It appears I've stumbled across a security hole in pam_krb5-1.0.3. This occurs
in the latest CVS found at

        pserver:[EMAIL PROTECTED]:/cvsroot/pam

When I use the module above on a Solaris 8 machine, I get the following
behavior:

  <jfh@waterspout:/cise/sys/src0/jfh/kerberos/pam_krb5-1.0> 1876 : su - jfhmtest
  Password for [EMAIL PROTECTED]: 
  waterspout% id
  uid=0(root) gid=50(stdnt) euid=7048(jfhmtest)

The uid of the target user is 0, instead of 7048.

When I use the original Cusack module, everything works normally:

  <jfh@waterspout:/cise/sys/src0/jfh/kerberos/pam_krb5-1.0> 1874 : su - jfhmtest
  Password for [EMAIL PROTECTED]: 
  waterspout% id
  uid=7048(jfhmtest) gid=50(stdnt)

I tracked the problem down to the following line in the 1.0.3 version:

  support.c:239: if ((ret = setreuid(state->c_ucred->cr_uid, pw->pw_uid)) != 0) {

I've verified the value of 'state->c_ucred->cr_uid' is indeed 0. If the line is
changed to

  support.c:239: if ((ret = setreuid(pw->pw_uid, pw->pw_uid)) != 0) {

the problem does not occur. A small sample program shows the trivial exploit:

  % cat s.c
  #include <stdio.h>
  #include <stdlib.h>     /* system() */
  #include <unistd.h>     /* seteuid(), getuid(), geteuid() */

  int main(int argc, char **argv) {
      /* Real uid is still 0 after the buggy setreuid(), so raising the
       * effective uid back to 0 succeeds. */
      seteuid(0);
      printf("uid %d euid %d\n", getuid(), geteuid());
      system("touch /tmp/newfile");
      system("ls -l /tmp/newfile");
      return 0;
  }

  % ./s
  uid 0 euid 0
  -rw-r--r--   1 root     stdnt          0 Feb  5 12:13 /tmp/newfile

Attached is my pam.conf, just in case I've made a mistake in setting things up.

----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| [EMAIL PROTECTED]                      http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------
#
#ident  "@(#)pam.conf   1.15    00/02/14 SMI"
#
# Copyright (c) 1996-1999 by Sun Microsystems, Inc.
# All rights reserved.
#
# PAM configuration
#
# Authentication management
#
#rlogin auth optional   /usr/lib/security/pam_krb5.so.2 try_first_pass
#dtlogin        auth optional   /usr/lib/security/pam_krb5.so.2 try_first_pass
#dtlogin        account optional /usr/lib/security/pam_krb5.so.2
login   auth required   /usr/lib/security/pam_krb5.so.2 ignore_unknown_upn rootok ccache=SAFE
#login  session required /usr/lib/security/pam_krb5.so.2 
#login  auth sufficient /usr/lib/security/pam_krb5.so.2 try_first_pass

cron   auth required   /usr/lib/security/$ISA/pam_unix.so.1
cron   account requisite       /usr/lib/security/$ISA/pam_roles.so.1 
cron   account required        /usr/lib/security/$ISA/pam_unix.so.1 
cron   session required        /usr/lib/security/$ISA/pam_unix.so.1 

other   auth required   /usr/lib/security/pam_krb5.so.2 ignore_unknown_upn rootok ccache=SAFE
#other  auth sufficient /usr/lib/security/pam_krb5.so.2 try_first_pass
#other  session required /usr/lib/security/pam_krb5.so.2 

#other  account sufficient /usr/lib/security/pam_krb5.so.2 
#other  password sufficient /usr/lib/security/pam_krb5.so.2 try_first_pass


login   auth sufficient         /usr/lib/security/$ISA/pam_unix.so.1 use_first_pass
#login  auth required   /usr/lib/security/$ISA/pam_dial_auth.so.1 
#
rlogin  auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
rlogin  auth required   /usr/lib/security/$ISA/pam_unix.so.1
#
dtlogin auth required   /usr/lib/security/$ISA/pam_unix.so.1
#
rsh     auth required   /usr/lib/security/$ISA/pam_rhosts_auth.so.1
other   auth sufficient /usr/lib/security/$ISA/pam_unix.so.1 use_first_pass
#
# Account management
#
login   account requisite       /usr/lib/security/$ISA/pam_roles.so.1 
login   account required        /usr/lib/security/$ISA/pam_projects.so.1
login   account required        /usr/lib/security/$ISA/pam_unix.so.1 
#
dtlogin account requisite       /usr/lib/security/$ISA/pam_roles.so.1 
dtlogin account required        /usr/lib/security/$ISA/pam_projects.so.1
dtlogin account required        /usr/lib/security/$ISA/pam_unix.so.1 
#
other   account requisite       /usr/lib/security/$ISA/pam_roles.so.1 
other   account required        /usr/lib/security/$ISA/pam_projects.so.1
other   account required        /usr/lib/security/$ISA/pam_unix.so.1 
#
# Session management
#
other   session required        /usr/lib/security/$ISA/pam_unix.so.1 
#
# Password management
#
other   password required       /usr/lib/security/$ISA/pam_unix.so.1 
dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional   /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#login  auth optional   /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#dtlogin        auth optional   /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#other  auth optional   /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#dtlogin        account optional /usr/lib/security/$ISA/pam_krb5.so.1
#other  account optional /usr/lib/security/$ISA/pam_krb5.so.1
#other  session optional /usr/lib/security/$ISA/pam_krb5.so.1
#other  password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass



________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
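The report above comes down to one argument of setreuid(): with the caller's real uid (state->c_ucred->cr_uid, here 0) passed as the new real uid, the process keeps a real uid of 0 and can regain an effective uid of 0 at any time. The following is an added example, not code from pam_krb5 or from the poster. It expresses the two calls from the report as a switch so both forms can be exercised, and adds a check a defender can run after any identity switch: confirm that real and effective uids are the target's and that the process can no longer get an effective uid of 0. The function names, and the use of seteuid(0) as the probe, are this example's own choices.

```c
#include <stdio.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>

/* Mirrors the two lines quoted from support.c:239.  'fixed' == 0 uses the
 * caller's real uid as the new real uid (the reported bug); 'fixed' != 0
 * sets both real and effective uid to the target user's uid. */
int switch_to_user(uid_t caller_uid, uid_t target_uid, int fixed)
{
    if (fixed)
        return setreuid(target_uid, target_uid);
    /* Buggy form: real uid stays at caller_uid (0 when invoked by root). */
    return setreuid(caller_uid, target_uid);
}

/* Post-switch check.  Returns 1 only if real and effective uid are both
 * 'target' and, for a non-root target, an attempt to raise the effective
 * uid back to 0 is refused with EPERM (so the saved uid is not 0 either).
 * Otherwise returns 0, putting the effective uid back if the probe
 * unexpectedly succeeded. */
int fully_switched_to(uid_t target)
{
    if (getuid() != target || geteuid() != target)
        return 0;
    if (target == 0)
        return 1;               /* nothing to lose when the target is root */
    errno = 0;
    if (seteuid(0) == 0) {
        /* Privilege was regained: saved or real uid was still 0. */
        seteuid(target);
        return 0;
    }
    return errno == EPERM;
}

int main(void)
{
    /* Run as root with the target uid from the report to reproduce the
     * "uid=0 euid=7048" state; as a normal user this just checks itself. */
    uid_t caller = getuid();
    uid_t target = (caller == 0) ? 7048 : caller;

    if (switch_to_user(caller, target, /* fixed = */ 0) != 0)
        perror("setreuid");
    printf("after buggy switch: uid %d euid %d fully switched: %d\n",
           (int)getuid(), (int)geteuid(), fully_switched_to(target));

    if (caller == 0) {
        seteuid(0);             /* regain root to show the fixed form */
        if (switch_to_user(caller, target, /* fixed = */ 1) != 0)
            perror("setreuid");
        printf("after fixed switch: uid %d euid %d fully switched: %d\n",
               (int)getuid(), (int)geteuid(), fully_switched_to(target));
    }
    return 0;
}
```

Run as root, the first line prints uid 0 euid 7048 with the check failing, the same state the `id` output in the report shows, while the fixed form prints 7048 for both and passes the check; run as an ordinary user the switch is to the user's own uid and the check passes because the probe is refused.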