Vigil@nce: pam_krb5, privilege elevation via existing_ticket
October 2008 by Vigil@nce
When the existing_ticket option of pam_krb5 is enabled, a local
attacker can run a privileged program such as su or sudo in order to
obtain the cached Kerberos ticket of another user.
– Severity: 2/4
– Consequences: user access/rights
– Provenance: user account
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: confirmed by the vendor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 02/10/2008
IMPACTED PRODUCTS
– Fedora
– Mandriva Linux
– Red Hat Enterprise Linux
– Unix - platform
DESCRIPTION
The pam_krb5 module authenticates users against a Kerberos server. Its
existing_ticket option tells the module to look for a ticket already
present in the user's credential cache and to use it to authenticate
the user.
However, when existing_ticket is enabled, pam_krb5 does not drop its
privileges before searching the cache. Since "su" and "sudo" run with
root privileges, an attacker can invoke one of them so that pam_krb5
reads a credential cache in a privileged manner and obtains the ticket
of another user.
A local attacker can therefore log in to the account of a victim whose
Kerberos ticket is still present in a cache.
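The vulnerable code path is only reached when existing_ticket is enabled, so the first thing to check on an affected host is whether any PAM stack turns it on. The script below is an added example, not part of the Vigil@nce advisory or of pam_krb5 itself. It looks for the option in the two places pam_krb5 reads it from: the pam_krb5.so line in /etc/pam.d/* and the "pam" subsection of [appdefaults] in /etc/krb5.conf. The sample configuration files it writes (a vulnerable set and a corrected set) are constructed for the demonstration; run find_existing_ticket against /etc/pam.d and /etc/krb5.conf to audit a real system.

```shell
#!/bin/sh
# Added example (not from the advisory): audit for the pam_krb5
# existing_ticket option. Sample files are constructed, see make_samples.

# find_existing_ticket PAM_DIR KRB5_CONF
# Prints every place existing_ticket is enabled.
# Returns 0 if at least one was found, 1 if none.
find_existing_ticket() {
    pam_dir=$1
    krb5_conf=$2
    rc=1
    # Form 1: option on the module line, e.g.
    #   auth  sufficient  pam_krb5.so use_first_pass existing_ticket
    # Anything after '#' is a comment and is ignored.
    for f in "$pam_dir"/*; do
        [ -f "$f" ] || continue
        if grep -E '^[^#]*pam_krb5\.so[^#]*[[:space:]]existing_ticket([[:space:]]|$)' "$f" >/dev/null; then
            printf '%s: existing_ticket on pam_krb5 module line\n' "$f"
            rc=0
        fi
    done
    # Form 2: krb5.conf, e.g.
    #   [appdefaults]
    #     pam = { existing_ticket = true }
    # The awk program tracks the current [section] and flags a true-valued
    # existing_ticket anywhere under [appdefaults] (it does not distinguish
    # the pam subsection from other subsections, so review hits by hand).
    if [ -f "$krb5_conf" ] && awk '
        /^[ \t]*\[/ { in_app = ($0 ~ /^[ \t]*\[appdefaults\]/) }
        in_app && /^[ \t]*existing_ticket[ \t]*=[ \t]*(true|yes|on|1)([^A-Za-z0-9_]|$)/ { hit = 1 }
        END { exit (hit ? 0 : 1) }
    ' "$krb5_conf"; then
        printf '%s: existing_ticket enabled under [appdefaults]\n' "$krb5_conf"
        rc=0
    fi
    return $rc
}

# make_samples DIR vulnerable|safe
# Writes constructed sample configuration files under DIR: a su stack plus
# a krb5.conf, with existing_ticket enabled only in the vulnerable variant.
make_samples() {
    dir=$1
    mode=$2
    mkdir -p "$dir/pam.d"
    if [ "$mode" = vulnerable ]; then
        printf 'auth\tsufficient\tpam_krb5.so use_first_pass existing_ticket\n' >"$dir/pam.d/su"
        printf '[appdefaults]\n pam = {\n  existing_ticket = true\n }\n' >"$dir/krb5.conf"
    else
        # Corrected form: option removed from the module line and set to
        # false in krb5.conf; a commented-out copy must not count as a hit.
        printf '#auth\tsufficient\tpam_krb5.so existing_ticket\n' >"$dir/pam.d/su"
        printf 'auth\tsufficient\tpam_krb5.so use_first_pass\n' >>"$dir/pam.d/su"
        printf '[appdefaults]\n pam = {\n  existing_ticket = false\n }\n' >"$dir/krb5.conf"
    fi
    printf 'auth\trequired\tpam_unix.so\n' >"$dir/pam.d/login"
}

# Demonstration on the constructed samples, kept off the real /etc.
demo_dir=$(mktemp -d)
make_samples "$demo_dir/vulnerable" vulnerable
make_samples "$demo_dir/fixed" safe
echo "== vulnerable configuration =="
find_existing_ticket "$demo_dir/vulnerable/pam.d" "$demo_dir/vulnerable/krb5.conf" || echo "(none found)"
echo "== corrected configuration =="
find_existing_ticket "$demo_dir/fixed/pam.d" "$demo_dir/fixed/krb5.conf" || echo "(none found)"
rm -rf "$demo_dir"
```

A hit from either form means the host is exposed until the vendor update listed below is installed; removing existing_ticket from the configuration closes the vulnerable path in the meantime, at the cost of users having to authenticate with a password again.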
CHARACTERISTICS
– Identifiers: 461960, BID-31534, CVE-2008-3825, FEDORA-2008-8605,
FEDORA-2008-8618, MDVSA-2008:209, RHSA-2008:0907-01,
VIGILANCE-VUL-8142
– Url: http://vigilance.aql.fr/vulnerability/8142