Nth Dimension Security Advisory (NDSA2010907)

Date: 7th September 2010
Author: Tim Brown
URL: /
Product: Linux PAM 1.1.1
Vendor: Thorsten Kukuk
Risk: Low

Here's another bug where the pam_xauth module isn't checking the return value from setuid():

    run_coprocess(const char *input, char **output, uid_t uid, gid_t gid,
                  const char *command, ...)
    {
        ...
        /* Drop privileges. */
        setgid(gid);
        setgroups(0, NULL);
        setuid(uid);
        ...
        execv(command, args);
        /* Never reached. */
        _exit(1);
    }

An attacker with the ability to manipulate the number of processes running on the target account can cause RLIMIT_NPROC to be breached when run_coprocess() is called to execute "xauth merge" as the target user:

    /* Get the target user's UID and primary GID, which we'll need to set
     * on the xauthority file we create later on. */
    tpwd = pam_modutil_getpwnam(pamh, user);
    ...
    run_coprocess(cookie, &tmp, tpwd->pw_uid, tpwd->pw_gid,
                  xauth, "-f", cookiefile, "nmerge", "-", NULL);

Whilst I do not believe that this is trivially exploitable, perhaps the code could be refactored to ensure that run_coprocess correctly drops privileges. As things stand, any code after the setuid() call at line 131 could be forced to run with inappropriate privileges by an attacker with existing access to the target account who causes the RLIMIT_NPROC resource limit to be breached: setuid() then fails, and because its return value is never checked the child carries on to execv() with the caller's uid still in place.

Is it just me or does "I fail to see how RLIMIT_NPROC should have any affect on setuid." in the comments seem a touch disconcerting given that it's from the PAM maintainer?

I didn't think this warranted a full advisory as I haven't found a useful way to exploit it, but Secunia[2], OSVDB[3] and VUPEN[4] amongst others picked it up from a post[5] by me about it to oss-security. Interestingly, the PAM maintainer has now committed a fix[6].
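The check the advisory asks for, as an added example that is neither pam_xauth's own code nor the maintainer's fix[6]: a privilege drop that refuses to continue when setuid() fails. The priv_ops table, the DROP_* error codes and the fake_* stand-ins are assumptions made here so the RLIMIT_NPROC failure path can be exercised without root.

```c
/* Added example, not Linux-PAM code: a hardened version of the privilege
 * drop in run_coprocess().  Every call is checked and a failure is reported
 * to the caller (the forked child would _exit() on it), so a setuid() that
 * fails with EAGAIN because RLIMIT_NPROC was breached can no longer fall
 * through to execv() with the parent's uid still in place.  The calls go
 * through an ops table only so the failure path can be driven without root. */
#include <errno.h>
#include <grp.h>
#include <unistd.h>
#include <sys/types.h>
int setgroups(size_t size, const gid_t *list); /* glibc prototype, in case feature macros hide it */

struct priv_ops {
    int   (*setgid)(gid_t);
    int   (*setgroups)(size_t, const gid_t *);
    int   (*setuid)(uid_t);
    uid_t (*getuid)(void);
    uid_t (*geteuid)(void);
};

enum { DROP_OK = 0, DROP_ERR_SETGID, DROP_ERR_SETGROUPS, DROP_ERR_SETUID, DROP_ERR_VERIFY };

/* Switch to uid/gid; returns DROP_OK or the step that failed (errno is left as
 * the failing call set it).  Groups first, uid last: once the uid is dropped
 * there is no longer the privilege to change the gid or supplementary groups. */
int drop_privileges(const struct priv_ops *ops, uid_t uid, gid_t gid)
{
    if (ops->setgid(gid) != 0)
        return DROP_ERR_SETGID;
    if (ops->setgroups(0, NULL) != 0)
        return DROP_ERR_SETGROUPS;
    if (ops->setuid(uid) != 0)          /* the call pam_xauth 1.1.1 left unchecked */
        return DROP_ERR_SETUID;
    /* Belt and braces: confirm the kernel really switched both ids. */
    if (ops->getuid() != uid || ops->geteuid() != uid)
        return DROP_ERR_VERIFY;
    return DROP_OK;
}

/* The real libc calls, for use in the child before execv(). */
const struct priv_ops libc_ops = { setgid, setgroups, setuid, getuid, geteuid };

/* Constructed stand-ins mimicking a setuid() that hits the target's RLIMIT_NPROC. */
static int   fake_gid_ok(gid_t g) { (void)g; return 0; }
static int   fake_groups_ok(size_t n, const gid_t *l) { (void)n; (void)l; return 0; }
static int   fake_setuid_eagain(uid_t u) { (void)u; errno = EAGAIN; return -1; }
static uid_t fake_id_root(void) { return 0; }
const struct priv_ops nproc_exhausted_ops = {
    fake_gid_ok, fake_groups_ok, fake_setuid_eagain, fake_id_root, fake_id_root
};
```

With libc_ops the result depends on who runs it: root gets DROP_OK, an unprivileged user stops at setgroups() with EPERM, and in neither case does control continue past a failed step.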
[1] http://sourceforge.net/tracker/?func=detail&aid=3028213&group_id=6663&atid=106663
[2] http://secunia.com/advisories/40978/
[3] http://osvdb.org/show/osvdb/67276
[4] http://www.vupen.com/english/advisories/2010/2121
[5] http://www.openwall.com/lists/oss-security/2010/08/16/2
[6] http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_xauth/pam_xauth.c?revision=1.21&view=markup