oss-sec mailing list archives

potential OpenPAM vulnerability


From: Sebastian Krahmer <krahmer () suse de>
Date: Tue, 8 Nov 2011 16:56:47 +0100

Hi,

OpenPAM, until recently, was not filtering the service argument of
pam_start() invocations. This can lead to a root compromise.
Note that Linux-PAM is entirely different as it forbids anything with '/'
inside.

Please see 

http://c-skills.blogspot.com/2011/11/openpam-trickery.html

for more discussion and PoC.
This most likely affects FreeBSD and Solaris via the kcheckpass
vector.

regards,
Sebastian


-- 

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer () suse de - SuSE Security Team

---
SUSE LINUX Products GmbH,
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
Maxfeldstraße 5
90409 Nürnberg
Germany

