= Errata =

== Service name validation ==

Date:: 2012-11-08

Affects:: All releases prior to [[Releases/Lycopsida|Lycopsida]]

References:: http://c-skills.blogspot.com/2011/11/openpam-trickery.html

Description:: Some setuid programs (e.g. KDE's `kcheckpass`) allow the user to specify the service name. Due to insufficient validation in OpenPAM's configuration parser, this can be exploited to load a PAM policy from an arbitrary (user-crafted) file and thus execute arbitrary code with root privileges.

Workaround:: Remove or restrict any program that allows the user to specify the service name.

Fix:: [[Releases/Lycopsida|OpenPAM Lycopsida]] features a completely rewritten configuration parser. If you are unable or unwilling to upgrade, apply the following patch (courtesy of NetBSD's Matthias Drochner):
{{{
--- lib/openpam_configure.c (revision 228464)
+++ lib/openpam_configure.c (revision 228465)
@@ -285,6 +285,13 @@
size_t len;
int r;

+ /* don't allow to escape from policy_path */
+ if (strchr(service, '/')) {
+ openpam_log(PAM_LOG_ERROR, "invalid service name: %s",
+ service);
+ return (-PAM_SYSTEM_ERR);
+ }
+
for (path = openpam_policy_path; *path != NULL; ++path) {
len = strlen(*path);
if ((*path)[len - 1] == '/') {
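Review bot: the new guard rejects any '/' in service, which closes the escape from policy_path, but the empty name and the names "." and ".." still pass and, once appended to a policy directory in the loop below, name the directory itself or its parent rather than a policy file; consider rejecting them in the same block, e.g. `if (*service == '\0' || strchr(service, '/') != NULL || strcmp(service, ".") == 0 || strcmp(service, "..") == 0)`, so the failure is logged as an invalid service name here instead of surfacing later as an open or parse error. The guard also assumes service is non-NULL; since this block becomes the single validation point for the name, that assumption belongs in the comment above it.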
}}}
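The description above is a path-traversal bug: a user-controlled service name is joined onto each policy directory and the result is opened as a policy file. The following is an added example, not OpenPAM's code or the patch above, showing a stricter, allowlist-based check for such a name and the directory-plus-name join that depends on it; the function names and the 64-character limit are assumptions for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SERVICE_NAME_MAX 64   /* assumed limit for this example */

/* Returns 1 if 'service' may be used as a single path component under a
 * policy directory, 0 otherwise. Stricter than a single-character blocklist:
 * only [A-Za-z0-9._-] is accepted, and the empty name, "." and ".." are
 * refused because they contain no '/' yet do not name a policy file. */
int service_name_ok(const char *service)
{
    size_t i, len;

    if (service == NULL)
        return 0;
    len = strlen(service);
    if (len == 0 || len > SERVICE_NAME_MAX)
        return 0;
    if (strcmp(service, ".") == 0 || strcmp(service, "..") == 0)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)service[i];
        /* '/', whitespace, control bytes and non-ASCII bytes all end up here */
        if (!isalnum(c) && c != '-' && c != '_' && c != '.')
            return 0;
    }
    return 1;
}

/* Joins one policy directory (expected to end in '/', like the entries of a
 * policy search path) and a validated service name into a static buffer.
 * Returns the path, or NULL if the name is invalid or the result would not
 * fit, so a caller can never open a file named by an unchecked string. */
const char *build_policy_path(const char *dir, const char *service)
{
    static char path[256];

    if (!service_name_ok(service))
        return NULL;
    if (snprintf(path, sizeof path, "%s%s", dir, service) >= (int)sizeof path)
        return NULL;
    return path;
}
```

Because build_policy_path refuses to produce a path for a rejected name, a caller that only opens what it returns cannot be steered outside the policy directory.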