SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Security)  >   Util-linux Vendors:   [Multiple Authors/Vendors]
Util-linux With PAM Group Limits May Let Remote Users Gain Privileges of a Previously Logged-In User
SecurityTracker Alert ID:  1002391
SecurityTracker URL:  http://securitytracker.com/id/1002391
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Oct 15 2001
Original Entry Date:  Sep 11 2001
Impact:   Root access via local system, Root access via network
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): util-linux-2.11l and prior
Description:   A vulnerability was reported in Util-linux that could allow an authorized remote user to log in and obtain the privileges of the last user that logged in.

It is reported that if any limits are set for a group of users, then the users in that group can log in by any method that uses /bin/login (e.g., console, telnet) and obtain the privileges of the last user that logged in.

The following steps will apparently trigger the vulnerability:

# groupadd testgroup
# useradd testuser -g testgroup
# echo '@testgroup - maxlogins 2'

Then, use ssh to log in as root to the target host, and then telnet into the host as testuser to obtain root privileges.

[Editor's Note: This was previously reported as a PAM vulnerability but has been reclassified as a Util-linux vulnerability.]

Impact:   A remote authorized user that is a member of a group with a PAM limit can log in and obtain the privileges of the last user that logged in through a login function (such as SSH).
Solution:   No solution was available at the time of this entry.
Vendor URL:  freshmeat.net/projects/util-linux/
Cause:   State error
Underlying OS:  Linux (Any), UNIX (Any)
Underlying OS Comments:  Tested on RedHat Linux using OpenSSH
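The advisory names two preconditions for exposure: a util-linux login at or below 2.11l, and at least one group-scoped limit configured for pam_limits. The following audit helper is an added example, not code from the SecurityTracker entry or from the util-linux project; it assumes that pam_limits reads its limits from /etc/security/limits.conf (the advisory does not name the file), and the limits.conf text it parses is a constructed sample that includes the @testgroup maxlogins line from the reproduction steps above. It also generalises the version check to util-linux's letter-suffixed version scheme (2.10s, 2.11l, ...), which the text only shows two instances of.

```python
"""Audit helper (added example; not part of the advisory or of util-linux).

Checks the two preconditions the advisory names: a util-linux login at or
below 2.11l, and at least one group-scoped (@group) entry in the pam_limits
configuration.
"""
import re
from typing import Dict, List, Tuple

AFFECTED_MAX = "2.11l"  # last affected version per the advisory

# Constructed sample of what /etc/security/limits.conf might contain.
# Assumption: pam_limits reads this file; the advisory does not name the path.
SAMPLE_LIMITS_CONF = """\
# /etc/security/limits.conf  (constructed sample)
#<domain>   <type>  <item>      <value>
*           soft    core        0
@testgroup  -       maxlogins   2
alice       hard    nproc       100
# end of file
"""

# util-linux of this era used <major>.<minor><letter>, e.g. 2.10s, 2.11l
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)([a-z]?)$")


def parse_util_linux_version(version: str) -> Tuple[int, int, str]:
    """Split '2.10s' into (2, 10, 's'). A missing letter ('2.11') sorts
    before any lettered release of the same minor ('2.11a'...), which matches
    how the suffixes were issued."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised util-linux version: {version!r}")
    return int(m.group(1)), int(m.group(2)), m.group(3)


def version_is_affected(version: str) -> bool:
    """True when the installed version is at or below the last affected one."""
    return parse_util_linux_version(version) <= parse_util_linux_version(AFFECTED_MAX)


def parse_limits_conf(text: str) -> List[Tuple[str, str, str, str]]:
    """Parse limits.conf into (domain, type, item, value) tuples, skipping
    blank lines and '#' comments; anything else malformed is an error."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"malformed limits.conf line: {raw!r}")
        entries.append((fields[0], fields[1], fields[2], fields[3]))
    return entries


def group_limits(entries: List[Tuple[str, str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Entries whose domain is a group (@name): the precondition the advisory
    describes. User- and wildcard-scoped entries are not flagged."""
    return [e for e in entries if e[0].startswith("@")]


def assess(version: str, limits_text: str) -> Dict[str, object]:
    """Combine both preconditions into one exposure verdict."""
    groups = group_limits(parse_limits_conf(limits_text))
    affected = version_is_affected(version)
    return {
        "version_affected": affected,
        "group_limits": groups,
        "exposed": affected and bool(groups),
    }


if __name__ == "__main__":
    # Run against the constructed sample with a version from the report.
    for key, value in assess("2.10s", SAMPLE_LIMITS_CONF).items():
        print(f"{key}: {value}")
```

On a real host you would feed `assess()` the output of `login --version` (or the package version) and the contents of /etc/security/limits.conf; a verdict of `exposed` means the group limit should be removed or the util-linux package updated to a vendor-fixed build before relying on login session isolation.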

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Red Hat Issues Fix) Re: Util-linux With PAM Group Limits May Let Remote Users Gain Privileges of a Previously Logged-In User
Red Hat has issued a fix.
(Trustix Issues Fix) Util-linux With PAM Group Limits May Let Remote Users Gain Privileges of a Previously Logged-In User
The vendor has released a fix.
(Red Hat Issues Additional Fix) Util-linux With PAM Group Limits May Let Remote Users Gain Privileges of a Previously Logged-In User
The vendor has released a fix that includes Red Hat 7.2.
(SuSE Issues Fix) Util-linux With PAM Group Limits May Let Remote Users Gain Privileges of a Previously Logged-In User
The vendor has released a fix.
(Mandrake Issues Fix) Util-linux With PAM Group Limits May Let Remote Users Gain Privileges of a Previously Logged-In User
The vendor has released a fix.

Source Message Contents

Subject:  pam limits drops privileges

	Tested with: RedHat Linux
		pam-0.74-22, pam-0.75-7, util-linux-2.10s,
		util-linux-2.10s-12, in any combination.
	Posted on: Bugzilla and Pam-Bugs.
	Distribution dependent: dunno, but I think it's a pam bug.

	Problem description: If there are any limits set for a group of
users then those users, logging in by any method using /bin/login (console
login, telnet, etc.) can get privileges of the last user logged in
via ssh (we're using openssh).
	How to reproduce:
	# groupadd testgroup
	# useradd testuser -g testgroup
	# echo '@testgroup  -  maxlogins  2'
	ssh (let's say) as root into your box, then telnet into it and
login as testuser... and enjoy.

	I think this is a big problem because it's difficult to manage a
>200 users system without group/user limits.

-- 
Tarhon-Onu Victor
Network and System Engineer
RDS Iasi - Network Operations Center
Phone: +40-32-218385

Copyright 2021, SecurityGlobal.net LLC