Date: Mon, 21 Nov 2011 20:24:31 GMT
From: Axel Gonzalez <loox@e-shell.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/162735: [patch] privilege escalation with x11/kde4-workspace and openpam
Message-ID: <201111212024.pALKOVgA037409@red.freebsd.org>
Resent-Message-ID: <201111212030.pALKUBQW072587@freefall.freebsd.org>
>Number:         162735
>Category:       ports
>Synopsis:       [patch] privilege escalation with x11/kde4-workspace and openpam
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov 21 20:30:11 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Axel Gonzalez
>Release:        FreeBSD 9.0-RC1
>Organization:
>Environment:
FreeBSD moonlight 9.0-RC1 FreeBSD 9.0-RC1 #0: Fri Oct 28 22:53:45 CDT 2011     toor@moonlight:/usr/obj/usr/src/sys/LXCORE9  i386
>Description:
kcheckpass, as used in OpenPAM in FreeBSD 8.1 and possibly other operating systems, calls the pam_start function with raised privileges, which allows local users to load arbitrary DSOs and execute arbitrary code via a crafted service name.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4122

Note that there have been changes in openpam that prevent this:

http://trac.des.no/openpam/changeset/493/trunk/lib/openpam_dynamic.c
>How-To-Repeat:
http://c-skills.blogspot.com/2011/11/openpam-trickery.html
>Fix:
Apply the patch to openpam

Or apply this patch in x11/kde4-workspace (this is for 4.7.2):

--- ./kcheckpass/checkpass_pam.c.orig	2011-11-21 13:04:22.000000000 -0600
+++ ./kcheckpass/checkpass_pam.c	2011-11-21 13:11:13.000000000 -0600
@@ -32,6 +32,9 @@
 #include <security/pam_appl.h>
 #endif
 
+/* XXX stat */
+#include <sys/stat.h>
+
 struct pam_data {
     char *(*conv) (ConvRequest, const char *);
     int abort:1;
@@ -146,6 +149,14 @@
     } else {
         /* PAM_data.classic = 1; */
         pam_service = caller;
+
+        /* XXX This a patch to fix elevation privileges, it doesn't fix silly things as wrong pam */
+        struct stat st;
+        if (stat(pam_service, &st) != 0)
+            return (AuthBad);
+
+        if (st.st_uid != 0)
+            return (AuthBad);
     }
     pam_error = pam_start(pam_service, user, &PAM_conversation, &pamh);
     if (pam_error != PAM_SUCCESS)
>Release-Note:
>Audit-Trail:
>Unformatted:
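Review bot: the `/* XXX stat */` comment above the new `#include <sys/stat.h>` in the first hunk (`@@ -32,6 +32,9 @@`) says nothing about why the header is needed, and `XXX` conventionally marks something unfinished; replace it with a line stating that the include is for the `stat()` ownership check on the PAM service name added further down in checkpass_pam.c, and drop the marker if this is meant as the permanent fix.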
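Review bot: the `stat(pam_service, &st)` added in the second hunk (`@@ -146,6 +149,14 @@`) is applied to the bare caller name, so it resolves against the current working directory of kcheckpass, not against the policy file openpam looks up under /etc/pam.d, /usr/local/etc/pam.d or /etc/pam.conf when `pam_start()` runs a few lines later. As written, a legitimate caller gets `AuthBad` unless a root-owned file of that name happens to exist in the cwd, while the check says nothing about the file openpam actually reads. Validate the service name itself instead (reject anything that is not a plain file name, i.e. containing a '/' or starting with '.', or match it against the fixed set of callers kcheckpass supports), and if an ownership test is kept, stat the resolved policy path and also require `S_ISREG(st.st_mode)` and no group/other write bit rather than only `st.st_uid == 0`. Two smaller points: `struct stat st;` is declared after a statement, which needs C99, and the comment reads "This a patch" (missing "is").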