oss-sec mailing list archives
Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser
From: gremlin () gremlin ru
Date: Sun, 26 Jul 2015 16:33:02 +0300
On 2015-07-23 10:09:54 -0700, Qualys Security Advisory wrote:

> We discovered a bug in userhelper, a setuid-root program from the usermode package

That's the requirement #1.

> userhelper's chfn() function verifies that the fields it was given on the command-line are sane (i.e., contain no forbidden characters). Unfortunately, these forbidden characters (":,=") do not include '\n' and allow local attackers to inject newline characters into /etc/passwd and alter this file in unexpected ways.

Here comes the requirement #2: adding the line to /etc/passwd must be sufficient for the user to log in.

> Our ultimate goal is to inject an arbitrary line into /etc/passwd (for example, the a-line "\na::0:0::/:\n")

In my tests, I used "a::0:0::/:/bin/sh"

Obviously enough, these tests have failed with the "Authentication service cannot retrieve authentication info" error as the requirement #2 was not satisfied - all my hosts use TCB password shadowing.

Anyway, thank you for a nice catch :-)

--
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net
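The field check quoted from the advisory, set beside a stricter form, as an added example that is not part of the original post or of the usermode source. The function names, the `user` entry and the sample GECOS values are constructed for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Check as the advisory describes it: only ":,=" are forbidden. */
static bool field_ok_weak(const char *s)
{
    return strpbrk(s, ":,=") == NULL;
}

/* Stricter form (assumed shape, not the project's patch): also reject
 * every control character, which covers '\n' and '\r'. */
static bool field_ok_strict(const char *s)
{
    for (const unsigned char *p = (const unsigned char *)s; *p; p++)
        if (iscntrl(*p) || strchr(":,=", *p))
            return false;
    return true;
}

/* Count the records produced when a GECOS value is written into a
 * constructed passwd entry. Anything other than 1 means the value
 * broke out of its own line. */
static int records_after_write(const char *gecos)
{
    char buf[512];
    int n = 0;

    snprintf(buf, sizeof buf,
             "user:x:1000:1000:%s:/home/user:/bin/sh\n", gecos);
    for (const char *p = buf; *p; p++)
        if (*p == '\n')
            n++;
    return n;
}

int main(void)
{
    /* Constructed sample values. */
    const char *samples[] = { "Jane Doe", "Jane\nDoe", "Jane:Doe" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: weak=%d strict=%d records=%d\n", i,
               field_ok_weak(samples[i]), field_ok_strict(samples[i]),
               records_after_write(samples[i]));
    return 0;
}
```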