Bug 637898 - (CVE-2010-3316) CVE-2010-3316 pam: pam_xauth missing return value checks from setuid() and similar calls
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All  OS: Linux
Priority: medium  Severity: medium
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 642348 642349 644797 644798 833947
Reported: 2010-09-27 13:28 EDT by Vincent Danen
Modified: 2015-07-31 02:31 EDT

Doc Type: Bug Fix
Last Closed: 2011-08-18 15:16:11 EDT
Description Vincent Danen 2010-09-27 13:28:32 EDT
Tim Brown reported [1] a minor security flaw in pam_xauth where the run_coprocess() function, which is responsible for running 'xauth nlist' as the existing user and 'xauth merge' as the target user, does not check the return code on the setuid() call. An attacker with the ability to manipulate the number of processes running on the target account can cause RLIMIT_NPROC to be breached when run_coprocess() is called to execute 'xauth merge' as the target user.

This issue was assigned the name CVE-2010-3316 [2] and is corrected in Linux-PAM 1.1.2 [3].

It is not believed to be exploitable on current kernels, at least not via RLIMIT_NPROC [4].

[1] https://sourceforge.net/tracker/?func=detail&aid=3028213&group_id=6663&atid=106663
[2] http://www.openwall.com/lists/oss-security/2010/09/24/2
[3] http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commitdiff;h=06f882f30092a39a1db867c9744b2ca8d60e4ad6
[4] http://www.openwall.com/lists/oss-security/2010/09/21/11
Comment 1 Tomas Hoger 2010-10-08 08:32:51 EDT
(In reply to comment #0)
> It is not believed to be exploitable on current kernels, at least not via

This statement seems to have been made in the context of one of the other PAM issues. In the case of pam_xauth, it's easy to trigger a setuid() failure using RLIMIT_NPROC for one of the two xauth runs.

pam_xauth runs xauth twice. First as the "source" user, to list their Xauthority file and get the session cookie for the current X session, using 'xauth nlist'. Then it runs it as the "target" user to merge the authentication cookie using 'xauth nmerge'.

pam_xauth is only likely to be set up as a PAM check for setuid programs that are run locally, such as su or various GUI configuration utilities started via usermode/consolehelper (e.g. system-config-* tools). However, the kernel does not perform the RLIMIT_NPROC check when a process tries to setuid() to a UID that matches its current (real) UID, which is a common condition for setuid programs. The program would need to reset its (real) UID before calling setuid() to assume the effective privileges of the invoking user.

If a setuid() failure before 'xauth nlist' can be triggered, xauth running as root can be used to read any local file, which can be used to steal other users' X session authentication cookies.

It's easy to trigger a setuid() failure before the 'xauth nmerge' run; the target user only needs to be running RLIMIT_NPROC processes already (and be a non-root user).

This cannot be used for trivial destructive symlink attacks such as symlinking ~/.Xauthority to some target file only writable by root, as pam_xauth creates a temporary ~/.xauthXXXXXX instead of changing the default ~/.Xauthority. The XAUTHORITY environment variable is set to point to that temporary file.

The file is created by pam_xauth and its name is passed to xauth as a command line argument. Hence it may be possible to race against 'xauth nmerge' and try to replace the .xauthXXXXXX file with a symlink. This still does not allow overwriting an arbitrary target file due to the way xauth modifies the X authority file: it creates a new file with O_EXCL and 600 permissions, opens the original file for reading to copy its previous content, saves all cookies in the new file and replaces the old file with the new one. Use of O_CREAT|O_EXCL blocks symlink attacks against the lock and temporary files created by xauth (.xauthXXXXXX{-c,-l,-n}).

It is possible to replace .xauthXXXXXX with a symlink and hence read other users' Xauthority files (the attack mentioned for 'xauth nlist' above); however, the stolen cookies will end up in a .xauthXXXXXX file owned by root:target-user-group with permission 600, which cannot be read by the target user.

This problem may be used to turn the xauth X authority file reading flaw into a privilege escalation issue.
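The defect discussed in the description and in comment 1 is a credential change whose result is never examined. The C program below is added here as an illustration; it is not Linux-PAM code and not the pam_xauth fix. It shows the unchecked pattern (as a comment) beside a checked privilege drop of the kind the fix needs: every credential call is tested, the drop is verified afterwards, and the helper is refused rather than run if anything fails, so an EAGAIN caused by RLIMIT_NPROC lands in the same error path as an EPERM. It assumes Linux/glibc; the names `drop_privileges`, `privileges_are_dropped`, `run_as_user`, `helper_ok` and the exit status 111 are constructed for this example.

```c
/* Added example (not Linux-PAM code): a checked privilege drop of the kind
 * the pam_xauth fix needs. Every credential call is checked, the result is
 * verified, and the helper is never run if the drop failed. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed exit status used by the child when it cannot drop privileges. */
#define DROP_FAILED_STATUS 111

/* Returns 1 if the process really is running as uid, with no way back to root. */
int privileges_are_dropped(uid_t uid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    /* A non-root target must not be able to regain uid 0: if setuid(0)
     * succeeds here the saved set-user-ID was still root and the drop
     * was incomplete (the classic setuid-binary pitfall). */
    if (uid != 0 && setuid(0) == 0)
        return 0;
    return 1;
}

/* Hardened pattern: drop to uid/gid, checking every return value.
 * Returns 0 on success, -1 on any failure; errno describes the cause,
 * e.g. EAGAIN when the target uid already sits at RLIMIT_NPROC. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only root can (and needs to) clear supplementary groups. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* Group first: after setuid() the group could no longer be changed. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Trust nothing: confirm the kernel actually did what was asked. */
    if (getgid() != gid || getegid() != gid || !privileges_are_dropped(uid))
        return -1;
    return 0;
}

/* Vulnerable pattern (the shape of the unfixed run_coprocess()): the helper
 * is executed whether or not setuid() succeeded, so a failure such as
 * EAGAIN from RLIMIT_NPROC leaves it running as root.
 *
 *     setuid(uid);                       // return value ignored
 *     execv("/usr/bin/xauth", argv);     // runs with whatever uid we have
 */

/* Fixed pattern: run fn in a child as uid/gid, refusing to run it at all if
 * the credential change fails. Returns the child's exit status, or -1 if
 * the child could not be created or did not exit normally. */
int run_as_user(uid_t uid, gid_t gid, int (*fn)(void))
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0) {
            fprintf(stderr, "refusing to run helper: %s\n", strerror(errno));
            _exit(DROP_FAILED_STATUS);
        }
        _exit(fn() & 0xff);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Stand-in for the helper; a real caller would exec xauth here. */
int helper_ok(void)
{
    return 0;
}

int main(void)
{
    /* Dropping to our own uid always succeeds, so the helper runs. */
    printf("own uid: status %d\n", run_as_user(getuid(), getgid(), helper_ok));
    /* As an unprivileged user, uid 0 cannot be assumed: setgid(0) fails with
     * EPERM and the helper is not run (status 111). As root it succeeds. */
    printf("uid 0:   status %d\n", run_as_user(0, 0, helper_ok));
    return 0;
}
```

Compile with gcc and run as an ordinary user: the first call reports status 0, the second reports 111 because setgid(0) fails with EPERM and the helper never runs. Run as root both report 0, which is the point of the design: the helper only ever executes under the credentials it was asked for, never under whatever credentials the parent happened to keep.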
Comment 7 errata-xmlrpc 2010-11-01 15:50:02 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0819 https://rhn.redhat.com/errata/RHSA-2010-0819.html
Comment 8 errata-xmlrpc 2010-11-16 12:52:04 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0891 https://rhn.redhat.com/errata/RHSA-2010-0891.html
