Date: Tue, 13 Dec 2011 04:39:55 GMT From: Axel Gonzalez <loox@e-shell.net> To: freebsd-gnats-submit@FreeBSD.org Subject: i386/163224: privilege escalation with openpam Message-ID: <201112130439.pBD4dtId023296@red.freebsd.org> Resent-Message-ID: <201112130440.pBD4e9Eo004662@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 163224 >Category: i386 >Synopsis: privilege escalation with openpam >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-i386 >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Tue Dec 13 04:40:09 UTC 2011 >Closed-Date: >Last-Modified: >Originator: Axel Gonzalez >Release: FreeBSD 9.0-RC1 >Organization: >Environment: FreeBSD moonlight 9.0-RC1 FreeBSD 9.0-RC1 #0: Fri Oct 28 22:53:45 CDT 2011 toor@moonlight:/usr/obj/usr/src/sys/LXCORE9 i386 >Description: Directory traversal vulnerability in openpam_configure.c in OpenPAM before r478 on FreeBSD 8.1 allows local users to load arbitrary DSOs and gain privileges via a .. (dot dot) in the service_name argument to the pam_start function, as demonstrated by a .. in the -c option to kcheckpass. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4122 Note that there have been changes in openpam that prevnt this: http://trac.des.no/openpam/changeset/493/trunk/lib/openpam_dynamic.c This problem was previously reported: http://www.freebsd.org/cgi/query-pr.cgi?pr=162735 I'm filling a new PR with openpam as the problem, not kcheckpass (since this PR is closed now). >How-To-Repeat: http://c-skills.blogspot.com/2011/11/openpam-trickery.html >Fix: update to new version >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201112130439.pBD4dtId023296>