237003 – (CVE-2007-1859) CVE-2007-1859 xscreensaver authentication bypass

Bug 237003 (CVE-2007-1859) - CVE-2007-1859 xscreensaver authentication bypass

Summary: CVE-2007-1859 xscreensaver authentication bypass

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2007-1859
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2007-04-18 20:16 UTC by Josh Bressers
Modified:	2019-09-29 12:20 UTC (History)
CC List:	1 user (show)
Fixed In Version:	RHSA-2007-0322
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2007-05-02 14:26:30 UTC
Embargoed:

Attachments	(Terms of Use)
check for null passwd entry from getpwuid (451 bytes, patch) 2007-04-18 20:28 UTC, Ray Strode [halfline]	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2007:0322	0	normal	SHIPPED_LIVE	Moderate: xscreensaver security update	2008-01-07 15:17:33 UTC

Description Josh Bressers 2007-04-18 20:16:41 UTC

Alex Yamauchi reported a flaw in the way xscreensaver behaves when
authenticating against LDAP and having suffered a long term network outage.

Due to a flaw in the way xscreensaver parses a call to getpwuid(getuid()), a
local user can unlock the screen using any password.

Comment 1 Josh Bressers 2007-04-18 20:18:10 UTC

This flaw should also affect RHEL 2.1 and 3

Comment 2 Ray Strode [halfline] 2007-04-18 20:28:02 UTC

Created attachment 152950 [details]
check for null passwd entry from getpwuid

something like this work (although it hasn't been tested yet)

Comment 3 Ray Strode [halfline] 2007-04-18 21:43:09 UTC

xscreensaver-4.18-5.rhel4.14 built into RHEL-4-embargo . I can confirm it fixes
the problem.

Comment 4 Josh Bressers 2007-04-18 22:29:47 UTC

Ray, What about RHEL 2.1 and 3?

Comment 5 Ray Strode [halfline] 2007-04-19 03:27:54 UTC

They are xscreensaver-3.33-4.rhel21.4 and xscreensaver-4.10-21.el3 respectively.

Comment 6 Ray Strode [halfline] 2007-04-20 01:19:14 UTC

By the way, you can test this by:

1) su -c "scp username.redhat.com:/etc/krb* /etc"
2) running authconfig
3) choosing LDAP and Kerberos (but not LDAP for authentication) and making sure
NIS is unchecked.  For LDAP put ldap.boston.redhat.com and you don't need to use TLS
4) running getent passwd.  You should see all red hat accounts in the output
5) editing /etc/ldap.conf and setting the bind_timelimit to 1 or a small number
6) logging in
7) run xscreensaver-command -lock
8) pull the networking cable
9) move the mouse and wait for the dialog to come up.  After a long time it (i
went to lunch and came back) it will eventually come up with "???".
10) type any password and watch xscreensaver crash, unlocking the screen

If you add a step

7.5)  sss into the machine and run su -c "/sbin/ifdown eth0" then I don't think
you'll have to wait as long in step 9

Comment 8 Ondrej Hudlicky 2007-04-23 10:36:48 UTC

Repruducer comment for Stable System testing: 
Pulling the cable not needed, just config iptables/firewall 

8) iptables -A -s ldap.boston.redhat.com -j DROP
flaw reproducible in approx. 5 min

Comment 11 Josh Bressers 2007-05-02 13:36:36 UTC

This flaw is public with the release of xscreensaver 5.02

Comment 12 Red Hat Bugzilla 2007-05-02 14:26:30 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0322.html

Note You need to log in before you can comment on or make changes to this bug.