Bug 426578 - (CVE-2008-0003) CVE-2008-0003 tog-pegasus pam authentication buffer overflow
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: urgent
Severity: urgent
Assigned To: Vitezslav Crhonek
Whiteboard: reported=20071222,impact=critical,pub...
Keywords: Security
Depends On: 427210 427211 427212 427213 427214 427828 427829
Reported: 2007-12-22 09:47 EST by Mark J. Cox
Modified: 2014-11-10 08:31 EST
Fixed In Version: 2.6.0-3.fc7
Doc Type: Bug Fix
Last Closed: 2008-01-11 17:18:11 EST
Attachments
proposed patch from Roger Kumpf (2.62 KB, patch), 2008-01-02 03:55 EST, Mark J. Cox


External Trackers
Red Hat Product Errata RHSA-2008:0002 (priority normal, status SHIPPED_LIVE): Critical: tog-pegasus security update, last updated 2008-01-07 13:38:04 EST

Description Mark J. Cox 2007-12-22 09:47:56 EST
Whilst investigating a VMWare reported buffer overflow vulnerability (bug
#426568) in the PAM authentication code in the OpenPegasus CIM management server
that didn't affect Red Hat packages, I found another one that did.

This vulnerability can be exploited remotely and results in arbitrary code
execution with the privileges of the cimserver process.  Note that we do ship
with a default SELinux policy for this package.

Current embargo is unset.  Likely to be 2nd week of Jan 2008.
Comment 1 Mark J. Cox 2007-12-22 09:50:10 EST
This is a problem inside PAMBasicAuthenticator::PAMCallback()

                //                                                              
                // copy the user password                                       
                //                                                              
                resp[i]->resp = (char *)malloc(PAM_MAX_MSG_SIZE);
                strcpy(resp[i]->resp, mydata->userPassword);
                resp[i]->resp_retcode = 0;
                break;

But mydata->userPassword is in this case 2000 characters, and PAM_MAX_MSG_SIZE
is 512, leading to a stack buffer overflow.  Exploiting this will be tricky as
ExecShield is in use and we ship a default SELinux targeted policy for this server.
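As an added illustration, not code from the bug report or from OpenPegasus: the copy pattern quoted in comment 1 next to a bounded version that refuses any password that would not fit in the fixed-size buffer. PAM_MAX_MSG_SIZE is defined here as 512 to match the value stated in the comment; the function names, the helper used to exercise them, and the constructed 'A'-filled passwords are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: the limit named in comment 1 is 512 bytes. */
#define PAM_MAX_MSG_SIZE 512

/* The pattern quoted from PAMCallback(): a fixed-size allocation followed by an
 * unbounded strcpy(). Any password of PAM_MAX_MSG_SIZE bytes or more (counting
 * the terminating NUL) writes past the end of the buffer. Kept for contrast only;
 * nothing in this file calls it with an oversized string. */
char *copy_password_unbounded(const char *password)
{
    char *out = malloc(PAM_MAX_MSG_SIZE);
    if (out == NULL)
        return NULL;
    strcpy(out, password);          /* no length check: this is the overflow */
    return out;
}

/* Bounded replacement (hypothetical name). Scans at most PAM_MAX_MSG_SIZE bytes,
 * rejects any password with no terminator inside that window, and sizes the
 * allocation from the measured length. Returns NULL on rejection or allocation
 * failure; the caller owns the returned buffer. */
char *copy_password_bounded(const char *password)
{
    size_t len = strnlen(password, PAM_MAX_MSG_SIZE);
    if (len >= PAM_MAX_MSG_SIZE)    /* too long to fit with its NUL: refuse */
        return NULL;
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, password, len + 1); /* exactly len bytes plus the NUL */
    return out;
}

/* Test helper: build a constructed password of n 'A' bytes and report whether
 * the bounded copy accepts it (1) or rejects it (0); -1 on allocation failure. */
int bounded_copy_accepts_len(size_t n)
{
    char *pw = malloc(n + 1);
    if (pw == NULL)
        return -1;
    memset(pw, 'A', n);
    pw[n] = '\0';
    char *copy = copy_password_bounded(pw);
    int accepted = (copy != NULL && strlen(copy) == n);
    free(copy);
    free(pw);
    return accepted;
}

int main(void)
{
    /* 2000 bytes is the length given in comment 1; 511 is the largest that fits. */
    printf("511-byte password accepted: %d\n", bounded_copy_accepts_len(511));
    printf("512-byte password accepted: %d\n", bounded_copy_accepts_len(512));
    printf("2000-byte password accepted: %d\n", bounded_copy_accepts_len(2000));
    return 0;
}
```

The bounded version measures before it allocates, so the destination is always sized from the real input and the 2000-byte case is rejected rather than copied; strnlen() also keeps the scan itself inside the limit if the source is not terminated.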

Comment 3 Mark J. Cox 2008-01-02 03:55:30 EST
Created attachment 290635 [details]
proposed patch from Roger Kumpf
Comment 7 Mark J. Cox 2008-01-07 03:26:09 EST
Description for advisory:

During a security audit, a stack buffer overflow flaw was found in the PAM
authentication code in the OpenPegasus CIM management server. An
unauthenticated remote user could trigger this flaw and potentially execute
arbitrary code with root privileges. (CVE-2008-0003)
Comment 8 Mark J. Cox 2008-01-07 03:31:54 EST
Mitigation:

The tog-pegasus package is not installed by default on Red Hat Enterprise Linux.  

tog-pegasus supplied by Red Hat binds only to one port (as plain http is
disabled), port 5989.  The default firewall installed by Red Hat Enterprise
Linux will block remote access to this port.  In normal use it's unlikely you'd
want to have this port accessible outside of an intranet anyway, and it's likely
to be blocked by enterprise border firewalls.

However if tog-pegasus has been installed and unblocked through the firewall,
the Red Hat Security Response Team believes that it would still be hard to
remotely exploit this issue to execute arbitrary code due to the default SELinux
targeted policy on Enterprise Linux 4 and 5, and the SELinux memory protections
enabled by default on Enterprise Linux 5.
Comment 9 Mark J. Cox 2008-01-07 03:42:19 EST
When I found this issue I contacted OpenGroup (by email and phone) and other
possibly affected vendors via vendor-sec and suggested an embargo date of '2nd
week of January', we later clarified this as 'Jan 9th'.  OpenGroup committed a
fix for this issue last week (but without any notice of security implications)
and due to the high severity of this issue we're bringing the embargo forward to
Jan 7th.


http://www.openpegasus.org/pm/show_mail.tpl?CALLER=index.tpl&source=L&listname=pegasus-commit&id=20965&listid=pegasus-commit
http://cvs.opengroup.org/cgi-bin/cvsweb.cgi/pegasus/src/Pegasus/Security/Cimservera/Attic/cimservera.cpp.diff?cvsroot=Pegasus&r1=1.6&r2=1.6.32.1&f=H&only_with_tag=RELEASE_2_6-branch

Comment 10 Mark J. Cox 2008-01-07 03:43:36 EST
After installing the update you need to restart tog-pegasus in the usual way.
You can do this by running "service tog-pegasus restart".
Comment 12 Mark J. Cox 2008-01-07 13:20:43 EST
opening bug
Comment 14 Tomas Hoger 2008-01-07 13:43:33 EST
Updated packages were released for affected versions of Red Hat Enterprise Linux:

  https://rhn.redhat.com/errata/RHSA-2008-0002.html
Comment 15 Mark J. Cox 2008-01-08 03:41:58 EST
Opening up comment #1 as VMWare have now published their similar flaw in
OpenPegasus, http://marc.info/?l=full-disclosure&m=119975801904357&w=2

See https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-5360
for that issue (which doesn't affect us)
Comment 19 Fedora Update System 2008-01-11 17:18:08 EST
tog-pegasus-2.6.0-3.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 Fedora Update System 2008-01-11 17:26:03 EST
tog-pegasus-2.6.1-3.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.