| 2010-07-26 15:46:42 |
Stephane Chazelas |
bug |
|
|
added bug |
| 2010-10-02 00:14:10 |
Kees Cook |
pam (Ubuntu): assignee |
|
Dustin Kirkland (kirkland) |
|
| 2010-10-02 00:14:17 |
Kees Cook |
pam (Ubuntu): status |
New |
Confirmed |
|
| 2010-10-02 00:14:27 |
Kees Cook |
pam (Ubuntu): importance |
Undecided |
Low |
|
| 2010-10-02 00:14:43 |
Kees Cook |
bug |
|
|
added subscriber Dustin Kirkland |
| 2010-10-02 00:14:53 |
Kees Cook |
bug |
|
|
added subscriber Steve Langasek |
| 2010-12-04 16:23:20 |
Dustin Kirkland |
pam (Ubuntu): assignee |
Dustin Kirkland (kirkland) |
|
|
| 2011-04-27 17:12:47 |
Jamie Strandboge |
pam (Ubuntu): status |
Confirmed |
Triaged |
|
| 2011-04-27 18:23:28 |
Dustin Kirkland |
attachment added |
|
610125.patch https://bugs.launchpad.net/ubuntu/+source/pam/+bug/610125/+attachment/2091922/+files/610125.patch |
|
| 2011-04-27 20:44:03 |
Dustin Kirkland |
nominated for series |
|
Ubuntu Lucid |
|
| 2011-04-27 20:44:03 |
Dustin Kirkland |
bug task added |
|
pam (Ubuntu Lucid) |
|
| 2011-04-27 20:44:03 |
Dustin Kirkland |
nominated for series |
|
Ubuntu Maverick |
|
| 2011-04-27 20:44:03 |
Dustin Kirkland |
bug task added |
|
pam (Ubuntu Maverick) |
|
| 2011-04-27 20:44:03 |
Dustin Kirkland |
nominated for series |
|
Ubuntu Oneiric |
|
| 2011-04-27 20:44:03 |
Dustin Kirkland |
nominated for series |
|
Ubuntu P-series |
|
| 2011-04-27 20:44:03 |
Dustin Kirkland |
nominated for series |
|
Ubuntu Natty |
|
| 2011-04-27 20:44:03 |
Dustin Kirkland |
bug task added |
|
pam (Ubuntu Natty) |
|
| 2011-04-27 20:44:22 |
Dustin Kirkland |
pam (Ubuntu Maverick): status |
New |
Triaged |
|
| 2011-04-27 20:44:25 |
Dustin Kirkland |
pam (Ubuntu Lucid): status |
New |
Triaged |
|
| 2011-04-27 20:44:31 |
Dustin Kirkland |
pam (Ubuntu Maverick): importance |
Undecided |
Low |
|
| 2011-04-27 20:44:33 |
Dustin Kirkland |
pam (Ubuntu Lucid): importance |
Undecided |
Low |
|
| 2011-04-27 20:44:36 |
Dustin Kirkland |
pam (Ubuntu Lucid): assignee |
|
Dustin Kirkland (kirkland) |
|
| 2011-04-27 20:44:38 |
Dustin Kirkland |
pam (Ubuntu Maverick): assignee |
|
Dustin Kirkland (kirkland) |
|
| 2011-04-27 20:44:39 |
Dustin Kirkland |
pam (Ubuntu Natty): assignee |
|
Dustin Kirkland (kirkland) |
|
| 2011-04-27 20:44:42 |
Dustin Kirkland |
pam (Ubuntu Lucid): milestone |
|
lucid-updates |
|
| 2011-04-27 20:44:45 |
Dustin Kirkland |
pam (Ubuntu Maverick): milestone |
|
maverick-updates |
|
| 2011-04-27 20:44:47 |
Dustin Kirkland |
pam (Ubuntu Natty): milestone |
|
natty-updates |
|
| 2011-04-27 20:45:21 |
Jamie Strandboge |
bug task added |
|
pam (Ubuntu Oneiric) |
|
| 2011-04-27 20:45:28 |
Jamie Strandboge |
pam (Ubuntu Oneiric): status |
New |
Triaged |
|
| 2011-04-27 20:45:30 |
Jamie Strandboge |
pam (Ubuntu Oneiric): importance |
Undecided |
Low |
|
| 2011-04-27 20:45:43 |
Jamie Strandboge |
pam (Ubuntu Oneiric): assignee |
|
Dustin Kirkland (kirkland) |
|
| 2011-05-03 12:21:23 |
Dustin Kirkland |
pam (Ubuntu Oneiric): status |
Triaged |
In Progress |
|
| 2011-05-03 12:21:26 |
Dustin Kirkland |
pam (Ubuntu Natty): status |
Triaged |
In Progress |
|
| 2011-05-03 12:21:28 |
Dustin Kirkland |
pam (Ubuntu Maverick): status |
Triaged |
In Progress |
|
| 2011-05-03 12:21:30 |
Dustin Kirkland |
pam (Ubuntu Lucid): status |
Triaged |
In Progress |
|
| 2011-05-03 12:50:12 |
Launchpad Janitor |
