Bug 48788 (CVE-2003-0690)

Summary:	VUL-0: CVE-2003-0690: XDM: root access in conjunction with kerberos
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Thomas Biege <thomas>
Component:	Incidents	Assignee:	Thomas Biege <thomas>
Status:	RESOLVED FIXED	QA Contact:	E-mail List <qa-bugs>
Severity:	Normal
Priority:	P3 - Medium	CC:	security-team, sndirsch
Version:	unspecified
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	CVE-2003-0690: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---
Attachments:	patchinfo patchinfo for the box products patchinfo-box.xf86 patchinfo.xf86

Description Thomas Biege 2004-01-02 18:26:16 UTC

Hi, 
this bug was fixed in KDM but it seems to affect XDM too. 
 
 
--- 
Von: 	Mandrake Linux Security Team <security@linux-mandrake.com> 
An: 	bugtraq@securityfocus.com 
Betreff: 	MDKSA-2003:118 - Updated XFree86 packages fix xdm 
vulnerability 
Datum: 	19 Dec 2003 12:35:56 -0000	 
-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1 
 
 _______________________________________________________________________ 
 
                Mandrake Linux Security Update Advisory 
 _______________________________________________________________________ 
 
 Package name:           XFree86 
 Advisory ID:            MDKSA-2003:118 
 Date:                   December 19th, 2003 
 
 Affected versions:      9.0, 9.1, 9.2, Corporate Server 2.1 
 ______________________________________________________________________ 
 
 Problem Description: 
 
 A vulnerability was discovered in the XDM display manager that ships 
 with XFree86.  XDM does not check for successful completion of the 
 pam_setcred() call and in the case of error conditions in the 
 installed PAM modules, XDM may grant local root access to any user 
 with valid login credentials.  It has been reported that a certain 
 configuration of the MIT pam_krb5 module can result in a failing 
 pam_setcred() call which leaves the session alive and would provide 
 root access to any regular user.  It is also possible that this 
 vulnerability can likewise be exploited with other PAM modules in a 
 similar manner. 
  
 A backported patch from XFree86 4.3 that corrects this vulnerability 
 has been applied to these updated packages. 
 _______________________________________________________________________ 
 
 References: 
 
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0690 
[...] 
---

Comment 1 Thomas Biege 2004-01-02 18:26:16 UTC

<!-- SBZ_reproduce  -->
-

Comment 2 Thomas Biege 2004-01-02 20:49:32 UTC

Created attachment 15566 [details]
patchinfo

Comment 3 Thomas Biege 2004-01-02 20:51:21 UTC

Created attachment 15567 [details]
patchinfo for the box products

Comment 4 Stefan Dirsch 2004-01-03 03:34:01 UTC

Is there a patch available? Are you sure we use pam_krb5 with XDM? Is this 
some entry in /etc/pam.d/xdm?

Comment 5 Stefan Dirsch 2004-01-03 03:38:35 UTC

Maybe Thorsten and/or Werner can comment here as well?

Comment 6 Thorsten Kukuk 2004-01-06 21:09:21 UTC

There is nothing to comment: Check, if xdm checks the pam_setcred 
return value or not. If the pam_setcred return value is ignored, 
xdm is buggy. 
This has nothing to do with pam_krb5 and could be a problem with a  
lot of more PAM modules.

Comment 7 Thomas Biege 2004-01-06 21:19:15 UTC

Thorsten, that is right. It has nothing to do with the specific PAM module. 
But it is a exploitable example. 
 
Stefan, Mandrake released the advisory so they have the patch in their RPM 
package. Additionally Adrian made an equal update for KDM and may help you 
too.

Comment 8 Stefan Dirsch 2004-01-06 23:41:57 UTC

This is already fixed on SuSE because I took the XFree86 4.3.0 stable branch 
(with security fixes) instead of plain XFree86 4.3.0. This seems to be the 
patch (on success 1 is returned). 
 
