Bug 98391 – pam_timestamp_check.so privilege escalation

Bug 98391 - pam_timestamp_check.so privilege escalation

Summary:	pam_timestamp_check.so privilege escalation

Status:	CLOSED CURRENTRELEASE

Aliases:	None

Product:	Red Hat Linux
Classification:	Retired
Component:	pam (Show other bugs)
Sub Component:
Version:	9
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Jindrich Novy
QA Contact:
Docs Contact:

URL:	http://marc.theaimsgroup.com/?l=full-...
Whiteboard:
Keywords:	Security

Duplicates:	98650 98651 104641 (view as bug list)
Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2003-07-02 06:58 EDT by Mark J. Cox (Product Security)
Modified:	2013-07-02 18:58 EDT (History)
CC List:	5 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2004-09-21 05:11:32 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Mark J. Cox (Product Security) 2003-07-02 06:58:54 EDT

Reported to Bugtraq on Jul02 that pam_timestamp_check can be used to gain
privileges if a local attacker can create a file in /var/run/sudo.  The file
contents are not checked so any tmp file creation vulnerabilty can be used to
create such a file.

A solution would be to check for some particular content in the ticket file (as
any vulnerability that allows arbitrary contents to be written to arbitrary
files has greater security implications).

Comment 1 Mark J. Cox (Product Security) 2003-07-02 10:01:49 EDT

Just to clarify this issue: what the reporter found is that if you can find a
temporary file creation vulnerability which lets a user create an arbitrary
named file as root (for an example see
http://rhn.redhat.com/errata/RHSA-2003-039.html) then you can utilise the issue
found in the pam_timestamp_check module to gain root privileges.

Comment 2 Mark J. Cox (Product Security) 2003-07-07 04:19:54 EDT

*** Bug 98651 has been marked as a duplicate of this bug. ***

Comment 3 Mark J. Cox (Product Security) 2003-07-07 04:23:22 EDT

We're working on an update where a key is created when first needed and stored
in the /var/run/sudo files along with the timestamp (so the file timestamp also
does not need to be trusted).

Comment 4 Stephen Samuel 2003-07-13 09:06:57 EDT

This is somewhat related to bug #99058 (userhelper needs 'remember password' box)

Comment 5 Mark J. Cox (Product Security) 2004-04-30 05:41:06 EDT

*** Bug 104641 has been marked as a duplicate of this bug. ***

Comment 6 Jindrich Novy 2004-09-17 09:53:45 EDT

*** Bug 98650 has been marked as a duplicate of this bug. ***

Comment 7 Jindrich Novy 2004-09-21 05:11:32 EDT

This is already fixed in current releases.

Note You need to log in before you can comment on or make changes to this bug.