From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624

Description of problem:
pam-timestamp (as described in the vuln-dev article) allows any user who can trick a setuid program into creating an arbitrary file to create a root account or do anything else which the pam-timestamp utility allows. This escalates any file-creation vulnerability into a local-root exploit.

Version-Release number of selected component (if applicable):
pam-0.75-48

How reproducible:
Always

Steps to Reproduce:
1. as yourself: ln -s /var/run/sudo/$USER/unknown:root /tmp/oops
2. as root: touch /tmp/oops
3. as yourself: open the system-settings/users&groups utility from the redhat menu.
4. Create an account with explicit uid=0

Actual Results:
allowed to run program uid=0

Expected Results:
pam recognizes the /var/run/sudo/$USER/unknown:root file as a fake.

Additional info:
The suggested idea of putting some hard-to-create information into the sudo file seems like a good one. Something like:

    tty=`tty`
    tty=${tty#/dev/pts/}
    userinfo="$USER/$tty:root"
    date=`date +%s`
    echo $userinfo $date `{ echo $userinfo $date ; cat /etc/ssh/ssh_host_rsa_key ; } | md5sum` > /var/run/sudo/$userinfo

would create a reasonably high barrier to entry for any hacker trying to exploit this bug. It's also reasonably easy to verify:

    datestamp=`awk '{ printf "%s", $2}' /var/run/sudo/$userinfo`
    echo $userinfo $datestamp `{ echo $userinfo $datestamp ; cat /etc/ssh/ssh_host_rsa_key ; } | md5sum` | diff - /var/run/sudo/$userinfo

I'd also want to compare $datestamp to the modtime on /var/run/sudo/$userinfo to make sure that they were within a couple of seconds of each other (to frustrate replay attacks).
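As an added example (not code from the report or from pam), the proposal above carried through in Python: a marker file holding userinfo, date and a keyed hash, verified by recomputing the hash and also checking the embedded date against the file's mtime. It swaps the md5sum-over-host-key construction for HMAC-SHA256 under a constructed secret; the user name, tty number and clock value are constructed too.

```python
import hmac, hashlib, os, tempfile

SKEW = 2  # embedded date must agree with the file's mtime to within this many seconds

def make_mac(secret: bytes, userinfo: str, stamp: int) -> str:
    # MAC over "userinfo date" under a root-only secret (stand-in for the host-key trick)
    return hmac.new(secret, f"{userinfo} {stamp}".encode(), hashlib.sha256).hexdigest()

def write_stamp(path: str, userinfo: str, secret: bytes, now: int) -> None:
    """Write 'userinfo date mac' and pin the mtime to the embedded date."""
    with open(path, "w") as fh:
        fh.write(f"{userinfo} {now} {make_mac(secret, userinfo, now)}\n")
    os.utime(path, (now, now))

def verify_stamp(path: str, userinfo: str, secret: bytes) -> bool:
    """Accept only a marker whose MAC checks out and whose date matches its mtime."""
    try:
        with open(path) as fh:
            fields = fh.read().split()
    except OSError:
        return False
    if len(fields) != 3 or fields[0] != userinfo or not fields[1].isdigit():
        return False  # an empty file produced by `touch` fails here
    stamp = int(fields[1])
    if not hmac.compare_digest(fields[2], make_mac(secret, userinfo, stamp)):
        return False  # content was not produced by the holder of the secret
    return abs(int(os.stat(path).st_mtime) - stamp) <= SKEW  # catches replayed old markers

def demo() -> dict:
    """Constructed scenario: genuine marker, empty touched file, replayed old marker."""
    secret, userinfo, now = b"constructed-secret-not-a-real-host-key", "alice/3:root", 1_060_000_000
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good, touched, replay = (os.path.join(d, n) for n in ("good", "touched", "replay"))
        write_stamp(good, userinfo, secret, now)
        results["genuine"] = verify_stamp(good, userinfo, secret)
        open(touched, "w").close()  # what `touch` through the symlink leaves behind
        results["touched"] = verify_stamp(touched, userinfo, secret)
        with open(good) as src, open(replay, "w") as dst:
            dst.write(src.read())  # valid MAC, but the file is an hour newer than its date
        os.utime(replay, (now + 3600, now + 3600))
        results["replayed"] = verify_stamp(replay, userinfo, secret)
    return results

if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'touched': False, 'replayed': False}
```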
*** This bug has been marked as a duplicate of 98391 ***
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.