oss-sec mailing list archives

Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser


From: gremlin () gremlin ru
Date: Sun, 26 Jul 2015 16:33:02 +0300

On 2015-07-23 10:09:54 -0700, Qualys Security Advisory wrote:

> We discovered a bug in userhelper, a setuid-root program from
> the usermode package

That's requirement #1.

> userhelper's chfn() function verifies that the fields it was
> given on the command-line are sane (i.e., contain no forbidden
> characters).  Unfortunately, these forbidden characters (":,=")
> do not include '\n' and allow local attackers to inject newline
> characters into /etc/passwd and alter this file in unexpected ways.

Here comes requirement #2: adding the line to /etc/passwd must
be sufficient for the user to log in.

> Our ultimate goal is to inject an arbitrary line into /etc/passwd
> (for example, the a-line "\na::0:0::/:\n")

In my tests, I used "a::0:0::/:/bin/sh"

Obviously enough, these tests failed with the "Authentication
service cannot retrieve authentication info" error, since requirement
#2 was not satisfied: all my hosts use TCB password shadowing.

Anyway, thank you for a nice catch :-)


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net
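As an added illustration (not code from userhelper, usermode or the advisory), a minimal model of the field check as the advisory describes it, beside a stricter version that also rejects control characters, plus a helper that shows why a newline in one field turns one passwd record into two. The record layout and the 255-byte length bound are assumptions for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Weak check modelled on the behaviour described in the advisory:
   only ':', ',' and '=' are rejected, so '\n' slips through. */
bool field_ok_weak(const char *s)
{
    return s != NULL && strpbrk(s, ":,=") == NULL;
}

/* Hardened check: reject the separator characters and every
   control character (newline, carriage return, tab, ESC, DEL, ...).
   The length bound is an assumption chosen for this example. */
bool field_ok_strict(const char *s)
{
    if (s == NULL || strlen(s) > 255)
        return false;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        if (*p == ':' || *p == ',' || *p == '=')
            return false;
        if (iscntrl(*p))
            return false;
    }
    return true;
}

/* Build a constructed passwd record with the given GECOS field and
   count how many lines it occupies. A sane field yields exactly one;
   a field carrying '\n' yields two, i.e. an extra record. */
int record_line_count(const char *gecos)
{
    char rec[512];
    int n = snprintf(rec, sizeof rec, "user:x:1000:1000:%s:/home/user:/bin/sh\n", gecos);
    if (n < 0 || (size_t)n >= sizeof rec)
        return -1;   /* truncated: treat as an error */
    int lines = 0;
    for (const char *p = rec; *p; p++)
        if (*p == '\n')
            lines++;
    return lines;
}
```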

