Fortunately, Ubuntu closed this root hole but... It is talk of possibly switching the basis to Debian, right? A good idea I guess...A flaw in the module pam_motd (message of the day), which displays the daily motto and other information after login (to the shell), can be exploited under Ubuntu to expand access rights. Attackers can exploit this vulnerability to gain root access. Ubuntu has already provided a patch for the flaw. Operators of multi-users systems should install it as soon as possible because directions are already in circulation via Twitter on how to exploit the flaw to get access rights to the password file /etc/shadow. The file can then not only be read, but changed.
The problem is the result of the excessively high access rights with which pam_motd stores or modifies the file motd.legal-notice in the user's local cache directory after login. That file is designed to show whether the legal notice was displayed, but the module performs that function with root rights. With a symlink from the cache to the password file, the owner can be changed with a new login.
According to the developers, the problem only occurs on Ubuntu; other Linux systems are reportedly not affected. Ubuntu has remedied the flaw by taking root rights away from the module for access to the file motd.legal-notice (under .cache).
Ubuntu closes root hole
Forum rules
Do not post support questions here. Before you post read the forum rules. Topics in this forum are automatically closed 6 months after creation.
Do not post support questions here. Before you post read the forum rules. Topics in this forum are automatically closed 6 months after creation.
- linuxviolin
- Level 8
- Posts: 2081
- Joined: Tue Feb 27, 2007 6:55 pm
- Location: France
Ubuntu closes root hole
How idiot should you be to have such a root exploit in Ubuntu? http://www.h-online.com/open/news/item/ ... 34618.html (8 July 2010)
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
K.I.S.S. ===> "Keep It Simple, Stupid"
"Simplicity is the ultimate sophistication." (Leonardo da Vinci)
"Everything should be made as simple as possible, but no simpler." (Albert Einstein)
"Simplicity is the ultimate sophistication." (Leonardo da Vinci)
"Everything should be made as simple as possible, but no simpler." (Albert Einstein)
Re: Ubuntu closes root hole
This doesn't sound right, as MOTD is enabled by default in Mint, but not in Ubuntu. I found it extremely annoying to get a stupid fortune cookie message every time I opened terminal in Mint.linuxviolin wrote:According to[/url] the developers, the problem only occurs on Ubuntu; other Linux systems are reportedly not affected.[/b] Ubuntu has remedied the flaw by taking root rights away from the module for access to the file motd.legal-notice (under .cache).
- linuxviolin
- Level 8
- Posts: 2081
- Joined: Tue Feb 27, 2007 6:55 pm
- Location: France
Re: Ubuntu closes root hole
Well, you can be surprised but the problem was there. Read the 3 links in the article... e.g. from the firt link, https://lists.ubuntu.com/archives/ubunt ... 01117.htmllibssd wrote:This doesn't sound right, as MOTD is enabled by default in Mint, but not in Ubuntu..
Or the third, http://bazaar.launchpad.net/~ubuntu-bra ... evision/58:[USN-959-1] PAM vulnerability
Ubuntu Security Notice USN-959-1 July 07, 2010
pam vulnerability
CVE-2010-0832
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 9.10
Ubuntu 10.04 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 9.10:
libpam-modules 1.1.0-2ubuntu1.1
Ubuntu 10.04 LTS:
libpam-modules 1.1.1-2ubuntu5
In general, a standard system update will make all the necessary changes.
Details follow:
Denis Excoffier discovered that the PAM MOTD module in Ubuntu did
not correctly handle path permissions when creating user file stamps.
A local attacker could exploit this to gain root privilieges.
* SECURITY UPDATE: root privilege escalation via symlink following.
- debian/patches-applied/pam_motd-legal-notice: drop privs for work.
- CVE-2010-0832
K.I.S.S. ===> "Keep It Simple, Stupid"
"Simplicity is the ultimate sophistication." (Leonardo da Vinci)
"Everything should be made as simple as possible, but no simpler." (Albert Einstein)
"Simplicity is the ultimate sophistication." (Leonardo da Vinci)
"Everything should be made as simple as possible, but no simpler." (Albert Einstein)
Re: Ubuntu closes root hole
"I think a better name for PAM might be SCAM, for Swiss Cheese Authentication
Modules, and have never felt that the small amount of convenience it provides
is worth the great loss of system security." -- Patrick Volkerding
Modules, and have never felt that the small amount of convenience it provides
is worth the great loss of system security." -- Patrick Volkerding