Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2011.1261
OpenPAM privilege escalation
16 December 2011
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: OpenPAM
Publisher: NetBSD
Operating System: NetBSD
BSD variants
Impact/Access: Increased Privileges -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2011-4122
Comment: This advisory references vulnerabilities in products which run on
platforms other than NetBSD. It is recommended that administrators
running OpenPAM check for an updated version of the software for
their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2011-008
=================================
Topic: OpenPAM privilege escalation
Version: NetBSD-current: affected prior to 20111109
NetBSD 5.1: affected prior to 20111119
NetBSD 5.0: affected prior to 20111119
NetBSD 4.0.*: affected prior to 20111119
NetBSD 4.0: affected prior to 20111119
pkgsrc: security/openpam package prior to
20111213
Severity: Privilege escalation
Fixed: NetBSD-current: Nov 9th, 2011
NetBSD-5-1 branch: Nov 19th, 2011
NetBSD-5-0 branch: Nov 19th, 2011
NetBSD-5 branch: Nov 19th, 2011
NetBSD-4-0 branch: Nov 19th, 2011
NetBSD-4 branch: Nov 19th, 2011
pkgsrc security/openpam: openpam-20071221nb1
Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.
Abstract
========
The pam_start() function of OpenPAM doesn't check the "service"
argument. With a relative path it can be tricked into reading
a config file from an arbitrary location.
NetBSD base utilities pass fixed constant strings. 3rd party
programs which run with elevated privileges and allow user chosen
strings open an attack vector.
This vulnerability has been assigned CVE-2011-4122.
Technical Details
=================
Known 3rd party programs which allow user chosen PAM service names are:
- - -"kcheckpass" from KDE3/4 (installed as SUID per default)
- - -the "pam_auth" helper of "squid" (not SUID per default, but might
be by administator's choice)
- - -"saslauthd" from cyrus-sasl, if built with PAM support, is suspected
to accept a PAM service name through its communication socket
(not verified in detail; pkgsrc/security/cyrus-saslauthd does not
support PAM)
Also see the initial post about the problem:
http://c-skills.blogspot.com/2011/11/openpam-trickery.html
An exploit which uses KDE's "kcheckpass" is here:
http://stealth.openwall.net/xSports/pamslam
Solutions and Workarounds
=========================
Update NetBSD's libpam to one of the versions listed above, or install
a version of the 3rd party software with a fix for the issue.
Fixed versions in pkgsrc are:
kdebase-3.5.10nb16
kdebase-workspace4-4.5.5nb4
squid-2.7.9nb2
squid-3.1.16nb1
Thanks To
=========
Thanks to "Icke" for reporting the issue.
Revision History
================
2011-12-15 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2011-008.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .
Copyright 2011, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2011-008.txt,v 1.1 2011/12/15 13:52:31 tonnerre Exp $
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (NetBSD)
iQIcBAEBAgAGBQJO6f/4AAoJEAZJc6xMSnBuS/UP/RtxNHH5PEeo40KW05lLTgwH
shzPpdm92ZzSLtNQ/TIAJOSsDJ9RtIWLxiwjOYfwOqD2Mvcdo/meVOvfMxInXx8Q
ktNiX4Ud2IFU9jAxQfDJt0Hrmt7rc1dSn254uRvoKoMZd5oUrM7F9NMWt2PI/l1X
bWs39vcjW8ZALX+nbQrlMIUsRxB9i2COubm/eh1cArhaz0msD06Y9gso1Kib5wzg
JWgVzJbgNOxSfu5fHi+vDK5lk655VTnuSmb86+UIbAmRvBXO2AUGkJyhB9CDWiic
EeTfRDw6DFOpRBgS+SPoWRs63SKyb9s2P1EC6cLuxX9Fap/xQxvrmEKQYQicG2JG
vrqHevJ1W/Ke9x0UvIO56Oqp+gRYtoB0BU/0dCXGRAx2aR51WHZDS2QLA08tJKjH
PMLozx30UqCbTpE96nRdR5LzvsYqtiNN4oBzzZ14d0ENfPQfZRcK++/Srbj3qgNZ
dYZhplqYijvteyr7ZFbrua7ID/VhHQn7rORrTpsf5H68IWyL9BWHtITFs84NNRAE
BFCHLCYzrjATC+dtC7uGWZneEHWmPQF4CPDOE1Q6MpW7ihK/ziC2DFm4+wX8t5Eq
GlFX4P7xOnbvHBeV7pa8T1ixgyt7Nit07Z9DiRq/g8iaoKsDU2XYVx3QVcIbHOTU
27BrifxSQWtqqkWCmVWp
=hTrO
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBTuq1vO4yVqjM2NGpAQJaTQ//ZsfdSLSN+6NcANqzTx3oJoUPNISXlkMj
+jKCbWQoTQ+IigeX6/BB0Oe8VrVPj/rTtkRxIsyjxzD6zN+aHFmWZtaSSFpPlgX6
5dn9aDP/hpVHrHVcrXG9bRuEbz6Y8K2XybbRdlPkVLUIcy4nCxHxN0nSbUzCgZsX
VBfxnUzkKEBzQxuWCh6tNLfMTcUs17K7bkLVoWAgYRCrg9faT4n9EE6459bljUHN
NhQaUBz0JXkxfjwF1NG2B2r0sFFgV1Brq0RJd++AOHnunWMj7ySkrjzcrFKI9Iac
HuywFOGtYPOj1TugtXGbqb9qxjUzmLcxpn+xBjsxkPoTjFmw0EEIGsTpx1EHqQ9C
TNZ53ImuSO76JG7lB4tzHvrU6kDeoKo8h1P8n/ndwcTLlm69EbYtGMmOMKxC+SCr
Zrp7TLs6JDSEkUqPf4ZSHVzhAHh8wJYa1Y+r9NP8R8WtJE9t092TLw1Qs+OVok95
4NtnukQBaFRRa29TiXxkGUtgYbc06fUnLuv3jMDB8ar2v3Uw69CUfW1DB08UlYQG
7J2wtLPHgpzAUpDuYLUXPWb1KetETYQq/ZAVmw3Vz8bpKaaTRX/vdj8MYUhlsj+S
nBgz24fMNaC4IH7zwfoIIa2s5jWKUr4F5YbgTexOCEYSKCIzIHigFd2D+lh46CZb
LOL66HqJNd0=
=Q3SC
-----END PGP SIGNATURE-----