
PAM Vulnerability in Ubuntu allowing root access

28 points| Kototama | 15 years ago |lists.ubuntu.com | reply

18 comments

[+] openfly|15 years ago|reply
It looks like a user could reset an environment variable, resulting in convincing the PAM module (running as root) to write a file somewhere the user should not be able to write. I assume since this could allow root access, it can overwrite something that can be executed as root by another process.
[+] nuclear_eclipse|15 years ago|reply
Actually, from the looks of the tweet linked above, it seems to allow a user to chown an arbitrary system file so that it is owned by him; in that case, the shadow file. Having access to the shadow file would allow the user to trivially reset the password for every account on the machine, including root. With that access, a user could then do just about anything to the box, and then reset the password/shadow file back to its old value/permissions so that sysadmins would be none the wiser.
[+] barnaby|15 years ago|reply
Thank you for posting this... I often ignore doing updates because they're just not as interesting as other things I'm doing. This kicked my butt into gear to install the updates.
[+] xpaulbettsx|15 years ago|reply
This is important if you're running a website too - this exploit can be used to take over the machine if the hacker finds a way to execute code as the website (i.e. once they used a different exploit to break in, they would be able to escalate from www-data user to root).
[+] poundy|15 years ago|reply
I am on Ubuntu 10.04, what do I need to do besides updates and "proper" use to remain safe? I don't have an antivirus or anything of that sort!
[+] nuclear_eclipse|15 years ago|reply
Assuming you're still using the default package mirrors, updating is sufficient.
[+] zokier|15 years ago|reply
Is this bug restricted to Ubuntu or does it affect Debian/RHEL etc.?
[+] callahad|15 years ago|reply
I can't seem to replicate on a Debian unstable box, where pam hasn't been updated since April [0], but I don't have an Ubuntu box handy to verify that I'm properly trying to exploit it.

[0]: http://packages.qa.debian.org/p/pam.html

[+] billybob|15 years ago|reply
Dumb question - what's PAM? To me that means "phone as modem"...
[+] xpaulbettsx|15 years ago|reply
PAM lets you, among other things, define new methods of authenticating the user - for example, if I wanted to make my computer log me on whenever it saw my Bluetooth phone in range, I'd write a PAM module.
[+] afhof|15 years ago|reply
It didn't work on 9.04, which I guess is good.