Bug 637898 (CVE-2010-3316) - CVE-2010-3316 pam: pam_xauth missing return value checks from setuid() and similar calls
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-3316
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 642348 642349 644797 644798 833947
Blocks:
Reported: 2010-09-27 17:28 UTC by Vincent Danen
Modified: 2019-09-29 12:39 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-08-18 19:16:11 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0819 0 normal SHIPPED_LIVE Moderate: pam security update 2010-11-01 19:49:56 UTC
Red Hat Product Errata RHSA-2010:0891 0 normal SHIPPED_LIVE Moderate: pam security update 2010-11-16 17:51:52 UTC

Description Vincent Danen 2010-09-27 17:28:32 UTC
Tim Brown reported [1] a minor security flaw in pam_xauth where the run_coprocess() function, which is responsible for running 'xauth nlist' as the existing user and 'xauth merge' as the target user, does not check the return code on the setuid() call.  An attacker with the ability to manipulate the number of processes running on the target account can cause RLIMIT_NPROC to be breached when run_coprocess() is called to execute 'xauth merge' as the target user.

This issue was assigned the name CVE-2010-3316 [2] and is corrected in Linux-PAM 1.1.2 [3].

It is not believed to be exploitable on current kernels, at least not via RLIMIT_NPROC [4].

[1] https://sourceforge.net/tracker/?func=detail&aid=3028213&group_id=6663&atid=106663
[2] http://www.openwall.com/lists/oss-security/2010/09/24/2
[3] http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commitdiff;h=06f882f30092a39a1db867c9744b2ca8d60e4ad6
[4] http://www.openwall.com/lists/oss-security/2010/09/21/11

Comment 1 Tomas Hoger 2010-10-08 12:32:51 UTC
(In reply to comment #0)
> It is not believed to be exploitable on current kernels, at least not via
> RLIMIT_NPROC [4].

This statement seems to have been made in the context of one of the other PAM issues.  In the case of pam_xauth, it's easy to trigger a setuid() failure using RLIMIT_NPROC for one of the two xauth runs.

pam_xauth runs xauth twice.  First as "source" user, to list their Xauthority file and get session cookie for current X session, using 'xauth nlist'.  Then it runs it as "target" user to merge authentication cookie using 'xauth nmerge'.

pam_xauth is only likely to be set up as a PAM check for setuid programs that are run locally, such as su or various GUI configuration utilities started via usermode/consolehelper (e.g. system-config-* tools).  However, the kernel does not perform the RLIMIT_NPROC check when a process tries to setuid() to a UID that matches its current (real) UID, which is a common condition for setuid programs.  A program would need to reset its (real) UID before calling setuid() to assume the effective privileges of the invoking user.

If setuid() failure before 'xauth nlist' can be triggered, xauth running as root can be used to read any local file, which can be used to steal other users' X sessions authentication cookies.

It's easy to trigger setuid() fail before 'xauth nmerge' run, target user only needs to run RLIMIT_NPROC processes already (and be non-root user).

This can not be used for trivial destructive symlink attacks such as symlinking ~/.Xauthority to some target file only writeable to root, as pam_xauth creates temporary ~/.xauthXXXXXX instead of changing default ~/.Xauthority.  XAUTHORITY environment variable is set to point to that temporary file.

The file is created by pam_xauth and its name is passed to xauth as command line argument.  Hence it may be possible to race against 'xauth nmerge' and try to replace .xauthXXXXXX file with a symlink.  This still does not allow overwriting arbitrary target file due to the way xauth modifies X authority file - it creates new file with O_EXCL and 600 permission, opens original file for reading to copy its previous content, save all cookies in new file and replace old file with new one.  Use of O_CREAT|O_EXCL blocks symlink attacks against lock and temporary files created by xauth (.xauthXXXXXX{-c,-l,-n}).

It is possible to replace .xauthXXXXXX with a symlink and hence read other users' Xauthority files (the attack mentioned for 'xauth nlist' above), however stolen cookies will end up with .xauthXXXXXX file owned by root:target-user-group and permission 600, which can not be read by the target user.

This problem may be used to turn xauth X authority file reading flaw into privilege escalation issue.
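
The class of fix discussed in this bug (checking the result of setuid() and related calls before running a helper) can be sketched as follows. This is an added example, not Linux-PAM's code or the upstream patch; the names drop_privileges, run_as and RUN_AS_DROP_FAILED are hypothetical, and the helper command is a stand-in for xauth.

```c
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define RUN_AS_DROP_FAILED 126  /* hypothetical exit code: identity switch failed */

/* Switch to uid/gid permanently; return 0 only if every step verifiably worked. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    /* Order matters: groups and gid first, while we may still change them. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;  /* can fail, e.g. when RLIMIT_NPROC is hit */
    /* Do not rely on return values alone: confirm the resulting identity. */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    /* A permanent drop must not be reversible. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Run argv as uid/gid; returns its exit status, RUN_AS_DROP_FAILED, or -1. */
int run_as(uid_t uid, gid_t gid, char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0)
            _exit(RUN_AS_DROP_FAILED);  /* never exec with the old identity */
        execvp(argv[0], argv);
        _exit(127);                     /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char *const cmd[] = {"true", NULL};  /* stand-in for the xauth helper */
    /* Same identity as the caller: works with or without root. */
    printf("run_as(self): %d\n", run_as(getuid(), getgid(), cmd));
    return 0;
}
```

The key property is that the child exits before execvp() whenever the identity switch cannot be confirmed, so the helper never runs with the caller's original privileges.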

Comment 7 errata-xmlrpc 2010-11-01 19:50:02 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0819 https://rhn.redhat.com/errata/RHSA-2010-0819.html

Comment 8 errata-xmlrpc 2010-11-16 17:52:04 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0891 https://rhn.redhat.com/errata/RHSA-2010-0891.html

