Vigil@nce : pam-krb5, file corruption
February 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
When a suid program reinitializes pam-krb5 credentials, a file
can be corrupted.
Gravity : 2/4
Consequences : administrator access/rights, data creation/edition
Provenance : user shell
Means of attack : no proof of concept, no attack
Ability of attacker : expert (4/4)
Confidence : confirmed by the editor (5/5)
Diffusion of the vulnerable configuration : high (3/3)
Creation date : 12/02/2009
IMPACTED PRODUCTS
– Debian Linux
– OpenSolaris
– Sun Solaris
– Sun Trusted Solaris
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The pam-krb5 module authenticates users with Kerberos.
The KRB5CCNAME environment variable indicates the path to the
credential cache. For example the value of KRB5CCNAME can be
/tmp/krb5cc_util.
The pam_setcred(PAM_REINITIALIZE_CREDS) or pam_setcred(PAM_REFRESH_CREDS)
call reinitializes the user's credentials. In order to do so, the
pam_sm_setcred() function of api-auth.c calls chown() on the path
given by KRB5CCNAME. The user thus becomes the owner of the indicated
file, and its content is then reinitialized.
Some suid applications, such as the su command of Solaris, use
pam_setcred(PAM_REINITIALIZE_CREDS). However, in this case, if a
local attacker has previously defined KRB5CCNAME, the file it names
is corrupted during the execution of the suid command.
A local attacker can therefore use a suid program which
reinitializes pam-krb5 credentials in order to corrupt a file and
change its owner.
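The defensive checks this description implies, as an added illustration that is not pam-krb5's code (the function names are invented, and the approach shown is a general hardening pattern, not the project's actual patch): a module that refreshes a credential cache should ignore KRB5CCNAME when the process is setuid/setgid, inspect the target with lstat() so a symlink cannot redirect the chown(), and refuse to re-own a file that already belongs to someone else.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* In a setuid/setgid program the caller chose the environment, so a
 * KRB5CCNAME value taken from it must never drive a chown(). */
int process_is_setuid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Hypothetical check, not pam-krb5 code: may the cache named by
 * KRB5CCNAME be chown()ed to target_uid and rewritten?  1 = yes, 0 = no. */
int ccache_path_is_safe(const char *path, uid_t target_uid, int setuid_proc)
{
    struct stat st;
    if (setuid_proc || path == NULL || *path == '\0')
        return 0;
    if (strncmp(path, "FILE:", 5) == 0)   /* accept the FILE:<path> form */
        path += 5;
    if (lstat(path, &st) != 0)            /* lstat(): never follow a symlink */
        return 1;                         /* absent: the module creates it */
    if (!S_ISREG(st.st_mode))             /* symlink, directory, device ... */
        return 0;
    return st.st_uid == target_uid;       /* never re-own another user's file */
}

/* Self-check on constructed files; returns how many expectations hold (5). */
int run_checks(void)
{
    char tmpl[] = "/tmp/krb5cc_demo_XXXXXX", lnk[64];
    int fd = mkstemp(tmpl), ok = 0;
    if (fd < 0)
        return -1;
    close(fd);
    snprintf(lnk, sizeof lnk, "%s.lnk", tmpl);
    if (symlink(tmpl, lnk) != 0) { unlink(tmpl); return -1; } /* constructed link */
    ok += ccache_path_is_safe(tmpl, getuid(), 0) == 1;     /* own regular file */
    ok += ccache_path_is_safe(tmpl, getuid() + 1, 0) == 0; /* someone else's */
    ok += ccache_path_is_safe(tmpl, getuid(), 1) == 0;     /* setuid: ignore env */
    ok += ccache_path_is_safe(lnk, getuid(), 0) == 0;      /* symlink rejected */
    ok += ccache_path_is_safe("/tmp/krb5cc_demo_absent", getuid(), 0) == 1;
    unlink(lnk); unlink(tmpl);
    return ok;
}
```

In a real module the third argument would be process_is_setuid(); it is a parameter here only so both branches can be exercised from an ordinary process.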
CHARACTERISTICS
Identifiers : 252767, 6799884, BID-33741, CVE-2009-0361, DSA 1721-1, DSA 1722-1, VIGILANCE-VUL-8468
http://vigilance.fr/vulnerability/pam-krb5-file-corruption-8468