Date: Sun, 26 Jul 2015 16:33:02 +0300 From: gremlin@...mlin.ru To: oss-security@...ts.openwall.com Subject: Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser On 2015-07-23 10:09:54 -0700, Qualys Security Advisory wrote: > We discovered a bug in userhelper, a setuid-root program from > the usermode package That's the requirement #1. > userhelper's chfn() function verifies that the fields it was > given on the command-line are sane (i.e., contain no forbidden > characters). Unfortunately, these forbidden characters (":,=") > do not include '\n' and allow local attackers to inject newline > characters into /etc/passwd and alter this file in unexpected ways. Here comes the requirement #2: adding the line to /etc/passwd must be sufficient for the user to log in. > Our ultimate goal is to inject an arbitrary line into /etc/passwd > (for example, the a-line "\na::0:0::/:\n") In my tests, I used "a::0:0::/:/bin/sh" Obviously enough, these tests have failed with the "Authentication service cannot retrieve authentication info" error as the requirement #2 was not satisfied - all my hosts use TCB password shadowing. Anyway, thank you for a nice catch :-) -- Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru> GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