[Pkg-shadow-devel] Bug#505071: Bug#505071: closed ... fixed in shadow 1:4.1.3-1

Paul Szabo psz at maths.usyd.edu.au
Fri Apr 17 01:18:16 UTC 2009


>> Thus an attacker could:
>>  - cause securetty checks to fail resulting in a DoS, or
>>  - bypass or trick some checks in pam_time or pam_group.
> Please state more clearly ...

We have seen how utmp entries can be "fudged", left behind, with or
without access to group utmp.

Suppose a utmp entry is "fabricated" with "correct" PID etc, and ut_line
set to /tmp/x and /tmp/x made a symlink to the "correct" tty. That entry
will then be used by login; it will set PAM_TTY to /tmp/x, which will
fail securetty checks: resulting in a DoS.

Suppose we see pam_time or pam_group allowing something to (e.g.) tty0.
Then we "fabricate" a utmp entry with ut_line set to /tmp/tty0 and make
/tmp/tty0 point to our tty. Login will set PAM_TTY to /tmp/tty0 and PAM
will give us the goodies.

Please let me know if the above is unclear or insufficient.

Cheers, Paul

Paul Szabo   psz at maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia
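The two scenarios in the message above, as an added worked example that is not part of the bug report and not code from shadow, glibc or Linux-PAM. It uses glibc's utmp API against a private utmp file under /tmp (never the real /var/run/utmp), forges a USER_PROCESS record whose ut_line is a /tmp symlink, reads it back the way a login that trusts utmp would, and then contrasts a pam_securetty-style check on the bare string (which refuses "/tmp/..." lines, the DoS) with a check that resolves the claimed line and compares device nodes (which reveals the terminal the attacker really sits on). The allow-list DEMO_ALLOWED, the function names, and the regular file that stands in for the real tty are all constructed for this demo; the hardened check is my suggested direction, not the fix shipped in shadow 1:4.1.3-1.

```c
/* Added example for bug #505071; assumes glibc (musl stubs out utmp). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <utmp.h>
#include <sys/stat.h>

/* Constructed allow-list standing in for /etc/securetty. */
static const char *const DEMO_ALLOWED[] = { "tty0", "tty1", "pts/0" };
#define DEMO_ALLOWED_N (sizeof DEMO_ALLOWED / sizeof DEMO_ALLOWED[0])

/* Attacker step: append a USER_PROCESS record whose ut_line is a path of the
 * attacker's choosing (e.g. "/tmp/tty0") to utmp_path.  The file is created
 * if missing because glibc's pututline() will not.  0 on success, -1 on error. */
int forge_utmp_entry(const char *utmp_path, pid_t pid, const char *line)
{
    struct utmp ut, *written;
    int fd = open(utmp_path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    close(fd);
    memset(&ut, 0, sizeof ut);
    ut.ut_type = USER_PROCESS;
    ut.ut_pid = pid;
    strncpy(ut.ut_line, line, sizeof ut.ut_line - 1);
    strncpy(ut.ut_user, "attacker", sizeof ut.ut_user - 1);
    ut.ut_tv.tv_sec = (int)time(NULL);
    if (utmpname(utmp_path) != 0) return -1;
    setutent();
    written = pututline(&ut);
    endutent();
    return written ? 0 : -1;
}

/* Victim step, as a login that trusts utmp does it: copy out the ut_line of
 * the USER_PROCESS record for pid (ut_line need not be NUL-terminated).
 * 0 if found, -1 otherwise. */
int utmp_line_for_pid(const char *utmp_path, pid_t pid, char *out, size_t outlen)
{
    struct utmp *u;
    int rc = -1;
    if (utmpname(utmp_path) != 0) return -1;
    setutent();
    while ((u = getutent()) != NULL) {
        if (u->ut_type == USER_PROCESS && u->ut_pid == pid) {
            size_t n = strnlen(u->ut_line, sizeof u->ut_line);
            if (n >= outlen) n = outlen - 1;
            memcpy(out, u->ut_line, n);
            out[n] = '\0';
            rc = 0;
            break;
        }
    }
    endutent();
    return rc;
}

/* String-only check in the style of pam_securetty: drop a leading "/dev/" and
 * look the rest up.  "/tmp/x" keeps its prefix and is refused: the DoS. */
int securetty_allows(const char *pam_tty, const char *const *allowed, size_t n)
{
    size_t i;
    if (strncmp(pam_tty, "/dev/", 5) == 0) pam_tty += 5;
    for (i = 0; i < n; i++)
        if (strcmp(pam_tty, allowed[i]) == 0) return 1;
    return 0;
}

/* Hardened check (suggested here, not shadow's fix): resolve the claimed line
 * (realpath follows the attacker's symlink) and compare it with the terminal
 * the process really has open, by device node rather than by string.  PAM_TTY
 * should then be set from the resolved name.  1 same, 0 different, -1 error. */
int claimed_line_is_fd_tty(const char *claimed, int tty_fd, char *resolved, size_t rlen)
{
    struct stat a, b;
    char buf[PATH_MAX];
    if (realpath(claimed, buf) == NULL) return -1;
    if (resolved) snprintf(resolved, rlen, "%s", buf);
    if (stat(buf, &a) != 0 || fstat(tty_fd, &b) != 0) return -1;
    if (S_ISCHR(a.st_mode) && S_ISCHR(b.st_mode)) return a.st_rdev == b.st_rdev;
    return a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

/* Whole scenario on private files; a regular file stands in for the real tty.
 * Returns 0 when every step behaves as the report describes, else -step. */
int run_demo(void)
{
    char utmp_path[48], realtty[48], fakeline[UT_LINESIZE], line[UT_LINESIZE + 1];
    char resolved[PATH_MAX], want[PATH_MAX];
    pid_t pid = getpid();
    int fd, rc = 0;
    snprintf(utmp_path, sizeof utmp_path, "/tmp/utmp.%ld", (long)pid);
    snprintf(realtty, sizeof realtty, "/tmp/realtty.%ld", (long)pid);
    snprintf(fakeline, sizeof fakeline, "/tmp/tty0.%ld", (long)pid);
    if ((fd = open(realtty, O_RDWR | O_CREAT, 0600)) < 0) return -1;
    if (symlink(realtty, fakeline) != 0) rc = -2;
    else if (forge_utmp_entry(utmp_path, pid, fakeline) != 0) rc = -3;
    else if (utmp_line_for_pid(utmp_path, pid, line, sizeof line) != 0
             || strcmp(line, fakeline) != 0) rc = -4;   /* login now believes /tmp/tty0 */
    else if (securetty_allows(line, DEMO_ALLOWED, DEMO_ALLOWED_N) != 0) rc = -5; /* refused */
    else if (claimed_line_is_fd_tty(line, fd, resolved, sizeof resolved) != 1) rc = -6;
    else if (realpath(realtty, want) == NULL || strcmp(resolved, want) != 0) rc = -7;
    close(fd);
    unlink(fakeline); unlink(realtty); unlink(utmp_path);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf(rc == 0 ? "string check refused the forged line; device check resolved it\n"
                   : "demo failed at step %d\n", -rc);
    return rc == 0 ? 0 : 1;
}
```

The same resolution step covers the pam_time/pam_group case: a symlink named after a privileged console resolves to the attacker's own terminal, so a policy keyed on the resolved name sees that terminal and not the name the attacker chose. A symlink to somebody else's terminal fails the device comparison outright.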
