Bug 461960 (CVE-2008-3825)
Summary: | CVE-2008-3825 pam_krb5 existing_ticket permission flaw | ||||||
---|---|---|---|---|---|---|---|
Product: | [Other] Security Response | Reporter: | Josh Bressers <bressers> | ||||
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
Status: | CLOSED ERRATA | QA Contact: | |||||
Severity: | medium | Docs Contact: | |||||
Priority: | medium | ||||||
Version: | unspecified | CC: | jlieskov, kreilly, nalin, security-response-team, stephane.bertin | ||||
Target Milestone: | --- | Keywords: | Security | ||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2008-10-04 12:18:04 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | 462112, 462113 | ||||||
Bug Blocks: | |||||||
Attachments: |
|
Description
Josh Bressers
2008-09-11 17:16:28 UTC
Created attachment 316461 [details]
Patch from nalin
nalin, Can you provide a nice (easy) example reproducer so I can pass it along with the patch to vendor-sec? Thanks As the victim user, obtain a Kerberos TGT. In the PAM configuration for "su", set the "existing_ticket" option by adding it as a parameter for the module when it's called to authenticate the user. (If you're using 2.2.22 or later, you can alternately set "existing_ticket = su" in the "pam" subsection of the "appdefaults" section of krb5.conf.) As the malicious user (who is presumably not able to read the victim's credential cache directly), set the KRB5CCNAME environment variable to point to the victim user's credential cache, and then attempt to use "su" to switch to the victim user's account (if you're prompted for a password by another module which is called before pam_krb5.so is called, you can supply it with any value). The module will read the victim's TGT from the victim's credential cache and accept it, even if the malicious user wouldn't ordinarily have access to the victim's credentials. Nalin, I have tested the patch. It partially solve the bug. The exploitation of the bug with su/sudo is no more possible. The module do not bypass restriction access on TGT file. But if this option is configured for sshd the exploitation is still possible (like describe in my post). It is possible to have access on a system just with information of credential name used by root. The difference now is that with this access the user has not access to TGT file (owner is root) so he cannot have access to TGS. The probability for exploitation is very low because it is necessary : to have existing_ticket option for SSH, root has a valid TGT and to know the credential used by root. At the end, please do not forget to back port the patch for previous release of pam_krb5 (included in RHEL5 and previous). And release updated rpm on RHN. Lifting embargo. pam_krb5-2.2.18-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report. pam_krb5-2.3.0-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report. This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0907.html Fedora: https://admin.fedoraproject.org/updates/F8/FEDORA-2008-8605 https://admin.fedoraproject.org/updates/F9/FEDORA-2008-8618 Please note this flaw does not affect versions of pam_krb5 as shipped in Red Hat Enterprise Linux 2.1, 3, or 4. Those versions of pam_krb5 do not support the existing ticket option. |