), with key ID: 45 FA C2 83,
which is available from [http://www.cognite.net/pgp.html]
and most good PGP key servers.
An archive of these messages can currently be found at:
http://independence.seul.org/security/
A process for automatic retrieval is being worked on.
[Note: Thanks go to dildog@l0pht.com, from l0pht, and to RedHat for finding
and fixing these holes.]
.---------------------------------------------------.
| Any problems regarding this, or future advisories |
| should be emailed to me: <cognition@bigfoot.com> |
`---------------------------------------------------'
-----BEGIN PGP SIGNATURE-----
Comment: David Webster (aka cogNiTioN) <http://www.cognite.net/>
iD8DBQE4cxznDdLNO0X6woMRAifGAJ9+/VlafWxcBdgxeq/2FC6RPKcKMACg0NgD
VYVP6dHL7kJ7ug9cHV5gENc=
=Jf20
-----END PGP SIGNATURE-----