Linux-PAM pam_namespace Local Privilege Escalation Vulnerability
Release date:
Updated on:
Affected Systems:
Linux-PAM <1.1.3
Unaffected system:
Linux-PAM 1.1.3
Description:
--------------------------------------------------------------------------------
Bugtraq id: 44590
CVE id: CVE-2010-3853
Pluggable Authentication Modules (PAM) is a framework for authenticating users and is used by multiple Linux distributions.
The pam_namespace module of Linux-PAM executes the external script namespace.init with the unchanged environment inherited from the calling PAM application. If that environment is not trustworthy (for example, when pam_namespace is configured for setuid applications such as su or sudo), a local unprivileged user can exploit this vulnerability to escalate privileges.
<* Source: Tomas Mraz
Link: http://secunia.com/advisories/42088/
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=643043
https://www.redhat.com/support/errata/RHSA-2010-0819.html
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
1. Add the following to /etc/security/namespace.conf:
/var/tmp-inst/user ~ root
2. Add the following to /etc/pam.d/sudo:
session optional pam_namespace.so
3. Add the following line to /etc/security/namespace.init:
/usr/bin/printenv
4. Allow a command such as /usr/bin/id to be executed in sudoers:
testuser ALL = (ALL) /usr/bin/id
5. Run sudo /usr/bin/id as testuser.
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
RedHat
------
Red Hat has released a security bulletin (RHSA-2010:0819-01) and a patch for this issue:
RHSA-2010:0819-01: Moderate: pam security update
Link: https://www.redhat.com/support/errata/RHSA-2010-0819.html
Linux-PAM
---------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/ChangeLog?revision=1.546&view=markup&pathrev=Linux-PAM-1_1_3