Changes between Initial Version and Version 1 of Errata/2011-11-08


Timestamp: Oct 22, 2014, 11:15:35 AM
Author: Dag-Erling Smørgrav
  • Errata/2011-11-08

== Errata: Service name validation ==

 Date:: 2011-11-08

 Affects:: All releases prior to [[Releases/Lycopsida|Lycopsida]]

 References:: http://c-skills.blogspot.com/2011/11/openpam-trickery.html

 Description:: Some setuid programs (e.g. KDE's `kcheckpass`) allow the user to specify the PAM service name.  OpenPAM's configuration parser used that name, without validating it, to form the name of the policy file it reads from its policy directories, so a service name containing path separators (for instance `../` components) makes OpenPAM read its policy from an arbitrary, user-crafted file.  Because the policy names the modules to load, this allows execution of arbitrary code with root privileges.

 Workaround:: Remove or restrict any setuid program that allows the user to specify the service name.

 Fix:: [[Releases/Lycopsida|OpenPAM Lycopsida]] features a completely rewritten configuration parser.  If you are unable or unwilling to upgrade, apply the following patch (courtesy of NetBSD's Matthias Drochner), which rejects any service name containing a `/`:
{{{
--- lib/openpam_configure.c     (revision 228464)
+++ lib/openpam_configure.c     (revision 228465)
@@ -285,6 +285,13 @@
        size_t len;
        int r;
 
+       /* don't allow to escape from policy_path */
+       if (strchr(service, '/')) {
+               openpam_log(PAM_LOG_ERROR, "invalid service name: %s",
+                   service);
+               return (-PAM_SYSTEM_ERR);
+       }
+
        for (path = openpam_policy_path; *path != NULL; ++path) {
                len = strlen(*path);
                if ((*path)[len - 1] == '/') {
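Review bot: an empty service name passes the new check (strchr finds no '/'), so the name formed from *path and "" in the loop below would refer to the policy directory itself rather than to a file in it; reject it in the same condition, e.g. `if (*service == '\0' || strchr(service, '/') != NULL) {`. The names "." and ".." likewise contain no '/' and are accepted although they can only name directories. Also, the openpam_log call echoes the caller-supplied string verbatim at PAM_LOG_ERROR, so whoever chooses the service name chooses what lands in the log; log it after the check or truncate it. Minor: the comment reads better as "don't allow the service name to escape policy_path".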
     31 }}}
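As an added example (not OpenPAM's code and not the patch above): a stand-alone C program that builds the policy file name the way the search loop does, resolves lexically where a traversal name such as `../../tmp/evil` ends up, and applies the validation that stops it. It goes slightly beyond the patch: besides `/` it also rejects an empty name and the names `.` and `..`, which cannot name a policy file. The search list `policy_path`, the function names and the sample service names are constructed for this example.

```c
/*
 * Added example, not OpenPAM code: how an unchecked service name leaves
 * the policy directory, and a validation function that prevents it.
 * policy_path, the function names and the sample names are constructed.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for OpenPAM's search list; entries end in '/'. */
static const char *policy_path[] = { "/etc/pam.d/", "/usr/local/etc/pam.d/", NULL };

/*
 * Accept only a single, non-empty path component that can name a regular
 * file: no '/', and not "." or "..".  The patch on this page rejects '/'
 * only; the other two cases are this example's own addition.
 */
int service_name_is_valid(const char *service)
{
    if (service == NULL || service[0] == '\0')
        return 0;                       /* "" would name the directory itself */
    if (strchr(service, '/') != NULL)
        return 0;                       /* any '/' can step out of policy_path */
    if (strcmp(service, ".") == 0 || strcmp(service, "..") == 0)
        return 0;                       /* directories, never a policy file */
    return 1;
}

/*
 * Build "<first policy dir><service>" as the search loop does per directory.
 * validate == 0 is the pre-fix behaviour; otherwise a bad name yields NULL.
 * Caller frees the result.
 */
char *policy_file_for(const char *service, int validate)
{
    if (validate && !service_name_is_valid(service))
        return NULL;
    size_t len = strlen(policy_path[0]) + strlen(service) + 1;
    char *file = malloc(len);
    if (file == NULL)
        return NULL;
    snprintf(file, len, "%s%s", policy_path[0], service);
    return file;
}

/*
 * Lexically resolve "." and ".." in an absolute path (no filesystem access)
 * to show which file would actually be opened.  Caller frees the result.
 */
char *normalize_path(const char *path)
{
    char *out = malloc(strlen(path) + 3);   /* '/', copy, '/', NUL */
    size_t olen = 0;
    if (out == NULL)
        return NULL;
    out[olen++] = '/';
    for (const char *p = path; *p != '\0'; ) {
        while (*p == '/')
            p++;                            /* skip separators, collapse "//" */
        if (*p == '\0')
            break;
        const char *start = p;
        while (*p != '\0' && *p != '/')
            p++;
        size_t clen = (size_t)(p - start);
        if (clen == 1 && start[0] == '.')
            continue;                       /* "." changes nothing */
        if (clen == 2 && start[0] == '.' && start[1] == '.') {
            if (olen > 1) {                 /* ".." drops last component; "/" stays */
                olen--;                     /* step back over its trailing '/' */
                while (out[olen - 1] != '/')
                    olen--;
            }
            continue;
        }
        memcpy(out + olen, start, clen);
        olen += clen;
        out[olen++] = '/';
    }
    if (olen > 1)
        olen--;                             /* drop trailing '/' except for "/" */
    out[olen] = '\0';
    return out;
}

/* 1 if the unvalidated name resolves outside policy_path[0], 0 if inside,
 * -1 on allocation failure. */
int service_escapes_policy_dir(const char *service)
{
    char *raw = policy_file_for(service, 0);
    if (raw == NULL)
        return -1;
    char *real = normalize_path(raw);
    free(raw);
    if (real == NULL)
        return -1;
    int escaped = strncmp(real, policy_path[0], strlen(policy_path[0])) != 0;
    free(real);
    return escaped;
}

int main(void)
{
    const char *names[] = { "login", "../../tmp/evil", "..", "" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        char *raw = policy_file_for(names[i], 0);
        char *real = raw ? normalize_path(raw) : NULL;
        printf("%-16s -> %-20s escapes=%d valid=%d\n", names[i],
               real ? real : "(null)", service_escapes_policy_dir(names[i]),
               service_name_is_valid(names[i]));
        free(raw);
        free(real);
    }
    return 0;
}
```

The lexical normaliser is only there to make the escape visible without touching the filesystem; the actual defence is `service_name_is_valid`, which, like the patch, runs before any directory in the search list is consulted.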