Linux Pluggable Authentication Modules (PAM) provide a way to develop programs that are independent of the authentication scheme: the program calls "authentication modules" that are attached at run time.
One of these modules, pam_unix_passwd.so, contains a race condition in its password-change routine which might be exploited to gain read/write permissions on the /etc/shadow file.
Credit:
The vulnerability was found by: Michal Zalewski.
To learn more about Linux PAM, see:
http://www.kernel.org/pub/linux/libs/pam/FAQ.
Linux Pluggable Authentication Modules version 0.64-2 (as well as previous versions) are vulnerable to an attack which may be exploited to gain read/write permissions on the /etc/shadow file.
This vulnerability exists on any Linux system with PAM and a PAM-compliant passwd utility that is configured to use pam_unix_passwd.so. Note: the RedHat 5.x distribution is not vulnerable in its default configuration, because that module has been superseded there by the newer, universal pam_pwdb.so. The bug in the pam_unix_passwd.so that ships with the distribution is still present, however, and a system configured to use that module is affected.
A detailed description of the vulnerability:
The default password change routine in the pam_unix_passwd.so module (called from the passwd utility) creates a temporary file, /etc/nshadow, using fopen(). Unfortunately, the process's umask is not changed first. Approximately three syscalls later, chmod is called to set the proper mode (0600) on this file, but until then the file's permissions are 0666 & ~umask. Since the umask of the current process is inherited from its parent (the user's shell), a caller who sets umask to 0 gets an /etc/nshadow with permissions 0666 for the duration of that window. Afterwards the file is moved over /etc/shadow using rename(), so anything written into it while it was world-writable becomes the new shadow file.
The trace output for the critical part of the code (from strace, process 2957 is passwd):
2957 open("/etc/nshadow", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 8
[...]
2957 chown("/etc/nshadow", 0, 0) = 0
2957 chmod("/etc/nshadow", 0600) = 0
[...]
2957 rename("/etc/nshadow", "/etc/shadow") = 0
An example of the impact of this bug follows. In the session below, gdb is attached from a second, root shell only to freeze passwd inside the window so that the mode of /etc/nshadow can be inspected; an attacker without root would instead race the window, for instance by looping on open() of /etc/nshadow while a password change is in progress.
$ umask 0
$ echo $$
3023
$ exec passwd
Changing password for lcamtuf
(current) UNIX password:
New UNIX password:
# gdb passwd 3023
Attaching to program `/usr/bin/passwd', process 3023
[...]
0x400c37b4 in __read ()
(gdb) break chown
Breakpoint 1 at 0x400c4480
(gdb) c
Continuing.
Retype new UNIX password:
Breakpoint 1, 0x400c4480 in chown ()
# ls -la /etc/nshadow
-rw-rw-rw- 1 root root 0 Dec 4 11:56 /etc/nshadow
The file is owned by root but world-readable and world-writable. This is a typical race condition and is considered exploitable.
To fix this you can do either of the following:
1) chmod -s /usr/bin/passwd (this is not a permanent fix, but a temporary workaround that also stops ordinary users from changing their passwords).
2) Call umask(077) in the module's source code before the temporary file is created, so that fopen() never produces a group- or world-accessible file.
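The following is an added example, not code from the PAM module or from the advisory author. It reproduces the two patterns side by side: the vulnerable create-then-chmod sequence described above (fix it later), and the hardened form from fix 2 (force a restrictive umask and pass an explicit 0600 mode at creation). Each function returns the permission bits the file carries inside the window, which is exactly what a racing process would see. The temporary paths under /tmp, the function names and the run_demo() driver are assumptions made for this example; the shadow file itself is not touched.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Vulnerable pattern (mirrors pam_unix_passwd.so as described above):
 * fopen(path, "w") becomes open(O_WRONLY|O_CREAT|O_TRUNC, 0666), so the
 * resulting mode is 0666 & ~umask.  chmod() only runs afterwards.
 * Returns 0 on success and stores the mode seen *before* chmod. */
int create_vulnerable(const char *path, mode_t *mode_in_window) {
    struct stat st;
    FILE *fp = fopen(path, "w");
    if (fp == NULL)
        return -1;
    /* --- race window: with umask 0 the file is world-writable here --- */
    if (stat(path, &st) != 0) {
        fclose(fp);
        return -1;
    }
    *mode_in_window = st.st_mode & 07777;
    chmod(path, 0600);                   /* too late: the window is already open */
    fclose(fp);
    return 0;
}

/* Hardened pattern: never trust the inherited umask.  Force 077 for the
 * creation, ask for 0600 explicitly, and use O_EXCL so a pre-planted file
 * at the temporary path makes the operation fail instead of being reused.
 * The mode is read back with fstat() on the descriptor, not by path. */
int create_hardened(const char *path, mode_t *mode_in_window) {
    struct stat st;
    mode_t old = umask(077);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    umask(old);                          /* restore the caller's umask */
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0) {
        close(fd);
        return -1;
    }
    *mode_in_window = st.st_mode & 07777;
    close(fd);
    return 0;
}

/* Driver: simulate the attacker's shell (umask 0) and run both patterns on
 * per-process scratch files under /tmp (assumed writable).  Fills in the
 * window mode of each variant; returns 0 if both creations succeeded. */
int run_demo(mode_t *vuln_mode, mode_t *safe_mode) {
    char vpath[64], spath[64];
    int rc = 0;
    snprintf(vpath, sizeof vpath, "/tmp/nshadow.vuln.%ld", (long)getpid());
    snprintf(spath, sizeof spath, "/tmp/nshadow.safe.%ld", (long)getpid());
    unlink(vpath);
    unlink(spath);
    umask(0);                            /* what "$ umask 0" hands to passwd */
    if (create_vulnerable(vpath, vuln_mode) != 0)
        rc = -1;
    if (create_hardened(spath, safe_mode) != 0)
        rc = -1;
    unlink(vpath);
    unlink(spath);
    return rc;
}

int main(void) {
    mode_t v = 0, s = 0;
    if (run_demo(&v, &s) != 0) {
        perror("run_demo");
        return 1;
    }
    printf("fopen() then chmod(): mode in window = %04o\n", (unsigned)v);
    printf("umask(077) + open(0600): mode in window = %04o\n", (unsigned)s);
    return 0;
}
```

Run with any umask; the driver sets umask 0 itself, so the vulnerable path reports 0666 and the hardened path 0600. Passing the mode to open() at creation time is the part that actually closes the window; umask(077) alone would also do it, which is why fix 2 above is sufficient, but an explicit mode plus O_EXCL does not depend on every code path remembering to set the umask first.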