pam-krb5 File Overwrite and Privilege Escalation

Report ID: SA200900809
Source: Secunia
Date of Discovery: 17.02.2009
Criticality: Low
Affects:
pam-krb5 3.x

Compromise From: Local system
Compromise Type: Manipulation of data
Privilege escalation

Summary

Some vulnerabilities have been reported in pam-krb5, which can be exploited by malicious, local users to overwrite files and to gain escalated privileges.

Detailed Description

1) pam-krb5 does not use the correct API for initialising the Kerberos libraries when running in a setuid context, so the libraries honour Kerberos configuration supplied through environment variables. This can be exploited to bypass authentication checks in setuid applications that use PAM for authentication by specifying the Kerberos configuration via environment variables.

2) An error exists in "pam_setcred" when it is invoked with "PAM_REINITIALIZE_CRED" or "PAM_REFRESH_CRED" by a setuid application that has neither first called it with "PAM_ESTABLISH_CRED" nor dropped privileges (e.g. "su" in Solaris 10). This can be exploited to overwrite and chown a file specified via the "KRB5CCNAME" environment variable.

The vulnerabilities are reported in versions prior to 3.13.

Solution

Update to version 3.13.
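An added check for the affected-version statement above; this is example code, not part of the advisory and not pam-krb5's own tooling. It compares an installed pam-krb5 version string against the 3.13 fix version component by component, so that 3.9 is correctly treated as older than 3.13 (a plain string comparison would rank it newer) and a distribution packaging suffix such as 3.11-2 is tolerated. Where the version string comes from (e.g. your package manager's query output) is an assumption; the advisory only states the fixed version.

```shell
#!/bin/sh
# Fixed version as stated in the advisory.
PAM_KRB5_FIXED="3.13"

# num_prefix STR: print the leading digits of STR ("13-2" -> 13), or 0 if none.
num_prefix() {
    n=$(printf '%s' "$1" | sed 's/^\([0-9]*\).*/\1/')
    printf '%s' "${n:-0}"
}

# version_lt A B: exit 0 when version A is strictly older than version B.
# Each dot-separated component is compared as an integer; a missing
# component counts as 0, so 3.13 is not older than 3.13 but is older than 3.13.1.
version_lt() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        case $a in
            *.*) ac=${a%%.*}; a=${a#*.} ;;
            *)   ac=$a;       a="" ;;
        esac
        case $b in
            *.*) bc=${b%%.*}; b=${b#*.} ;;
            *)   bc=$b;       b="" ;;
        esac
        an=$(num_prefix "$ac")
        bn=$(num_prefix "$bc")
        if [ "$an" -lt "$bn" ]; then return 0; fi
        if [ "$an" -gt "$bn" ]; then return 1; fi
    done
    return 1
}

# pam_krb5_affected VERSION: exit 0 when VERSION is prior to the 3.13 fix.
pam_krb5_affected() {
    version_lt "$1" "$PAM_KRB5_FIXED"
}

# Usage (the version argument is a constructed sample; substitute the
# installed pam-krb5 version reported by your package manager):
if pam_krb5_affected "3.11-2"; then
    echo "pam-krb5 3.11-2 is prior to $PAM_KRB5_FIXED: update to $PAM_KRB5_FIXED"
else
    echo "pam-krb5 3.11-2 is at or past $PAM_KRB5_FIXED"
fi
```

The comparison deliberately ignores anything after the leading digits of a component, so a packager's revision (the "-2" in 3.11-2) does not affect the result; only the upstream pam-krb5 version matters for this advisory.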