Bug 98650 - pam-timestamp allows root escalation
Status: CLOSED DUPLICATE of bug 98391
Product: Red Hat Linux
Classification: Retired
Component: pam
Version: 9
Hardware/OS: All Linux
Priority: medium  Severity: medium
Assigned To: Jindrich Novy
QA Contact: Jay Turner
URL: http://www.security-focus.com/archive...
Reported: 2003-07-06 15:31 EDT by Stephen Samuel
Modified: 2015-01-07 19:05 EST
Doc Type: Bug Fix
Last Closed: 2006-02-21 13:56:57 EST

Description Stephen Samuel 2003-07-06 15:31:03 EDT
Description of problem:
pam-timestamp (as described in the vuln-dev article) allows any user who can
trick a setuid program into creating an arbitrary file to create a root
account or do anything else which the pam-timestamp utility allows.

This escalates any file-creation vulnerability into a local-root exploit.

Version-Release number of selected component (if applicable):
pam-0.75-48

How reproducible:
Always

Steps to Reproduce:
1. As yourself:
     ln -s /var/run/sudo/$USER/unknown:root /tmp/oops
2. As root:
     touch /tmp/oops
3. As yourself: open the system-settings/users&groups utility from the
Red Hat menu.
4. Create an account with explicit uid=0

Actual Results:  allowed to run program as uid=0

Expected Results:  pam recognizes the /var/run/sudo/$USER/unknown:root file as
a fake.

Additional info:

The suggested idea of putting some hard-to-create information into the sudo file
seems like a good one.
Something like:

tty=`tty`
tty=${tty#/dev/pts/}
userinfo="$USER/$tty:root"
date=`date +%s`
# stamp line: "<userinfo> <date> <md5 of that text followed by the host key>"
echo "$userinfo" "$date" `{ echo "$userinfo" "$date" ; cat /etc/ssh/ssh_host_rsa_key ; } | md5sum` > /var/run/sudo/$userinfo

would create a reasonably high barrier to entry for any hacker trying to exploit
this bug. It's also reasonably easy to verify:

datestamp=`awk '{ printf "%s", $2 }' /var/run/sudo/$userinfo`

# recompute the line from the stored datestamp and diff it against the file;
# any difference means the file was not written with the host key
echo "$userinfo" "$datestamp" `{ echo "$userinfo" "$datestamp" ; cat /etc/ssh/ssh_host_rsa_key ; } | md5sum` | diff - /var/run/sudo/$userinfo

I'd also want to compare $datestamp to the modtime on /var/run/sudo/$userinfo
to make sure that they were within a couple of seconds of each other (to
frustrate replay attacks).
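The stamp design sketched in the description, rendered as an added, self-contained example (this is not the reporter's code and not part of pam or sudo). It writes a stamp file in the same `<stamp_dir>/<user>/<tty>:<target>` layout, authenticates the `<userinfo> <epoch>` text with a keyed hash, and on verification also compares the embedded time with the file's mtime as the reporter proposes. Two substitutions are labelled as assumptions: HMAC-SHA256 under a constructed secret stands in for `md5sum` over the text plus `/etc/ssh/ssh_host_rsa_key`, and the tolerance `MAX_SKEW_SECONDS` is my reading of "within a couple of seconds". The `demo()` function exercises the checks against a genuine stamp, the empty file that a root `touch` through a symlink leaves behind, a stamp made with the wrong key, and stale stamp contents in a freshly created file.

```python
import hashlib
import hmac
import os
import tempfile
import time

# Assumption: a stamp is trusted only if its embedded time and the file's
# mtime agree to within this many seconds (the "couple of seconds" above).
MAX_SKEW_SECONDS = 2


def stamp_path(stamp_dir, user, tty, target):
    # Mirrors the /var/run/sudo/$USER/$tty:$target layout from the report.
    return os.path.join(stamp_dir, user, f"{tty}:{target}")


def stamp_mac(secret, userinfo, when):
    # HMAC-SHA256 over "userinfo when", keyed with the host secret, stands in
    # for the report's md5sum over the same text followed by the host key.
    return hmac.new(secret, f"{userinfo} {when}".encode(), hashlib.sha256).hexdigest()


def write_stamp(stamp_dir, user, tty, target, secret, when=None):
    """Write one stamp line: '<user>/<tty>:<target> <epoch> <mac>'."""
    when = int(time.time() if when is None else when)
    userinfo = f"{user}/{tty}:{target}"
    path = stamp_path(stamp_dir, user, tty, target)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(f"{userinfo} {when} {stamp_mac(secret, userinfo, when)}\n")
    return path


def verify_stamp(stamp_dir, user, tty, target, secret):
    """Return (ok, reason); each failure mode from the report gets a name."""
    path = stamp_path(stamp_dir, user, tty, target)
    try:
        with open(path) as fh:
            line = fh.readline().strip()
        mtime = int(os.stat(path).st_mtime)
    except OSError:
        return False, "missing"
    parts = line.split()
    if len(parts) != 3:
        # An empty file, e.g. one created by `touch` through a symlink, ends here.
        return False, "malformed"
    userinfo, when, mac = parts
    if userinfo != f"{user}/{tty}:{target}" or not when.isdigit():
        return False, "malformed"
    if not hmac.compare_digest(stamp_mac(secret, userinfo, when), mac):
        # Right shape, but not produced with the host secret.
        return False, "bad mac"
    if abs(mtime - int(when)) > MAX_SKEW_SECONDS:
        # Old stamp contents dropped into a freshly created file.
        return False, "stale stamp"
    return True, "ok"


def demo():
    """Run the checks against constructed stamps in a temporary directory."""
    secret = b"constructed-host-secret-not-a-real-key"  # constructed sample value
    results = {}
    with tempfile.TemporaryDirectory() as stamp_dir:
        args = (stamp_dir, "alice", "3", "root")
        write_stamp(*args, secret)
        results["genuine"] = verify_stamp(*args, secret)
        # Empty file, as left by step 2 of the report (root `touch` via symlink).
        open(stamp_path(*args), "w").close()
        results["empty_file"] = verify_stamp(*args, secret)
        # Well-formed line authenticated with a key that is not the host's.
        write_stamp(*args, b"wrong-key")
        results["forged"] = verify_stamp(*args, secret)
        # Stamp text from ten minutes ago written into a fresh file (replay).
        write_stamp(*args, secret, when=time.time() - 600)
        results["replayed"] = verify_stamp(*args, secret)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} {outcome}")
```

The mtime comparison is what turns a copied-in old stamp into a rejected one: the attacker can reproduce the bytes of a stamp they once saw, but a file they create now carries a current mtime that no longer matches the embedded epoch.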
Comment 1 Jindrich Novy 2004-09-17 09:53:38 EDT

*** This bug has been marked as a duplicate of 98391 ***
Comment 2 Red Hat Bugzilla 2006-02-21 13:56:57 EST
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.
