Bug 201507 - CVE-2006-3742 second login attempt by validated user bypasses login passwords
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: kdebase
Version: 6
Hardware: i386 Linux
Priority: medium, Severity: urgent
Assigned To: Ngo Than
QA Contact: Ben Levenson
Keywords: Reopened, Security
Blocks: 214665
Reported: 2006-08-06 14:42 EDT by D. Stimits
Modified: 2007-11-30 17:11 EST
Fixed In Version: FC6-update
Doc Type: Bug Fix
Last Closed: 2006-11-02 11:44:21 EST
Description D. Stimits 2006-08-06 14:42:00 EDT
Description of problem:
Using KDM and KDE (not GDM), a regular user must enter a password only once.
After logging out, anyone can log in as that user without a password. Logout
memorizes passwords until the next reboot.

Version-Release number of selected component (if applicable):
kdebase-3.5.3-0.4.fc5

How reproducible:
Always.

Steps to Reproduce:
1. Use KDM and KDE as login manager and setup.
2. Login as a regular user (might work with root if root is allowed, don't know).
3. Logout.
4. Log back in under KDM without entering a password.
  
Actual results:
Login always succeeds until rebooted.

Expected results:
Login should be denied without a password.

Additional info:
Manually running, as root from a console, "init 3" then "init 5" also removes
the password memorization.

I have not tested whether remote logins have this same behavior when set up for
remote KDM.
Comment 1 D. Stimits 2006-08-06 19:25:58 EDT
I also found out that if I log out, then control-alt-F1 to get to a console,
then alt-F7 to get back, it also stops the bug from showing up. It seems to
cache the password so long as the KDM manager itself is not made to give up any
cache it has for the most recent session. It seems that there is some sort of
current session cache that KDM fails to give up after the KDE logout, but other
actions do clear the cache (maybe it isn't cached, but it sure acts the same as
a cache with a buggy mechanism for knowing when to invalidate it).
Comment 3 Josh Bressers 2006-08-23 17:42:10 EDT
I see this behavior with FC5 and FC6t2.

I'm assigning this issue CVE-2006-3742.

There doesn't seem to be an upstream bug for this issue.  If there are no
complaints, I'll forward this issue on to the KDE security team and vendor-sec.
Comment 4 Ngo Than 2006-08-24 07:22:14 EDT
I have tried the above steps and cannot reproduce this problem here with current
FC5 and FC6 (rawhide).

It seems you have enabled kdm autologin; it does not require a password if this
option is enabled. This option is disabled by default.

Could you please check again? Thanks
Comment 5 Josh Bressers 2006-08-24 09:21:51 EDT
No autologin is enabled.  I login as myself, logout, then type my username in
and hit enter while the username textbox has focus.  Without entering a password
I am able to login.

The kdm configuration file is the one distributed in the kdebase rpm file.

# rpm -q kdebase
kdebase-3.5.4-0.2.fc5

I did some testing regarding this problem and it didn't manifest itself on
bootup, but only after I did a telinit 3, telinit 5.
Comment 6 Ngo Than 2006-08-24 11:41:44 EDT
I have now reinstalled kdebase-3.5.4-0.2.fc5 and made sure that I use
the kdm configuration in kdebase.

I login as myself (than), then logout and type my username (than)
in "Username:" and hit enter; the cursor jumps immediately into "Password:".
I have to enter my correct password here, otherwise I get "Login Failed".

Strange! Why does it work on my machine?

Could you please send /etc/X11/xdm/kdmrc and /etc/pam.d/kdm?
Comment 7 Josh Bressers 2006-08-24 13:21:03 EDT
Created attachment 134836 [details]
My kdmrc file
Comment 8 Josh Bressers 2006-08-24 13:21:24 EDT
Created attachment 134837 [details]
My /etc/pam.d/kdm file
Comment 9 D. Stimits 2006-08-24 20:02:32 EDT
I have not enabled any autologin...perhaps if this is a mistaken default installation
on Fedora it would explain it...attaching kdm and kdm-np from pam.d right after
I add this note.

I have to wonder though if this would have an effect on any other console
login...I'm guessing not. In any case, KDM is the only login with this behavior,
and certainly it was not enabled by myself.
Comment 10 D. Stimits 2006-08-24 20:03:44 EDT
Created attachment 134873 [details]
pam.d/kdm fc5

Unmodified by myself.
Comment 11 D. Stimits 2006-08-24 20:05:37 EDT
Created attachment 134874 [details]
pam.d/kdm-np

From fc5, unmodified by myself.
Comment 12 Ngo Than 2006-08-25 07:58:52 EDT
I can now reproduce this bug on my test machine too. It's not a bug in KDE
upstream, but it's a bug in our pam config file. It only affects
FC5/rawhide.

I will push new kdebase in fc5-update and rawhide soon.

Thanks for your report.
Comment 13 Josh Bressers 2006-08-25 08:32:06 EDT
Thanks Than.  Can you give me the fix? I'll at least give the vendor-sec crowd a
heads up (in the event any of them are vulnerable).  Feel free to push updates
whenever you wish.

Please be sure to release the FC5 update as a security update (using the CVE id
in the summary).
Comment 14 Ngo Than 2006-08-25 08:40:58 EDT
Here is the fix.

--- kdebase-3.5.4/kde.pamd.redhat       2005-09-10 10:26:16.000000000 +0200
+++ kdebase-3.5.4/kde.pamd      2006-08-25 14:15:02.000000000 +0200
@@ -1,7 +1,9 @@
 #%PAM-1.0
-auth       required    /lib/security/pam_pwdb.so shadow nullok
-auth       required    /lib/security/pam_nologin.so
-account    required    /lib/security/pam_pwdb.so
-password   required    /lib/security/pam_cracklib.so
-password   required    /lib/security/pam_pwdb.so shadow nullok use_authtok
-session    required    /lib/security/pam_pwdb.so
+auth       include     system-auth
+account    required    pam_nologin.so
+account    include     system-auth
+password   include     system-auth
+session    include     system-auth
+session    required    pam_loginuid.so
+session    optional    pam_selinux.so
+session    optional    pam_console.so
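Review bot: the new auth stack is the single line `auth include system-auth`, so everything about the password check now comes from system-auth, and nothing in the patch says which of the removed lines let the second login through (the removed auth line used `/lib/security/pam_pwdb.so shadow nullok`). Please name the offending line in the changelog so users can make an interim edit, and confirm that system-auth's auth stack is what this service should inherit. `pam_nologin.so` also moves from the auth stack to the account stack in this hunk; if that is intended, say so in the changelog.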
Comment 15 D. Stimits 2006-08-26 14:48:23 EDT
Can you point out which config lines of the pam.d files need to be changed for
the interim? It might be useful for a simple configuration issue to simply name
the lines which are causing this.
Comment 16 Mark J. Cox (Product Security) 2006-08-29 04:20:38 EDT
Removing embargo, update was pushed FEDORA-2006-942
Comment 17 Bill Nottingham 2006-10-31 14:15:20 EST
I've just reproduced this on a FC6 box with kdebase-3.5.5-0.1.fc6.
Comment 18 Ngo Than 2006-11-02 11:44:21 EST
Oh, it seems the bug is still in FC6/RHEL5-Beta. It's now fixed in RHEL5/FC6 CVS.
New package will be built for RHEL5/FC6-update today. Bill, thanks for 
checking that!
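
An added example, not part of the bug report or of Fedora's packaging: a small PAM service-file parser that reports how closely a file still resembles the pre-fix layout from the diff in Comment 14. The two sample inputs are constructed from that diff's removed and added lines, the function names are hypothetical, and the check does not claim to identify which line caused the bypass.

```python
import re

# Constructed inputs: the removed and added stanzas of the diff in Comment 14.
PRE_FIX = """#%PAM-1.0
auth       required    /lib/security/pam_pwdb.so shadow nullok
auth       required    /lib/security/pam_nologin.so
account    required    /lib/security/pam_pwdb.so
password   required    /lib/security/pam_cracklib.so
password   required    /lib/security/pam_pwdb.so shadow nullok use_authtok
session    required    /lib/security/pam_pwdb.so
"""
POST_FIX = """#%PAM-1.0
auth       include     system-auth
account    required    pam_nologin.so
account    include     system-auth
password   include     system-auth
session    include     system-auth
session    required    pam_loginuid.so
session    optional    pam_selinux.so
session    optional    pam_console.so
"""

# type, control (plain word or [bracketed list]), module, optional arguments
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Parse a PAM service file into (type, control, module, args) tuples."""
    rules = []
    for raw in text.replace("\\\n", " ").splitlines():  # join continued lines
        line = raw.split("#", 1)[0].strip()  # drop comments, incl. #%PAM-1.0
        m = RULE.match(line)
        if m:
            kind, control, module, args = m.groups()
            rules.append((kind.lstrip("-").lower(), control, module, args.split()))
    return rules

def audit(text):
    """Summarise how far a file resembles the pre-fix layout."""
    rules = parse_pam(text)
    auth = [r for r in rules if r[0] == "auth"]
    return {
        "pam_pwdb_rules": sum(r[2].rsplit("/", 1)[-1] == "pam_pwdb.so" for r in rules),
        "absolute_module_paths": sum(r[2].startswith("/") for r in rules),
        "auth_nullok": sum("nullok" in r[3] for r in auth),
        "auth_includes_system_auth": any(
            r[1] in ("include", "substack") and r[2] == "system-auth" for r in auth),
    }

if __name__ == "__main__":
    for name, text in (("pre-fix", PRE_FIX), ("post-fix", POST_FIX)):
        print(name, audit(text))
```

To check an installed system, pass the contents of the PAM service file (for example the `/etc/pam.d/kdm` file requested in Comment 6) to `audit()`.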