3 Errata 2011 11 08
Dag-Erling Smørgrav edited this page 2023-06-26 18:04:27 +00:00

Errata: Service name validation

Date:: 2011-11-08

Affects:: All releases prior to Lycopsida

References:: http://c-skills.blogspot.com/2011/11/openpam-trickery.html

Description:: Some setuid programs (e.g. KDE's kcheckpass) allow the user to specify the service name. Due to insufficient validation in OpenPAM's configuration parser, this can be exploited to load a PAM policy from an arbitrary (user-crafted) file and thus execute arbitrary code with root privileges.
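The flaw described above is a path traversal: the policy loader concatenates a search-path directory with the caller-supplied service name, so a name containing `/` components names a file outside the policy directory. The following C program is an added illustration, not OpenPAM code: it builds the candidate file name the way an unchecked loader would, beside a checked variant that applies the validation of the fix (rejecting any `/`) plus two extra rejections that are this example's own assumptions (empty names and the `.`/`..` directory entries). The policy search path is constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed search path for this example: an entry ending in '/' is a
 * directory holding one policy file per service; any other entry is a
 * single flat policy file. */
static const char *const policy_path[] = {
    "/etc/pam.d/",
    "/etc/pam.conf",
    NULL
};

/* Join the first directory-style entry of policy_path with the service
 * name, with no validation. This mirrors the vulnerable behaviour: a
 * service name containing ".." or "/" escapes the policy directory.
 * Returns a malloc'd string, or NULL if no directory entry exists. */
char *policy_file_unchecked(const char *service)
{
    const char *const *path;
    size_t len;
    char *filename;

    for (path = policy_path; *path != NULL; ++path) {
        len = strlen(*path);
        if ((*path)[len - 1] == '/') {
            filename = malloc(len + strlen(service) + 1);
            if (filename == NULL)
                return NULL;
            strcpy(filename, *path);
            strcat(filename, service);
            return filename;
        }
    }
    return NULL;
}

/* Validate a service name before it is used as a file name component.
 * Rejecting '/' is what the shipped fix does; rejecting empty names and
 * "." / ".." is an additional assumption of this example, on the basis
 * that no real service is named that way. Returns 1 if valid, else 0. */
int service_name_is_valid(const char *service)
{
    if (service == NULL || *service == '\0')
        return 0;
    if (strchr(service, '/') != NULL)
        return 0;
    if (strcmp(service, ".") == 0 || strcmp(service, "..") == 0)
        return 0;
    return 1;
}

/* Same as policy_file_unchecked, but only after the name passes
 * validation; returns NULL for a rejected name. */
char *policy_file_checked(const char *service)
{
    if (!service_name_is_valid(service))
        return NULL;
    return policy_file_unchecked(service);
}

int main(void)
{
    /* Constructed sample names: two ordinary services, then three that
     * a validating loader must refuse. */
    const char *names[] = { "login", "sshd", "", "..", "../../tmp/evil", NULL };
    const char **n;

    for (n = names; *n != NULL; ++n) {
        char *unchecked = policy_file_unchecked(*n);
        char *checked = policy_file_checked(*n);
        printf("%-16s unchecked: %-24s checked: %s\n", *n,
            unchecked ? unchecked : "(null)",
            checked ? checked : "(rejected)");
        free(unchecked);
        free(checked);
    }
    return 0;
}
```

Running it shows the crafted name resolving to a file outside `/etc/pam.d/` in the unchecked column and being rejected in the checked one; a program that lets an unprivileged user choose the service name should apply the same check before calling `pam_start`.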

Workaround:: Remove or restrict any program that allows the user to specify the service name.

Fix:: OpenPAM Lycopsida features a completely rewritten configuration parser. If you are unable or unwilling to upgrade, apply the following patch (courtesy of NetBSD's Matthias Drochner):

--- lib/openpam_configure.c	(revision 228464)
+++ lib/openpam_configure.c	(revision 228465)
@@ -285,6 +285,13 @@
 	size_t len;
 	int r;
 
+	/* don't allow to escape from policy_path */
+	if (strchr(service, '/')) {
+		openpam_log(PAM_LOG_ERROR, "invalid service name: %s",
+		    service);
+		return (-PAM_SYSTEM_ERR);
+	}
+
 	for (path = openpam_policy_path; *path != NULL; ++path) {
 		len = strlen(*path);
 		if ((*path)[len - 1] == '/') {
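Review bot: the strchr check placed before the policy_path loop closes the traversal, but it still admits an empty service name; in the directory branch shown (`if ((*path)[len - 1] == '/')`) the name built from `*path` and an empty string is the policy directory itself rather than a policy file, so consider extending the guard to `if (*service == '\0' || strchr(service, '/'))` and reusing the same error path. The comment "don't allow to escape from policy_path" would also read better if it named the reason, e.g. that the service name becomes a path component and a name containing '/' or ".." can select a file outside the policy directories.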