Bug 746619 (CVE-2011-3148) - CVE-2011-3148 pam (pam_env): Stack-based buffer overflow by parsing user's pam_environment file
Summary: CVE-2011-3148 pam (pam_env): Stack-based buffer overflow by parsing user's pa...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-3148
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 767503 865990
Blocks: 746631 855229
TreeView+ depends on / blocked
 
Reported: 2011-10-17 10:06 UTC by Jan Lieskovsky
Modified: 2023-05-12 11:57 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-02-22 04:33:43 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0521 0 normal SHIPPED_LIVE Moderate: pam security, bug fix, and enhancement update 2013-02-20 21:28:50 UTC

Description Jan Lieskovsky 2011-10-17 10:06:01 UTC 
A stack-based buffer overflow flaw was found in the way the pam_env module of PAM (Pluggable Authentication Modules) security tool parsed content of user's ~/.pam_environment file for additional environment variables (the leading whitespace was not count into the count of bytes, which have been read into the buffer), when both pam_env module and reading of the user specific environment file were enabled. A local attacker could use this flaw to crash the pam_env module, or, potentially escalate their privileges.
Comment 1 Jan Lieskovsky 2011-10-17 10:08:00 UTC 
Acknowledgements:

Red Hat would like to thank Kees Cook of Google ChromeOS Team for reporting this issue.
Comment 8 Huzaifa S. Sidhpurwala 2011-10-18 05:03:03 UTC 
pam_env shipped in Red Hat Enterprise Linux 4 and Red Hat Enterprise Linux 5 does not support user defined environment files. Hence this issue does not affect Red Hat Enterprise Linux 4 and Red Hat Enterprise Linux 5.
Comment 9 Huzaifa S. Sidhpurwala 2011-10-18 05:10:10 UTC 
pam in Red Hat Enterprise Linux 6 disables reading user-supplied environment variables by default.

From the man file:

user_readenv=0|1
Turns on or off the reading of the user specific environment file. 0 is off, 1 is on. By default this option is off as user supplied environment variables in the PAM environment could affect behavior of subsequent modules in the stack without the consent of the system administrator.

From the code:
modules/pam_env/pam_env.c:13
#define DEFAULT_USER_READ_ENVFILE 0

This means that the admin will have to explicitly enable reading user-defined env. files via user_readenv=1 in the pam config file.

Same goes for Fedora
Comment 19 Huzaifa S. Sidhpurwala 2011-10-21 04:42:46 UTC 
This issue does not affect the version of pam package, as shipped with Fedora 14 and 15.
Comment 20 Jan Lieskovsky 2011-10-25 12:50:19 UTC 
Public via:
[1] https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874469

Relevant upstream patch is:
[2] http://git.fedorahosted.org/git/?p=linux-pam.git;a=commitdiff;h=caf5e7f61c8d9288daa49b4f61962e6b1239121d
Comment 21 john.haxby@oracle.com 2011-12-12 12:20:04 UTC 
I don't understand why this is closed NOTABUG.   The bug can be uncovered by setting the documented "user_readenv=1".   Just because the system does not ship with the necessary setting does not mean that the bug does not exist.

Unfortunately I am not able to reopen this bug, but I strongly recommend that you revisit this decision and if the you choose to leave it unopened you need to justify yourself.
Comment 23 john.haxby@oracle.com 2011-12-12 13:28:13 UTC 
Also, if this is NOTABUG then CVE-2011-3149 (bug 746620) needs to be closed NOTABUG as well, in spite of fixes upstream.
Comment 24 Huzaifa S. Sidhpurwala 2011-12-14 08:50:14 UTC 
(In reply to comment #23)
> Also, if this is NOTABUG then CVE-2011-3149 (bug 746620) needs to be closed
> NOTABUG as well, in spite of fixes upstream.

Both are different issues. This is a crash, CVE-2011-3149 is DoS
Comment 25 Huzaifa S. Sidhpurwala 2011-12-14 08:56:33 UTC 
(In reply to comment #21)
> I don't understand why this is closed NOTABUG.   The bug can be uncovered by
> setting the documented "user_readenv=1".   Just because the system does not
> ship with the necessary setting does not mean that the bug does not exist.
> 
> Unfortunately I am not able to reopen this bug, but I strongly recommend that
> you revisit this decision and if the you choose to leave it unopened you need
> to justify yourself.

We dont ship the configuration need to exploit this bug by default. But that is not the reason why this bug is closed. The crash is caught by SSP, which aborts the application and stops the buffer from overwriting the function return value.

However there may be other (more difficult) ways to exploit this issue, like guessing the canary values etc. Thus i am re-opening this issue.
Comment 27 Huzaifa S. Sidhpurwala 2011-12-14 09:02:23 UTC 
Created pam tracking bugs for this issue

Affects: fedora-all [bug 767503]
Comment 37 Huzaifa S. Sidhpurwala 2013-01-17 04:30:01 UTC 
The version of pam package as shipped with Red Hat Enterprise Linux 5 do not support reading user specific environment file. (default is ~/.pam_environment).

In Red Hat Enterprise Linux 6, reading user-supplied environment variables by default is explicitly disabled and will need to be enabled by adding "user_readenv=1" to the pam configuration file. (This can only be done as root). Even if the above option is enabled, the stack-based buffer overflow is caught by FORTIFY_SOURCE and hence is limited to application crash only.

Statement:

This issue did not affect the versions of pam package as shipped with Red Hat Enterprise Linux 5.
Comment 38 errata-xmlrpc 2013-02-21 10:36:36 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0521 https://rhn.redhat.com/errata/RHSA-2013-0521.html
Note You need to log in before you can comment on or make changes to this bug.