===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.1261
                        OpenPAM privilege escalation
                              16 December 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenPAM
Publisher:         NetBSD
Operating System:  NetBSD
                   BSD variants
Impact/Access:     Increased Privileges -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-4122

Comment: This advisory references vulnerabilities in products which run on
         platforms other than NetBSD. It is recommended that administrators
         running OpenPAM check for an updated version of the software for
         their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

                 NetBSD Security Advisory 2011-008
                 =================================

Topic:          OpenPAM privilege escalation

Version:        NetBSD-current:   affected prior to 20111109
                NetBSD 5.1:       affected prior to 20111119
                NetBSD 5.0:       affected prior to 20111119
                NetBSD 4.0.*:     affected prior to 20111119
                NetBSD 4.0:       affected prior to 20111119
                pkgsrc:           security/openpam package prior to 20111213

Severity:       Privilege escalation

Fixed:          NetBSD-current:           Nov 9th, 2011
                NetBSD-5-1 branch:        Nov 19th, 2011
                NetBSD-5-0 branch:        Nov 19th, 2011
                NetBSD-5 branch:          Nov 19th, 2011
                NetBSD-4-0 branch:        Nov 19th, 2011
                NetBSD-4 branch:          Nov 19th, 2011
                pkgsrc security/openpam:  openpam-20071221nb1

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

The pam_start() function of OpenPAM doesn't check the "service" argument.
With a relative path it can be tricked into reading a config file from an
arbitrary location. NetBSD base utilities pass fixed constant strings.
3rd party programs which run with elevated privileges and allow user-chosen
strings open an attack vector.

This vulnerability has been assigned CVE-2011-4122.

Technical Details
=================

Known 3rd party programs which allow user-chosen PAM service names are:

- "kcheckpass" from KDE3/4 (installed as SUID per default)
- the "pam_auth" helper of "squid" (not SUID per default, but might be by
  administrator's choice)
- "saslauthd" from cyrus-sasl, if built with PAM support, is suspected to
  accept a PAM service name through its communication socket (not verified
  in detail; pkgsrc/security/cyrus-saslauthd does not support PAM)

Also see the initial post about the problem:
http://c-skills.blogspot.com/2011/11/openpam-trickery.html

An exploit which uses KDE's "kcheckpass" is here:
http://stealth.openwall.net/xSports/pamslam

Solutions and Workarounds
=========================

Update NetBSD's libpam to one of the versions listed above, or install a
version of the 3rd party software with a fix for the issue.

Fixed versions in pkgsrc are:

  kdebase-3.5.10nb16
  kdebase-workspace4-4.5.5nb4
  squid-2.7.9nb2
  squid-3.1.16nb1

Thanks To
=========

Thanks to "Icke" for reporting the issue.

Revision History
================

2011-12-15      Initial release

More Information
================

Advisories may be updated as new information becomes available. The most
recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2011-008.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .

Copyright 2011, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
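The defensive counterpart of the Abstract and Technical Details above, as an added example that is not OpenPAM, KDE or squid code: a privileged helper that lets a caller choose the PAM service name should accept only a plain file name, and preferably only one from a fixed allowlist, before handing it to pam_start(). The function names, the size bound and the allowlist are constructed for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added example, not OpenPAM, KDE or squid code. OpenPAM opens the policy
 * as <policy dir>/<service>, so a caller-supplied service name containing
 * '/' or a ".." component can make it read a config file from an arbitrary
 * location (CVE-2011-4122). A privileged helper must vet the name before
 * calling pam_start(). Function names and the allowlist are constructed. */

#define PAM_SERVICE_MAX 64   /* assumed upper bound on a sane service name */

/* Syntactic check: one plain file name from a conservative alphabet that
 * does not start with '.', so it cannot resolve outside the policy dir. */
bool pam_service_name_ok(const char *service)
{
    if (service == NULL)
        return false;
    size_t len = strlen(service);
    if (len == 0 || len > PAM_SERVICE_MAX)
        return false;
    if (service[0] == '.')               /* rejects ".", "..", ".hidden" */
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)service[i];
        if (!(isalnum(c) || c == '-' || c == '_' || c == '.'))
            return false;                /* '/', '\\', whitespace, etc. */
    }
    return true;
}

/* Constructed allowlist: the services this helper was built to serve. */
const char *const example_allowlist[] = { "kde", "kscreensaver", NULL };

/* Stronger policy for a setuid helper: syntax check plus fixed allowlist. */
bool pam_service_allowed(const char *service, const char *const *allowlist)
{
    if (!pam_service_name_ok(service))
        return false;
    for (size_t i = 0; allowlist[i] != NULL; i++)
        if (strcmp(service, allowlist[i]) == 0)
            return true;
    return false;
}
```

A helper that passes `pam_service_allowed()` output to pam_start() keeps the caller confined to the policy files the administrator installed, regardless of which libpam version is underneath.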
$NetBSD: NetBSD-SA2011-008.txt,v 1.1 2011/12/15 13:52:31 tonnerre Exp $

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================