|
COMMAND Insecure default pam_xauth for sh-utils priviledge escalation SYSTEMS AFFECTED su as contained in e.g. sh-utils-2.0.12-3. RedHat pam packages like e.g. pam-0.75-18.7 At least Redhat 8.0 and 7.1 are vulnerable. Supposedly all versions in between are as well. RedHat 7.0 and before are _NOT_ vulnerable. PROBLEM Thanks to Andreas Beck [becka@bedatec.de] advisory : --snip-- On Redhat Linux including 8.0, PAM comes with a module pam_xauth which can forward X MIT-Magic-Cookies to newly instantiated sessions. While this is a nice feature and generally harmless for the case that an unpriviledged user elevates his priviledges to root using e.g. su or the various wrappers for some root-only programs, it poses a security risk for root, if root uses su in order to assume the id of a less priviledged user, e.g. for troubleshooting purposes. Details: -------- While checking an unrelated problem, we discovered that using su would allow the target user to connect to the running X session owned by the user that used su. Quick checking > becka@cupido$ su devel > Password: > [devel@cupido becka]$ xauth > Using authority file /home/devel/.xauthupNGf8 revealed, that su seems to forward the MIT-Magic-Cookie to the target user in a temporary .xauth-File. > [devel@cupido devel]$ ls -l /home/devel/.xauthupNGf8 > -rw------- 1 devel devel 51 Dez 8 00:26 .xauthupNGf8 This file is owned by the target user and only readable by the target user, as it must/should be for the method to work. This behaviour causes a security risk when root uses su to become an unpriviledged user for troubleshooting an account. Possible attack scenario: ------------------------- Write a mail to local root, stating that you have difficulties logging in, like e.g. you get logged out after 5 seconds in which you can run programs and everything, you just get logged out afterwards. This should be a strange enough description, that root will probably want to verify this behaviour. Assuming root is running an X session on the console under his normal login name, he will probably su to root to allow to assume the id of the complaining user without having to supply a password by using su again. [Depending on the method of connection, a remote X server should also do.] The default entries in /etc/pam.d/su will cause the X session cookie to be forwarded to first root and then the user whose "problem" is to be investigated. Right after sending the mail, said user places a process in memory that will wait for the .xauth-file to appear. Only a very careful root would check for running processes, and even then, he is not likely to shut down something like "longrunning_calculation" that is niced up and all. The process will grab the contents of the .xauth-File and can then connect to the X server, as it knows the cookie. Though this is annoying by itself (User can see what is on the root desktop, send fake events, thus run programs as the user who started the desktop etc.), in this scenario it is much worse, as we know that there is a terminal open that has just su'ed to the current user, very probably from _root_. Just send it "exit<Enter>" and then execute whatever you like. This way you even reproduce the problem you told root about. O.K. - he might get suspicious now, but the damage is done. Some webpages suggest, that pam_xauth can be customized to only forward cookies under certain conditions. However neither the manpage for su nor the one for pam_xauth mention how to do that. Moreover the su manpage does not state, that X forwarding is on by default. Proof of concept/How to reproduce: ---------------------------------- Log in as an unpriviledged user ("victim"). Start up X if necessary. Get root using su, then assume the ID of another unpriviledged user ("attacker") using su. Log in as "attacker" remotely or from a console. Locate the -xauth file. Give it to an arbitrary X program using the XAUTHORITY environment variable and set display accordingly. This data can be obtained from the shell that root started. Program should appear on victim's X server. --snap-- SOLUTION Recommendations: ---------------- To solve or mitigate the problem, choose one of: 1) Get updated vendor packages when they appear. Configure re-added ACL functionality not to forward from root (should be default). 2) Disable pam_xauth module for su by commenting out the relevant line in /etc/pam.d/su. If required copy su to "sux" and make an appropriate pam.d entry that retains the old behaviour. 3) If you already have a pam_xauth module with ACL control, change its configuration not to forward X if su is called by root. plus you may want to consider: 4) pam_xauth documentation should clearly state why one shouldn't forward X11 to untrusted accounts. Something along the lines of: "Mind that forwarding X11-cookies to other users basically allows them to gain control over your X session. This is usually not a problem when the target user is root, but can be one when root assumes the id of a possibly untrusted user" 5) Be aware of the possible consequences of propagating X-Cookies to potentially hostile environments. (ssh with -X basically opens the same problem, though it is less readily exploitable there due to the transparent Cookie replacement.)