pam (Ubuntu Oneiric): status |
In Progress |
Fix Released |
|
| 2011-05-03 13:13:50 |
Dustin Kirkland |
description |
ii libpam-modules 1.1.1-2ubuntu5 Pluggable Authentication Modules for PAM
(lucid amd64)
pam_motd calls the scripts in /etc/update-motd.d/ as root without sanitising the environment. While that is acceptable when called for instance by sshd or by getty through login where the environment should be controlled, it becomes an issue if for instance "session optional pam_motd.so" is added to /etc/pam.d/su
With that done, a user can simply update his $PATH to look first in a directory that contains malicious replacements for commands called by the /etc/update-motd.d/ scripts (for instance "uname" called by 00_header).
pam_motd should perform the same kind of sanitisation as pam_exec, or even better not do the run-part /etc/update-motd.d/ at all but add some pam_exec calls to the pam configuration.
That issue is made worth by the fact that the running of those scripts by pam_motd is not documented. |
ii libpam-modules 1.1.1-2ubuntu5 Pluggable Authentication Modules for PAM
(lucid amd64)
pam_motd calls the scripts in /etc/update-motd.d/ as root without sanitising the environment. While that is acceptable when called for instance by sshd or by getty through login where the environment should be controlled, it becomes an issue if for instance "session optional pam_motd.so" is added to /etc/pam.d/su
With that done, a user can simply update his $PATH to look first in a directory that contains malicious replacements for commands called by the /etc/update-motd.d/ scripts (for instance "uname" called by 00_header).
pam_motd should perform the same kind of sanitisation as pam_exec, or even better not do the run-part /etc/update-motd.d/ at all but add some pam_exec calls to the pam configuration.
That issue is made worse by the fact that the running of those scripts by pam_motd is not documented.
[SRU JUSTIFICATION]
IMPACT
This bug affects those who might have manually modified their PAM configuration to add something like "session optional pam_motd.so" to a pam configuration in pam.d, such as /etc/pam.d/su, where the user controls the environment prior to executing the PAM stack. If so, the user can elevate her privileges to root by simply modifying her PATH to look in a directory that contains a malicious replacement for any of the programs called by the shell scripts in /etc/update-motd.d, such as 'uname'. Note that default Ubuntu installs are NOT affected, as pam_motd only runs in sshd and login PAM stacks, where the environment is already well controlled.
HOW ADDRESSED
The bug is trivially fixed by wrapping the run-parts shell call with an env -i, which clears the entire environment, and manually sets the PATH variable (to the same value lifted from /etc/login.defs.
PATCH
See the patch attached to this bug. It applies equally to all of the affected Ubuntu versions.
REPRODUCE INSTRUCTIONS
To test, add $HOME/bin to the path of non-root user 'kirkland'. Add a shell script, $HOME/bin/uname which does a "date >> /root/howdy". I then add "session optional pam_motd.so" to the end of /etc/pam.d/su. Before installing patched pam, su and definite see the file /root/howdy created (verifying the vulnerability). After applying and installing patched pam, you should not see /root/howdy created.
