16 Dec 2011 01:00
NetBSD Security Advisory 2011-008: OpenPAM privilege escalation
NetBSD Security Officer <security-officer <at> NetBSD.org>
2011-12-16 00:00:14 GMT
2011-12-16 00:00:14 GMT
NetBSD Security Advisory 2011-008 ================================= Topic: OpenPAM privilege escalation Version: NetBSD-current: affected prior to 20111109 NetBSD 5.1: affected prior to 20111119 NetBSD 5.0: affected prior to 20111119 NetBSD 4.0.*: affected prior to 20111119 NetBSD 4.0: affected prior to 20111119 pkgsrc: security/openpam package prior to 20111213 Severity: Privilege escalation Fixed: NetBSD-current: Nov 9th, 2011 NetBSD-5-1 branch: Nov 19th, 2011 NetBSD-5-0 branch: Nov 19th, 2011 NetBSD-5 branch: Nov 19th, 2011 NetBSD-4-0 branch: Nov 19th, 2011 NetBSD-4 branch: Nov 19th, 2011 pkgsrc security/openpam: openpam-20071221nb1 Please note that NetBSD releases prior to 4.0 are no longer supported. It is recommended that all users upgrade to a supported release. Abstract ======== The pam_start() function of OpenPAM doesn't check the "service" argument. With a relative path it can be tricked into reading a config file from an arbitrary location. NetBSD base utilities pass fixed constant strings. 3rd party programs which run with elevated privileges and allow user chosen strings open an attack vector. This vulnerability has been assigned CVE-2011-4122. Technical Details ================= Known 3rd party programs which allow user chosen PAM service names are: -"kcheckpass" from KDE3/4 (installed as SUID per default) -the "pam_auth" helper of "squid" (not SUID per default, but might be by administator's choice) -"saslauthd" from cyrus-sasl, if built with PAM support, is suspected to accept a PAM service name through its communication socket (not verified in detail; pkgsrc/security/cyrus-saslauthd does not support PAM) Also see the initial post about the problem: http://c-skills.blogspot.com/2011/11/openpam-trickery.html An exploit which uses KDE's "kcheckpass" is here: http://stealth.openwall.net/xSports/pamslam Solutions and Workarounds ========================= Update NetBSD's libpam to one of the versions listed above, or install a version of the 3rd party software with a fix for the issue. Fixed versions in pkgsrc are: kdebase-3.5.10nb16 kdebase-workspace4-4.5.5nb4 squid-2.7.9nb2 squid-3.1.16nb1 Thanks To ========= Thanks to "Icke" for reporting the issue. Revision History ================ 2011-12-15 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2011-008.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ . Copyright 2011, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. $NetBSD: NetBSD-SA2011-008.txt,v 1.1 2011/12/15 13:52:31 tonnerre Exp $
RSS Feed