i386/163224: privilege escalation with openpam
Axel Gonzalez
loox at e-shell.net
Tue Dec 13 04:40:10 UTC 2011
>Number: 163224
>Category: i386
>Synopsis: privilege escalation with openpam
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-i386
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Dec 13 04:40:09 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Axel Gonzalez
>Release: FreeBSD 9.0-RC1
>Organization:
>Environment:
FreeBSD moonlight 9.0-RC1 FreeBSD 9.0-RC1 #0: Fri Oct 28 22:53:45 CDT 2011 toor at moonlight:/usr/obj/usr/src/sys/LXCORE9 i386
>Description:
Directory traversal vulnerability in openpam_configure.c in OpenPAM before r478 on FreeBSD 8.1 allows local users to load arbitrary DSOs and gain privileges via a .. (dot dot) in the service_name argument to the pam_start function, as demonstrated by a .. in the -c option to kcheckpass.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4122
Note that there have been changes in openpam that prevnt this:
http://trac.des.no/openpam/changeset/493/trunk/lib/openpam_dynamic.c
This problem was previously reported:
http://www.freebsd.org/cgi/query-pr.cgi?pr=162735
I'm filling a new PR with openpam as the problem, not kcheckpass (since this PR is closed now).
>How-To-Repeat:
http://c-skills.blogspot.com/2011/11/openpam-trickery.html
>Fix:
update to new version
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-i386
mailing list