REGRESSION POTENTIAL
As far as I could tell, the rest of the update-motd part of pam_motd seemed to work correctly without regression. In the absolute worst case, /etc/motd might not be updated correctly, which is obviously not ideal, but hardly critical functionality to system operation. |
|
| 2011-05-03 13:14:01 |
Dustin Kirkland |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2011-05-03 13:15:39 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/pam |
|
| 2011-05-03 13:16:25 |
Dustin Kirkland |
pam (Ubuntu Lucid): status |
In Progress |
Fix Committed |
|
| 2011-05-03 13:16:26 |
Dustin Kirkland |
pam (Ubuntu Maverick): status |
In Progress |
Fix Committed |
|
| 2011-05-03 13:16:28 |
Dustin Kirkland |
pam (Ubuntu Natty): status |
In Progress |
Fix Committed |
|
| 2011-05-03 23:12:41 |
Clint Byrum |
bug |
|
|
added subscriber SRU Verification |
| 2011-05-03 23:12:45 |
Clint Byrum |
tags |
|
verification-needed |
|
| 2011-05-04 00:24:15 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/lucid-proposed/pam |
|
| 2011-05-04 00:24:18 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/maverick-proposed/pam |
|
| 2011-05-04 00:24:20 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/natty-proposed/pam |
|
| 2011-05-04 05:24:22 |
Martin Pitt |
visibility |
private |
public |
|
| 2011-10-13 20:19:00 |
Kees Cook |
bug task added |
|
pam (Ubuntu Precise) |
|
| 2011-10-13 20:19:10 |
Kees Cook |
pam (Ubuntu Precise): status |
Fix Released |
Triaged |
|
| 2011-10-13 20:19:13 |
Kees Cook |
pam (Ubuntu Oneiric): status |
Fix Released |
Triaged |
|
| 2011-10-13 20:19:16 |
Kees Cook |
pam (Ubuntu Natty): status |
Fix Committed |
Triaged |
|
| 2011-10-13 20:19:18 |
Kees Cook |
pam (Ubuntu Maverick): status |
Fix Committed |
Triaged |
|
| 2011-10-13 20:19:20 |
Kees Cook |
pam (Ubuntu Lucid): status |
Fix Committed |
Triaged |
|
| 2011-10-13 20:21:05 |
Kees Cook |
pam (Ubuntu Oneiric): milestone |
|
oneiric-updates |
|
| 2011-10-13 20:21:11 |
Kees Cook |
pam (Ubuntu Precise): milestone |
natty-updates |
|
|
| 2011-10-13 23:04:23 |
Dustin Kirkland |
attachment added |
|
610125.patch https://bugs.launchpad.net/ubuntu/+source/pam/+bug/610125/+attachment/2541599/+files/610125.patch |
|
| 2011-10-18 21:57:01 |
Marc Deslauriers |
cve linked |
|
2011-3628 |
|
| 2012-04-13 15:42:01 |
Jamie Strandboge |
pam (Ubuntu Maverick): status |
Triaged |
Won't Fix |
|
| 2012-11-02 11:48:18 |
Jamie Strandboge |
pam (Ubuntu Natty): status |
Triaged |
Won't Fix |
|
| 2012-11-02 12:25:01 |
Renard henri |
bug |
|
|
added subscriber Renard henri |
| 2012-11-02 12:25:07 |
Renard henri |
removed subscriber Renard henri |
|
|
|
| 2012-11-02 12:25:16 |
Renard henri |
bug |
|
|
added subscriber Renard henri |
| 2012-11-12 04:09:24 |
Launchpad Janitor |
branch linked |
|
lp:~abone/ubuntu/quantal/pam/abone |
|
| 2013-01-18 10:03:35 |
Niko Ehrenfeuchter |
bug |
|
|
added subscriber Niko Ehrenfeuchter |
| 2013-02-14 21:43:57 |
Dustin Kirkland |
pam (Ubuntu Precise): status |
Triaged |
Fix Released |
|
| 2013-02-14 21:46:17 |
Dustin Kirkland |
pam (Ubuntu Oneiric): status |
Triaged |
Fix Released |
|
| 2013-02-14 21:46:52 |
Dustin Kirkland |
pam (Ubuntu): status |
Triaged |
Fix Released |
|
| 2013-02-14 21:49:02 |
Dustin Kirkland |
pam (Ubuntu Lucid): status |
Triaged |
Fix Released |
|
