Linux pam_xauth could allow an attacker to gain privileges

linux-pamxauth-gain-privileges (11254)

High Risk

Description:

The Linux pam_xauth module could allow a local attacker to gain elevated privileges on the system, caused by an insecure default configuration. The pam_xauth module forwards MIT-Magic-Cookies to new X sessions and stores them in the a temporary .xauth file. A local attacker with limited system privileges could steal these cookies and gain root privileges on the system by forcing the root user to use "su" to login as the attacker, which would cause a temporary .xauth file to be created with the attacker's privileges.

Platforms Affected:

• Conectiva, Linux 8.0
• MandrakeSoft, Mandrake Linux 8.1 IA64
• MandrakeSoft, Mandrake Linux 8.1
• MandrakeSoft, Mandrake Linux 8.2 PPC
• MandrakeSoft, Mandrake Linux 8.2
• MandrakeSoft, Mandrake Linux 9.0
• MandrakeSoft, Mandrake Linux Corporate Server 2.1
• MandrakeSoft, Mandrake Multi Network Firewall 8.2
• MandrakeSoft, Mandrake Single Network Firewall 7.2
• RedHat, Enterprise Linux 2.1 ES
• RedHat, Enterprise Linux 2.1 WS
• RedHat, Enterprise Linux 2.1 AS
• RedHat, Linux 7
• RedHat, Linux 7.1
• RedHat, Linux 7.1 for iSeries
• RedHat, Linux 7.1 for pSeries
• RedHat, Linux 7.2
• RedHat, Linux 7.3
• RedHat, Linux 8.0
• RedHat, Linux Advanced Workstation 2.1 Itanium
• Sun, Linux 5.0

Remedy:

For Red Hat Linux: Upgrade to the latest PAM package, as listed below. Refer to RHSA-2003:035-12 for more information. See References.

Red Hat Linux 7.1 for iSeries and pSeries: 0.75-46.7.1 or later
Red Hat Linux 7.2: 0.75-46.7.2 or later
Red Hat Linux 7.3: 0.75-46.7.3 or later
Red Hat Linux 8.0: 0.75-46.8.0 or later

For Mandrake Linux 8.1, 8.2, 9.0, and Multi Network Firewall 8.2, and Corporate Server 2.1:
Upgrade to the latest pam package (0.75-25.1mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2003:017-1:pam. See References.

For Conectiva Linux 8.0:
Upgrade to the latest pam package (0.75-5U80_1cl or later), as listed in Conectiva Linux Security Announcement CLA-2003:693. See References.

For Sun Linux 5.0:
Upgrade to the latest version of pam (0.75-46.7.2 or later), as listed in Sun Alert ID: 55760. See References.

As a workaround, follow the procedures listed in Sun Alert ID: 55760. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Privileges

References:

• BugTraq Mailing List, 2002-12-14 4:48:28, BDT_AV200212140001: Insecure default: Using pam_xauth for su from sh-utils package at http://marc.theaimsgroup.com/?l=bugtraq&m=104431622818954&w=2 .
• CIAC Information Bulletin N-045, Red Hat Updated PAM packages fix bug in pam_xauth Module at http://www.ciac.org/ciac/bulletins/n-045.shtml.
• Conectiva Linux Security Announcement CLA-2003:693, pam at http://www.linuxsecurity.com/content/view/105191/99/. (From LinuxSecurity archive)
• Sun Alert ID: 55760, Sun Linux 5.0 Vulnerability in pam_xauth(8) Module May Allow Forwarding of Root Authorization to Unprivileged Users at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F55760&zone_32=category%3Asecurity.
• BID-6753: PAM pam_xauth Module Unintended X Session Cookie Access Vulnerability
• CVE-2002-1160: The default configuration of the pam_xauth module forwards MIT-Magic-Cookies to new X sessions, which could allow local users to gain root privileges by stealing the cookies from a temporary .xauth file, which is created with the original user's credentials after root uses su.
• MDKSA-2003:017: Updated pam packages fix root authorization handling in pam_xauth module
• MDKSA-2003:017-1: Updated pam packages fix root authorization handling in pam_xauth module
• RHSA-2003-028: pam security update
• RHSA-2003-035: Updated PAM packages fix bug in pam_xauth module
• US-CERT VU#911505: pam_xauth may insecurely forward X MIT-Magic-Cookies to new sessions

Reported:

Feb 03, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page