oss-sec mailing list archives
potential OpenPAM vulnerability
From: Sebastian Krahmer <krahmer () suse de>
Date: Tue, 8 Nov 2011 16:56:47 +0100
Hi, OpenPAM, until recently, was not filtering the service argument of pam_start() invocations. This can lead to a root compromise. Note that Linux-PAM is entirely different as forbids anything with '/' inside. Please see http://c-skills.blogspot.com/2011/11/openpam-trickery.html for more discussion and PoC. This most likely affects FreeBSD and Solaris via the kcheckpass vector. regards, Sebastian -- ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer () suse de - SuSE Security Team --- SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) Maxfeldstraße 5 90409 Nürnberg Germany
Current thread:
- potential OpenPAM vulnerability Sebastian Krahmer (Nov 08)
- Re: potential OpenPAM vulnerability Kurt Seifried (Nov 08)