Vigil@nce: pam_mount, file corruption via passwdehd
January 2009 by Vigil@nce
A local attacker can force the corruption of a file when passwdehd
of pam_mount is used.
– Gravity: 1/4
– Consequences: data creation/edition
– Provenance: user shell
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 12/01/2009
IMPACTED PRODUCTS
– Mandriva Corporate
– Mandriva Linux
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The pam_mount module is used to mount a volume after the
authentication of a user.
The passwdehd script installed with pam_mount can be used by the
administrator to change the password of an encrypted volume.
This script creates a temporary file named "/tmp/passwdehd.$$"
(where $$ is replaced by the pid) and accesses it in an insecure
manner.
A local attacker can therefore create a symbolic link when the
administrator uses passwdehd, in order to force a file to be
corrupted with root privileges.
CHARACTERISTICS
– Identifiers: CVE-2008-5138, MDVSA-2009:004, VIGILANCE-VUL-8377
– Url: http://vigilance.fr/vulnerability/pam-mount-file-corruption-via-passwdehd-8377