Vigil@nce : pam-krb5, file corruption

February 2009 by Vigil@nce

SYNTHESIS OF THE VULNERABILITY

When a suid program reinitializes credentials of pam-krb5, a file
can be corrupted.

Gravity : 2/4

Consequences : administrator access/rights, data creation/edition

Provenance : user shell

Means of attack : no proof of concept, no attack

Ability of attacker : expert (4/4)

Confidence : confirmed by the editor (5/5)

Diffusion of the vulnerable configuration : high (3/3)

Creation date : 12/02/2009

IMPACTED PRODUCTS

 Debian Linux
 OpenSolaris
 Sun Solaris
 Sun Trusted Solaris
 Unix - platform

DESCRIPTION OF THE VULNERABILITY

The pam-krb5 module authenticates users with Kerberos.

The KRB5CCNAME environment variable indicates the path to the
credential cache. For example the value of KRB5CCNAME can be
/tmp/krb5cc_util.

The pam_setcred(PAM_REINITIALIZE_CREDS) or pam_setcred(PAM_REFRESH_CREDS)
call reinitializes the user's credentials. In order to do so, the
pam_sm_setcred() function in api-auth.c calls chown() on the path held
in KRB5CCNAME. The user thus becomes the owner of the indicated file,
and its content is then reinitialized.

Some suid applications, such as the su command of Solaris, use
pam_setcred(PAM_REINITIALIZE_CREDS). However, in this case, if a
local attacker has previously set KRB5CCNAME, the file it points to is
corrupted during the execution of the suid command.

A local attacker can therefore use a suid program which
reinitializes pam-krb5 credentials, in order to corrupt a file and
to change its owner.
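
The defensive pattern this description implies, as an added example that is not pam-krb5's own code: ignore a KRB5CCNAME that crosses a suid boundary, and never chown() a pre-existing file. Function names, the handling of a FILE: prefix and the constructed test paths under /tmp are assumptions of this example.

```c
/* Added example (not pam-krb5 source): hardened handling of a
 * caller-supplied credential cache path inside a PAM setcred path. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* May KRB5CCNAME from the environment be honoured at all?  When real and
 * effective ids differ (a suid program such as su), the environment was
 * set by an unprivileged caller and must be ignored. */
int ccname_is_trusted(const char *ccname, uid_t ruid, uid_t euid,
                      gid_t rgid, gid_t egid)
{
    if (ccname == NULL || *ccname == '\0')
        return 0;
    if (ruid != euid || rgid != egid)
        return 0;                           /* privilege boundary crossed */
    if (strncmp(ccname, "FILE:", 5) == 0)
        ccname += 5;                        /* plain file cache type only */
    return ccname[0] == '/';                /* require an absolute path */
}

/* Open the cache file for reinitialisation.  Ownership is only ever
 * transferred to a file this function created itself; a pre-existing
 * file must already be a regular file owned by the target user, and
 * symlinks are never followed.  Returns an fd, or -1 if unsafe. */
int open_ccache_safely(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd >= 0) {
        /* Safe: we created this file, so nobody else chose its target. */
        if (fchown(fd, uid, gid) < 0) { close(fd); unlink(path); return -1; }
        return fd;
    }
    if (errno != EEXIST)
        return -1;
    fd = open(path, O_RDWR | O_NOFOLLOW);   /* ELOOP if path is a symlink */
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1
        || st.st_uid != uid) {
        close(fd);                          /* never chown() what we found */
        return -1;
    }
    return fd;
}
```

A caller that refuses the environment value falls back to the module's own default cache location, so the user supplying KRB5CCNAME can no longer pick which file the suid program chowns.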

CHARACTERISTICS

Identifiers : 252767, 6799884, BID-33741, CVE-2009-0361, DSA 1721-1, DSA 1722-1, VIGILANCE-VUL-8468

http://vigilance.fr/vulnerability/pam-krb5-file-corruption-8468
