[Pkg-shadow-devel] Bug#505071: Bug#505071: closed ... fixed in shadow 1:4.1.3-1
Paul Szabo
psz at maths.usyd.edu.au
Fri Apr 17 01:18:16 UTC 2009
>> Thus an attacker could:
>> - cause securetty checks to fail resulting in a DoS, or
>> - bypass or trick some checks in pam_time or pam_group.
> Please state more clearly ...
We have seen how utmp entries can be "fudged", left behind, with or
without access to group utmp.
Suppose a utmp entry is "fabricated" with "correct" PID etc, and ut_line
set to /tmp/x and /tmp/x made a symlink to the "correct" tty. That entry
will then be used by login; it will set PAM_TTY to /tmp/x, which will
fail securetty checks: resulting in a DoS.
Suppose we see pam_time or pam_group allowing something to (e.g.) tty0.
Then we "fabricate" a utmp entry with ut_line set to /tmp/tty0 and make
/tmp/tty0 point to our tty. Login will set PAM_TTY to /tmp/tty0 and PAM
will give us the goodies.
Please let me know if the above is unclear or insufficient.
Cheers, Paul
Paul Szabo psz at maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
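As an added illustration (not code from shadow or from this thread), a hypothetical check that login could apply to a utmp ut_line value before using it as PAM_TTY, rejecting the absolute-path and symlink cases described above; safe_tty_from_utline, demo and the devdir parameter are assumed names, and require_chardev exists only so the constructed demo runs without real device nodes.

```python
import os
import stat
import tempfile

def safe_tty_from_utline(ut_line, devdir="/dev", require_chardev=True):
    """Return the tty path PAM_TTY may be set to for a utmp ut_line value,
    or None when the entry must not be trusted (hypothetical check)."""
    devdir = os.path.abspath(devdir)
    if not ut_line or "\x00" in ut_line:
        return None
    # utmp normally stores the tty relative to /dev ("tty0", "pts/3");
    # an absolute name is only acceptable if it still lies inside devdir.
    cand = ut_line if ut_line.startswith("/") else os.path.join(devdir, ut_line)
    norm = os.path.normpath(cand)
    # Rejects "/tmp/tty0" and "../etc/..." style escapes from devdir.
    if os.path.commonpath([norm, devdir]) != devdir or norm == devdir:
        return None
    # No path component below devdir may be a symlink, so a link planted in
    # a writable directory cannot redirect the name to another tty.
    cur = devdir
    for part in os.path.relpath(norm, devdir).split(os.sep):
        cur = os.path.join(cur, part)
        if os.path.islink(cur):
            return None
    try:
        st = os.lstat(norm)
    except OSError:
        return None
    if require_chardev and not stat.S_ISCHR(st.st_mode):
        return None
    return norm

def demo():
    """Constructed scenario: a fake 'dev' directory with a real entry and a
    symlink beside it, mirroring the /tmp/tty0 -> real tty trick."""
    d = tempfile.mkdtemp()
    real = os.path.join(d, "tty0")
    open(real, "w").close()                     # stands in for a tty node
    os.symlink(real, os.path.join(d, "tty0_link"))
    return {
        "plain":   safe_tty_from_utline("tty0", d, require_chardev=False) == real,
        "symlink": safe_tty_from_utline("tty0_link", d, require_chardev=False),
        "abs_tmp": safe_tty_from_utline("/tmp/tty0", d),
        "dotdot":  safe_tty_from_utline("../etc/passwd", d),
    }

if __name__ == "__main__":
    print(demo())
```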