oss-sec mailing list archives
Re: [Pkg-xfce-devel] Bug#639151: Bug#639151: Bug#639151: Local privilege escalation
From: Yves-Alexis Perez <corsac () debian org>
Date: Fri, 26 Aug 2011 10:58:26 +0200
On Fri, 2011-08-26 at 10:43 +0200, Sebastian Krahmer wrote:
> Hi,
>
> You probably don't take into account the chown() that happens in lightdm. Just unlink the created ~/.dmrc or ~/.Xauthority files after creation and make a symlink to /etc/passwd to chown it to yourself.

The chown will be applied to the symlink, not the target. I've tried to make .Xauthority a symlink to a root-owned file and the destination was indeed destroyed, but it's still root-owned.

> However I didn't dig deep enough into it to write an exploit as I don't have a working lightdm setup. The correct behavior is to temporarily drop euid/fsuid to that of the user if doing anything with his files.

Yeah, I'm currently cooking patches doing that, though they'll need review before being applied.

> The PAM issue that I was curious about was that a pam_start() etc is done for the greeter-user (which I expect to be some "lightdm" user)?

Yes

> I would expect all pam_ calls are only done for the user who is actually about to login. The question that came up to me was whether pam_environment from the user would have impact on uid-0 called programs/scripts since you transfer the PAM env to the process env.

Yeah, that looks fishy, though I have no idea how it's exactly cooked that way, we'll have to wait for an answer from Robert.

Regards,
--
Yves-Alexis
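The behaviour recommended in the message above (temporarily dropping euid to the user before touching files in the home directory), sketched as an added example; it is not code from lightdm or from either poster. `write_user_file` is a hypothetical helper, and as assumptions of this sketch it also opens with O_NOFOLLOW, sets ownership through the descriptor, and leaves supplementary groups out.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: write a file such as ~/.Xauthority as the user.
 * Returns 0 on success, -1 on failure with errno set. */
int write_user_file(const char *path, uid_t uid, gid_t gid,
                    const void *buf, size_t len)
{
    uid_t old_euid = geteuid();
    gid_t old_egid = getegid();
    struct stat st;
    int fd = -1, rc = -1, saved;

    /* Group first, then user: from here on the kernel checks access
     * with the user's credentials, not root's. */
    if (setegid(gid) != 0 || seteuid(uid) != 0)
        goto restore;
    /* O_NOFOLLOW: fail with ELOOP if the final component is a symlink. */
    fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        goto restore;
    /* Only a regular file with a single link is acceptable; checking
     * before truncating leaves anything else untouched. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        errno = EPERM;
        goto restore;
    }
    /* Work on the descriptor: swapping the path later changes nothing. */
    if (ftruncate(fd, 0) != 0 || fchown(fd, uid, gid) != 0)
        goto restore;
    if (write(fd, buf, len) == (ssize_t)len)
        rc = 0;
restore:
    saved = errno;
    if (fd >= 0)
        close(fd);
    /* Regain the original ids; treat failure to do so as an error. */
    if (seteuid(old_euid) != 0 || setegid(old_egid) != 0)
        rc = -1;
    errno = saved;
    return rc;
}
```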