[...] 
            return (0); 
        } 
 #endif   /* QNX4 doesn't support multi-groups, no initgroups() */ 
 #ifdef USE_PAM 
-       if (thepamh()) { 
-           if (pam_setcred(thepamh(), PAM_ESTABLISH_CRED) != PAM_SUCCESS) { 
-               LogError("pam_setcred for %\"s failed, errno=%d\n", 
-                        name, errno); 
+       if (pamh) { 
+           pam_error = pam_setcred (pamh, PAM_ESTABLISH_CRED); 
+           if (pam_error != PAM_SUCCESS) { 
+               LogError ("pam_setcred for \"%s\" failed: %s\n", 
+                        name, pam_strerror(pamh, pam_error)); 
                return(0); 
            } 
        } 
 #endif 
[...] 
 
# cvs log session.c 
[...] 
use pam_strerror() to print an error message after pam_setcred() fails, 
[...]

Comment 9 Stefan Dirsch 2004-01-06 23:48:44 UTC

Forget about my last comment. This looks more like some cleanup.

Comment 10 Stefan Dirsch 2004-01-06 23:52:43 UTC

Sorry, this is the correct one. This is the earlier fix also in the 4.3.0 
stable branch: 
 
@@ -604,7 +604,11 @@ 
 #endif   /* QNX4 doesn't support multi-groups, no initgroups() */ 
 #ifdef USE_PAM 
        if (thepamh()) { 
-           pam_setcred(thepamh(), PAM_ESTABLISH_CRED); 
+           if (pam_setcred(thepamh(), PAM_ESTABLISH_CRED) != PAM_SUCCESS) { 
+               LogError("pam_setcred for %\"s failed, errno=%d\n", 
+                        name, errno); 
+               return(0); 
+           } 
        } 
 #endif 
        if (setuid(verify->uid) < 0)

Comment 11 Thomas Biege 2004-01-07 16:30:45 UTC

Any SL version >= 8.0 that do not include this patch?

Comment 12 Stefan Dirsch 2004-01-07 16:59:35 UTC

Sorry, your patchinfo files were for 8.2/9.0 only. So this is a completely new 
question, correct?

Comment 13 Thomas Biege 2004-01-07 18:00:22 UTC

This was not my intention. Maybe the package name was another befoer 8.2?

Comment 14 Stefan Dirsch 2004-01-07 18:06:14 UTC

Yes. The package name was xf86 before.

Comment 15 Thomas Biege 2004-01-07 19:18:54 UTC

Created attachment 15587 [details]
patchinfo-box.xf86

Comment 16 Thomas Biege 2004-01-07 19:21:40 UTC

Created attachment 15588 [details]
patchinfo.xf86

Comment 17 Stefan Dirsch 2004-01-07 22:52:44 UTC

Ok. I would like to see the patch Adrian used for KDM. Adrian?

Comment 18 Adrian Schröter 2004-01-07 22:57:46 UTC

/work/SRC/old-versions/8.2/all/kdebase3/post-3.1.3-kdebase-kdm.patch 
 
but it covers more issues, the interessting part in this context is the last 
part.

Comment 19 Stefan Dirsch 2004-01-07 23:08:10 UTC

Thanks for the patch. The patch in Comment #10 looks ok for me then.

Comment 20 Stefan Dirsch 2004-01-07 23:26:04 UTC

Ouch. We need the patch for SuSE 8.2 and 9.0 as well. I just saw that the 
patch in the 4.3.0 stable branch was applied after I made a tarball of it 
for our products. :-(

Comment 21 Stefan Dirsch 2004-01-08 13:22:38 UTC

pam_setcred() isn't used yet in XFree86 of SuSE 7.2. Therefore we won't need a  
security update for SLES7-*. Only for SLES7-PPC as this is SuSE 7.3 based.

Comment 22 Stefan Dirsch 2004-01-08 17:14:16 UTC

fixed.

Comment 23 Thomas Biege 2004-01-08 17:43:04 UTC

<!-- SBZ_reopen -->Reopened by thomas@suse.de at Thu Jan  8 10:43:04 2004

Comment 24 Thomas Biege 2004-01-08 17:43:04 UTC

reopen, reassign for tracking

Comment 25 Thomas Biege 2004-01-27 22:10:16 UTC

packages approved

Comment 26 Thomas Biege 2009-10-13 19:43:34 UTC

CVE-2003-0690: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)