SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   Util-linux Vendors:   [Multiple Authors/Vendors]
(Trustix Issues Fix) Util-linux With PAM Group Limits May Let Remote Users Gain Privileges of a Previous Login Users
SecurityTracker Alert ID:  1002571
SecurityTracker URL:  http://securitytracker.com/id/1002571
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 18 2001
Impact:   Root access via local system, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): util-linux-2.11l and prior
Description:   A vulnerability was reported in Util-linux that could allow an authorized remote user to login and obtain the privileges of the last user that logged in.

It is reported that if there are any limits set for a group of users, then the users in that group can login by any method that uses /bin/login (e.g., console, telnet) to obtain the privileges of the last user that logged in.

The following steps will apparently trigger the vulnerability:

# groupadd testgroup
# useradd testuser -g testgroup
# echo '@testgroup - maxlogins 2'

Then, use ssh to login as root into the target host and then telnet into the host as testuser to obtain root privileges.

[Editor's Note: This was previously reported as a PAM vulnerability but has been reclassified as a Util-linux vulnerability.]

Impact:   A remote authorized user that is part of the specified group with a PAM limit can login to obtain the privileges of the last user that logged in using a login function (such as SSH).
Solution:   The vendor has released a fix, available at:

<URI:http://www.trustix.net/pub/Trustix/updates/>
<URI:ftp://ftp.trustix.net/pub/Trustix/updates/>

Users of the SWUP tool can have updates automatically installed using 'swup --upgrade'.

MD5sums of the packages:
ebdfde806ab5d2d67c25ffd1a90bb8aa ./1.5/SRPMS/util-linux-2.11f-6tr.src.rpm
d96660d42ee2901c18577e26616cabdf ./1.5/RPMS/util-linux-2.11f-6tr.i586.rpm
4a7a357bf1ad7e7999a39c508326b155 ./1.5/RPMS/mount-2.11f-6tr.i586.rpm
94dc41a4acf854f7bfff2276393ccd04 ./1.5/RPMS/losetup-2.11f-6tr.i586.rpm

Vendor URL:  freshmeat.net/projects/util-linux/ (Links to External Site)
Cause:   State error
Underlying OS:  Linux (Trustix)
Underlying OS Comments:  Tested on RedHat Linux using OpenSSH

Message History:   This archive entry is a follow-up to the message listed below.
Sep 11 2001 Util-linux With PAM Group Limits May Let Remote Users Gain Privileges of a Previous Login Users



 Source Message Contents

Subject:  TSLSA-2001-0025 - util-linux


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2001-0025

Package name:      Util-linux
Summary:           Possible to gain some other user's credentials
Date:              2001-10-17
Affected versions: TSL 1.5

- --------------------------------------------------------------------------

Problem description:
  The "login" program in util-linux stored the user's credentials in a
  static buffer that could later be reused in other PAM calls issued on
  behalf of other users.  This could lead to a user gaining access to
  other accounts.
  Note that this is not possible by default.

Action:
  We recommend that all systems with this package installed are upgraded.


Location:
  All TSL updates are available from
  <URI:http://www.trustix.net/pub/Trustix/updates/>
  <URI:ftp://ftp.trustix.net/pub/Trustix/updates/>


Automatic updates:
  Users of the SWUP tool, can enjoy having updates automatically
  installed using 'swup --upgrade'.

  Get SWUP from:
  <URI:ftp://ftp.trustix.net/pub/Trustix/software/swup/>


Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.net/support/>


Verification:
  This advisory along with all TSL packages are signed with the TSL sign key.
  This key available from:
  <URI:http://www.trustix.net/TSL-GPG-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.net/errata/trustix-1.5/>
  or directly at
  <URI:http://www.trustix.net/errata/misc/2001/TSL-2001-0024-postfix.asc.txt>

MD5sums of the packages:
- --------------------------------------------------------------------------
ebdfde806ab5d2d67c25ffd1a90bb8aa  ./1.5/SRPMS/util-linux-2.11f-6tr.src.rpm
d96660d42ee2901c18577e26616cabdf  ./1.5/RPMS/util-linux-2.11f-6tr.i586.rpm
4a7a357bf1ad7e7999a39c508326b155  ./1.5/RPMS/mount-2.11f-6tr.i586.rpm
94dc41a4acf854f7bfff2276393ccd04  ./1.5/RPMS/losetup-2.11f-6tr.i586.rpm
- --------------------------------------------------------------------------


Trustix Security Team
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7zYOTwRTcg4BxxS0RAvQ7AJwJEhZEWjPZ0pN1TIaaqFkOUIs7gACfTrpt
JIfWCjwVk0Q2BHt7mRJMJ1s=
=LPnb
-----END PGP SIGNATURE-----

_______________________________________________
tsl-announce mailing list
tsl-announce@trustix.org
http://www.trustix.org/mailman/listinfo.cgi/tsl-announce


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC