Date: Sun, 26 Jul 2015 16:33:02 +0300
From: gremlin@...mlin.ru
To: oss-security@...ts.openwall.com
Subject: Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser

On 2015-07-23 10:09:54 -0700, Qualys Security Advisory wrote:

 > We discovered a bug in userhelper, a setuid-root program from
 > the usermode package

That's the requirement #1.

 > userhelper's chfn() function verifies that the fields it was
 > given on the command-line are sane (i.e., contain no forbidden
 > characters).  Unfortunately, these forbidden characters (":,=")
 > do not include '\n' and allow local attackers to inject newline
 > characters into /etc/passwd and alter this file in unexpected ways.

Here comes the requirement #2: adding the line to /etc/passwd must
be sufficient for the user to log in.

 > Our ultimate goal is to inject an arbitrary line into /etc/passwd
 > (for example, the a-line "\na::0:0::/:\n")

In my tests, I used "a::0:0::/:/bin/sh"

Obviously enough, these tests have failed with the "Authentication
service cannot retrieve authentication info" error as the requirement
#2 was not satisfied - all my hosts use TCB password shadowing.

Anyway, thank you for a nice catch :-)


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin  gremlin  ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net
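As an added illustration of the input-validation gap the quoted advisory describes (not code from the post or from the usermode package), the following C compares a field check that only forbids the ":,=" separators with one that also rejects control characters such as '\n', and counts how many /etc/passwd records a field would turn into. Function names, the passwd line layout and the sample inputs are constructed for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Weak check in the style the advisory describes: only ':' ',' '='
 * are forbidden, so a '\n' inside the field is accepted even though
 * it terminates the current /etc/passwd record. */
bool gecos_ok_weak(const char *field)
{
    return strpbrk(field, ":,=") == NULL;
}

/* Hardened check (assumed policy, not the package's own): keep
 * rejecting the separators and additionally reject every ASCII
 * control character, which covers '\n' and '\r'. */
bool gecos_ok_hardened(const char *field)
{
    for (const unsigned char *p = (const unsigned char *)field; *p; p++) {
        if (*p == ':' || *p == ',' || *p == '=')
            return false;
        if (iscntrl(*p))
            return false;
    }
    return true;
}

/* Build a constructed passwd line around the field and count the
 * records it would produce; a safe field yields exactly one. */
size_t passwd_record_count(const char *user, const char *gecos)
{
    char line[512];
    snprintf(line, sizeof line, "%s:x:1000:1000:%s:/home/%s:/bin/sh\n",
             user, gecos, user);
    size_t records = 0;
    for (const char *p = line; *p; p++)
        if (*p == '\n')
            records++;
    return records;
}

int main(void)
{
    const char *benign = "Alice Example";   /* constructed sample */
    const char *split  = "Alice\nx";        /* constructed: embeds '\n' */
    printf("weak: %d/%d  hardened: %d/%d  records: %zu/%zu\n",
           gecos_ok_weak(benign), gecos_ok_weak(split),
           gecos_ok_hardened(benign), gecos_ok_hardened(split),
           passwd_record_count("alice", benign),
           passwd_record_count("alice", split));
    return 0;
}
```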
