Bug 201507
| Summary: | CVE-2006-3742 second login attempt by validated user bypasses login passwords | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | D. Stimits <stimits> |
| Component: | kdebase | Assignee: | Than Ngo <than> |
| Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
| Severity: | urgent | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6 | CC: | notting, security-response-team |
| Target Milestone: | --- | Keywords: | Reopened, Security |
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | FC6-update | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2006-11-02 16:44:21 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 214665 | ||
|
Description
D. Stimits
2006-08-06 18:42:00 UTC
I also found out that if I log out, then control-alt-F1 to get to a console, then alt-F7 to get back, it also stops the bug from showing up. It seems to cache the password so long as the KDM manager itself is not made to give up any cache it has for the most recent session. It seems that there is some sort of current session cache that KDM fails to give up after the KDE logout, but other actions do clear the cache (maybe it isn't cached, but it sure acts the same as a cache with a buggy mechanism for knowing when to invalidate it). I see this behavior with FC5 and FC6t2. I'm assigning this issue CVE-2006-3742. There doesn't seem to be an upstream bug for this issue. If there are no complaints, I'll forward this issue on to the KDE security team and vendor-sec. I have tried above steps and cannot reproduce this problem here with current fc5 and FC6 (rawhide). It seems you have enabled kdm autologin, it does not require password if this option is enable. This option is disable by default. could you please check again? Thank No autologin is enabled. I login as myself, logout, then type my username in and hit enter while the username textbox has focus. Without entering a password I am able to login. The kdm configuration file is the one distributed in the kdebase rpm file. # rpm -q kdebase kdebase-3.5.4-0.2.fc5 I did some testing regarding this problem and it didn't manifest itself on bootup, but only after I did a telinit 3, telinit 5. i have now reinstalled kdebase-3.5.4-0.2.fc5 and made sure that i use the kdm configuration in kdebase. I login as myself (than), then logout and type my username (than) in "Username:" and hit enter, the cursor jumps immediately into "Password:" I have to enter my correct password here otherwise i got "Login Faild" Strange! why does it work on my machine? Could you please send /etc/X11/xdm/kdmrc and /etc/pam.d/kdm? Created attachment 134836 [details]
My kdmrc file
Created attachment 134837 [details]
My /etc/pam.d/kdm file
I not enabled any autologin...perhaps if this is a mistaken default installation on fedora it would explain it...attaching kdm and kdm-np from pam.d right after I add this note. I have to wonder though if this would have an effect on any other console login...I'm guessing not. In any case, KDM is the only login with this behavior, and certainly it was not enabled by myself. Created attachment 134873 [details]
pam.d/kdm fc5
Unmodified by myself.
Created attachment 134874 [details]
pam.d/kdm-np
From fc5, unmodified by myself.
i can now reproduce this bug on my test machine too. It's not a bug in kde upstream, but it's a bug in our pam config file. It's only affected in FC5/rawhide. I will push new kdebase in fc5-update and rawhide soon. Thanks for your report. Thanks Than. Can you give me the fix, I'll at least give the vendor-sec crowd a heads up (in the event any of them are vulnerable). Feel free to push updates whenever you wish. Please be sure to release the FC5 update as a secuirty update (using the CVE id in the summary) here is the fix. --- kdebase-3.5.4/kde.pamd.redhat 2005-09-10 10:26:16.000000000 +0200 +++ kdebase-3.5.4/kde.pamd 2006-08-25 14:15:02.000000000 +0200 @@ -1,7 +1,9 @@ #%PAM-1.0 -auth required /lib/security/pam_pwdb.so shadow nullok -auth required /lib/security/pam_nologin.so -account required /lib/security/pam_pwdb.so -password required /lib/security/pam_cracklib.so -password required /lib/security/pam_pwdb.so shadow nullok use_authtok -session required /lib/security/pam_pwdb.so +auth include system-auth +account required pam_nologin.so +account include system-auth +password include system-auth +session include system-auth +session required pam_loginuid.so +session optional pam_selinux.so +session optional pam_console.so Can you point out which config lines of the pam.d files need to be changed for the interim? It might be useful for a simple configuration issue to simply name the lines which are causing this. Removing embargo, update was pushed FEDORA-2006-942 I've just reproduced this on a FC6 box with kdebase-3.5.5-0.1.fc6. oh, it seems the bug is still FC6/RHEL5-Beta. It's now fixed in RHEL5/FC6 CVS. New package will be built for RHEL5/FC6-update today. Bill, thanks for checking that! |