Ubuntu closes root hole

Chat about Linux in general

Ubuntu closes root hole

Postby linuxviolin on Wed Jul 14, 2010 9:04 pm

How idiot should you be to have such a root exploit in Ubuntu? http://www.h-online.com/open/news/item/Ubuntu-closes-root-hole-1034618.html (8 July 2010)

A flaw in the module pam_motd (message of the day), which displays the daily motto and other information after login (to the shell), can be exploited under Ubuntu to expand access rights. Attackers can exploit this vulnerability to gain root access. Ubuntu has already provided a patch for the flaw. Operators of multi-users systems should install it as soon as possible because directions are already in circulation via Twitter on how to exploit the flaw to get access rights to the password file /etc/shadow. The file can then not only be read, but changed.

The problem is the result of the excessively high access rights with which pam_motd stores or modifies the file motd.legal-notice in the user's local cache directory after login. That file is designed to show whether the legal notice was displayed, but the module performs that function with root rights. With a symlink from the cache to the password file, the owner can be changed with a new login.

According to the developers, the problem only occurs on Ubuntu; other Linux systems are reportedly not affected. Ubuntu has remedied the flaw by taking root rights away from the module for access to the file motd.legal-notice (under .cache).

Fortunately, Ubuntu closed this root hole but... :roll: It is talk of possibly switching the basis to Debian, right? A good idea I guess... :!: :idea:
K.I.S.S. ===> "Keep It Simple, Stupid"
"Simplicity is the ultimate sophistication." (Leonardo da Vinci)
"Everything should be made as simple as possible, but no simpler." (Albert Einstein)
User avatar
linuxviolin
Level 8
Level 8
 
Posts: 2055
Joined: Tue Feb 27, 2007 6:55 pm
Location: France

Linux Mint is funded by ads and donations.
 

Re: Ubuntu closes root hole

Postby libssd on Wed Jul 14, 2010 9:28 pm

linuxviolin wrote:According to[/url] the developers, the problem only occurs on Ubuntu; other Linux systems are reportedly not affected.[/b] Ubuntu has remedied the flaw by taking root rights away from the module for access to the file motd.legal-notice (under .cache).

This doesn't sound right, as MOTD is enabled by default in Mint, but not in Ubuntu. I found it extremely annoying to get a stupid fortune cookie message every time I opened terminal in Mint.
libssd
Level 4
Level 4
 
Posts: 289
Joined: Tue Jun 22, 2010 11:26 am

Re: Ubuntu closes root hole

Postby linuxviolin on Wed Jul 14, 2010 9:38 pm

libssd wrote:This doesn't sound right, as MOTD is enabled by default in Mint, but not in Ubuntu..

Well, you can be surprised but the problem was there. Read the 3 links in the article... e.g. from the firt link, https://lists.ubuntu.com/archives/ubuntu-security-announce/2010-July/001117.html

[USN-959-1] PAM vulnerability

Ubuntu Security Notice USN-959-1 July 07, 2010
pam vulnerability
CVE-2010-0832
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.10:
libpam-modules 1.1.0-2ubuntu1.1

Ubuntu 10.04 LTS:
libpam-modules 1.1.1-2ubuntu5

In general, a standard system update will make all the necessary changes.

Details follow:

Denis Excoffier discovered that the PAM MOTD module in Ubuntu did
not correctly handle path permissions when creating user file stamps.
A local attacker could exploit this to gain root privilieges.


Or the third, http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/karmic/pam/karmic-updates/revision/58:

* SECURITY UPDATE: root privilege escalation via symlink following.
- debian/patches-applied/pam_motd-legal-notice: drop privs for work.
- CVE-2010-0832
K.I.S.S. ===> "Keep It Simple, Stupid"
"Simplicity is the ultimate sophistication." (Leonardo da Vinci)
"Everything should be made as simple as possible, but no simpler." (Albert Einstein)
User avatar
linuxviolin
Level 8
Level 8
 
Posts: 2055
Joined: Tue Feb 27, 2007 6:55 pm
Location: France

Re: Ubuntu closes root hole

Postby Bill Gates on Fri Aug 06, 2010 1:43 am

"I think a better name for PAM might be SCAM, for Swiss Cheese Authentication
Modules, and have never felt that the small amount of convenience it provides
is worth the great loss of system security." -- Patrick Volkerding
Bill Gates
Level 1
Level 1
 
Posts: 25
Joined: Fri Jan 16, 2009 5:07 am


Return to Chat about Linux

Who is online

Users browsing this forum: No registered users and 2 guests