ports/162735: [patch] privilege escalation with x11/kde4-workspace and openpam
Axel Gonzalez
loox at e-shell.net
Mon Nov 21 20:30:12 UTC 2011
>Number: 162735
>Category: ports
>Synopsis: [patch] privilege escalation with x11/kde4-workspace and openpam
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Nov 21 20:30:11 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Axel Gonzalez
>Release: FreeBSD 9.0-RC1
>Organization:
>Environment:
FreeBSD moonlight 9.0-RC1 FreeBSD 9.0-RC1 #0: Fri Oct 28 22:53:45 CDT 2011 toor at moonlight:/usr/obj/usr/src/sys/LXCORE9 i386
>Description:
kcheckpass, as used in OpenPAM in FreeBSD 8.1 and possibly other operating systems, calls the pam_star function with raised privileges, which allows local users to load arbitrary DSOs and execute arbitrary code via a crafted service name.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4122
Note that there have been changes in openpam that prevnt this:
http://trac.des.no/openpam/changeset/493/trunk/lib/openpam_dynamic.c
>How-To-Repeat:
http://c-skills.blogspot.com/2011/11/openpam-trickery.html
>Fix:
Apply the patch to openpam
Or apply this patch in x11/kde4-workspace (this is for 4.7.2):
--- ./kcheckpass/checkpass_pam.c.orig 2011-11-21 13:04:22.000000000 -0600
+++ ./kcheckpass/checkpass_pam.c 2011-11-21 13:11:13.000000000 -0600
@@ -32,6 +32,9 @@
#include <security/pam_appl.h>
#endif
+/* XXX stat */
+#include <sys/stat.h>
+
struct pam_data {
char *(*conv) (ConvRequest, const char *);
int abort:1;
@@ -146,6 +149,14 @@
} else {
/* PAM_data.classic = 1; */
pam_service = caller;
+
+ /* XXX This a patch to fix elevation privileges, it doesn't fix silly things as wrong pam */
+ struct stat st;
+ if (stat(pam_service, &st) != 0)
+ return (AuthBad);
+
+ if (st.st_uid != 0)
+ return (AuthBad);
}
pam_error = pam_start(pam_service, user, &PAM_conversation, &pamh);
if (pam_error != PAM_SUCCESS)
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list