Bug 426578 (CVE-2008-0003)
| Field | Value |
|---|---|
| Summary | CVE-2008-0003 tog-pegasus pam authentication buffer overflow |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED ERRATA |
| Severity | urgent |
| Priority | urgent |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Keywords | Security |
| Reporter | Mark J. Cox <mjc> |
| Assignee | Vitezslav Crhonek <vcrhonek> |
| CC | fenlason, jrusnack, kreilly, nalin, security-response-team |
| Fixed In Version | 2.6.0-3.fc7 |
| Doc Type | Bug Fix |
| Last Closed | 2008-01-11 22:18:11 UTC |
| Bug Depends On | 427210, 427211, 427212, 427213, 427214, 427828, 427829 |
Description
Mark J. Cox
2007-12-22 14:47:56 UTC
This is a problem inside PAMBasicAuthenticator::PAMCallback():

```cpp
//
// copy the user password
//
resp[i]->resp = (char *)malloc(PAM_MAX_MSG_SIZE);
strcpy(resp[i]->resp, mydata->userPassword);
resp[i]->resp_retcode = 0;
break;
```

But mydata->userPassword is in this case 2000 characters, and PAM_MAX_MSG_SIZE is 512, leading to a stack buffer overflow. Exploiting this will be tricky as ExecShield is in use and we ship a default SELinux targeted policy for this server.

Created attachment 290635: proposed patch from Roger Kumpf
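The copy described above, modelled as an added example in C (this is not code from the bug report, from OpenPegasus, or from Roger Kumpf's patch, which is not reproduced on this page). It measures how far a 2000-byte password would overrun a PAM_MAX_MSG_SIZE (512-byte) allocation without ever performing the undefined-behaviour copy, and shows one bounded replacement that rejects over-long input rather than copying it. The helper names pam_resp_overflow_bytes, pam_copy_password_bounded and make_constructed_password, and the reject-rather-than-truncate policy, are my assumptions; the constructed attacker input is a run of 'A's.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Linux-PAM's per-message limit (security/_pam_types.h). The report says a
   2000-byte password was copied into an allocation of exactly this size. */
#define PAM_MAX_MSG_SIZE 512

/* How many bytes an unbounded strcpy() of `password` would write past a
   PAM_MAX_MSG_SIZE buffer (0 when it fits). The vulnerable copy itself is
   never executed here: overrunning the buffer is undefined behaviour. */
size_t pam_resp_overflow_bytes(const char *password)
{
    size_t needed = strlen(password) + 1;   /* strcpy() writes the NUL as well */
    return needed > PAM_MAX_MSG_SIZE ? needed - PAM_MAX_MSG_SIZE : 0;
}

/* Bounded replacement for the copy in PAMCallback() (my own version, not the
   upstream fix): refuse a password that would not fit in a PAM_MAX_MSG_SIZE
   response, otherwise allocate exactly what is needed. PAM releases
   responses with free(), so the caller can hand the result back as before.
   Returns NULL when the input is rejected or malloc() fails. */
char *pam_copy_password_bounded(const char *password)
{
    size_t len = strlen(password);
    if (len + 1 > PAM_MAX_MSG_SIZE)
        return NULL;                        /* would overflow: reject, do not truncate */
    char *resp = malloc(len + 1);
    if (resp == NULL)
        return NULL;
    memcpy(resp, password, len + 1);
    return resp;
}

/* Constructed test input: a password of n 'A' bytes, as a remote client could
   submit in the CIM server's HTTP Basic authentication header. Caller frees. */
char *make_constructed_password(size_t n)
{
    char *p = malloc(n + 1);
    if (p == NULL)
        return NULL;
    memset(p, 'A', n);
    p[n] = '\0';
    return p;
}

int main(void)
{
    char *longpw = make_constructed_password(2000);
    if (longpw == NULL)
        return 1;

    printf("2000-byte password overruns the %d-byte buffer by %zu bytes\n",
           PAM_MAX_MSG_SIZE, pam_resp_overflow_bytes(longpw));
    printf("bounded copy of the 2000-byte password: %s\n",
           pam_copy_password_bounded(longpw) ? "accepted" : "rejected");

    char *ok = pam_copy_password_bounded("correct horse");
    printf("bounded copy of a normal password: %s\n", ok ? ok : "rejected");

    free(ok);
    free(longpw);
    return 0;
}
```

The boundary cases are the ones worth checking: 511 bytes plus the terminating NUL fits exactly, 512 bytes plus NUL is already one byte too many, and the report's 2000-byte input overruns by 1489 bytes.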
Description for advisory:

During a security audit, a stack buffer overflow flaw was found in the PAM authentication code in the OpenPegasus CIM management server. An unauthenticated remote user could trigger this flaw and potentially execute arbitrary code with root privileges. (CVE-2008-0003)

Mitigation:

The tog-pegasus package is not installed by default on Red Hat Enterprise Linux. tog-pegasus supplied by Red Hat binds only to one port (as plain http is disabled), port 5989. The default firewall installed by Red Hat Enterprise Linux will block remote access to this port. In normal use it's unlikely you'd want to have this port accessible outside of an intranet anyway, and it's likely to be blocked by enterprise border firewalls. However, if tog-pegasus has been installed and unblocked through the firewall, the Red Hat Security Response Team believes that it would still be hard to remotely exploit this issue to execute arbitrary code due to the default SELinux targeted policy on Enterprise Linux 4 and 5, and the SELinux memory protections enabled by default on Enterprise Linux 5.

When I found this issue I contacted OpenGroup (by email and phone) and other possibly affected vendors via vendor-sec and suggested an embargo date of "2nd week of January"; we later clarified this as "Jan 9th". OpenGroup committed a fix for this issue last week (but without any notice of security implications) and, due to the high severity of this issue, we're bringing the embargo forward to Jan 7th.

http://www.openpegasus.org/pm/show_mail.tpl?CALLER=index.tpl&source=L&listname=pegasus-commit&id=20965&listid=pegasus-commit

http://cvs.opengroup.org/cgi-bin/cvsweb.cgi/pegasus/src/Pegasus/Security/Cimservera/Attic/cimservera.cpp.diff?cvsroot=Pegasus&r1=1.6&r2=1.6.32.1&f=H&only_with_tag=RELEASE_2_6-branch

After installing the update you need to restart tog-pegasus in the usual way. You can do this by running "service tog-pegasus restart".

opening bug

Updated packages were released for affected versions of Red Hat Enterprise Linux: https://rhn.redhat.com/errata/RHSA-2008-0002.html

Opening up comment #1 as VMWare have now published their similar flaw in OpenPegasus: http://marc.info/?l=full-disclosure&m=119975801904357&w=2

See https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-5360 for that issue (which doesn't affect us).

tog-pegasus-2.6.0-3.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.

tog-pegasus-2.6.1-3.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.