Bug 48788 (CVE-2003-0690) - VUL-0: CVE-2003-0690: XDM: root access in conjunction with kerberos
Summary: VUL-0: CVE-2003-0690: XDM: root access in conjunction with kerberos
Status: RESOLVED FIXED
Alias: CVE-2003-0690
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All Linux
Importance: P3 - Medium, Normal
Target Milestone: ---
Assignee: Thomas Biege
QA Contact: E-mail List
URL:
Whiteboard: CVE-2003-0690: CVSS v2 Base Score: 10...
Keywords:
Depends on:
Blocks:
 
Reported: 2004-01-02 18:26 UTC by Thomas Biege
Modified: 2021-09-29 14:55 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
patchinfo (423 bytes, text/plain), 2004-01-02 20:49 UTC, Thomas Biege
patchinfo for the box products (565 bytes, text/plain), 2004-01-02 20:51 UTC, Thomas Biege
patchinfo-box.xf86 (551 bytes, text/plain), 2004-01-07 19:18 UTC, Thomas Biege
patchinfo.xf86 (522 bytes, text/plain), 2004-01-07 19:21 UTC, Thomas Biege

Description Thomas Biege 2004-01-02 18:26:16 UTC
Hi, 
this bug was fixed in KDM but it seems to affect XDM too. 
 
 
--- 
From:    Mandrake Linux Security Team <security@linux-mandrake.com> 
To:      bugtraq@securityfocus.com 
Subject: MDKSA-2003:118 - Updated XFree86 packages fix xdm vulnerability 
Date:    19 Dec 2003 12:35:56 -0000 
-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1 
 
 _______________________________________________________________________ 
 
                Mandrake Linux Security Update Advisory 
 _______________________________________________________________________ 
 
 Package name:           XFree86 
 Advisory ID:            MDKSA-2003:118 
 Date:                   December 19th, 2003 
 
 Affected versions:      9.0, 9.1, 9.2, Corporate Server 2.1 
 ______________________________________________________________________ 
 
 Problem Description: 
 
 A vulnerability was discovered in the XDM display manager that ships 
 with XFree86.  XDM does not check for successful completion of the 
 pam_setcred() call and in the case of error conditions in the 
 installed PAM modules, XDM may grant local root access to any user 
 with valid login credentials.  It has been reported that a certain 
 configuration of the MIT pam_krb5 module can result in a failing 
 pam_setcred() call which leaves the session alive and would provide 
 root access to any regular user.  It is also possible that this 
 vulnerability can likewise be exploited with other PAM modules in a 
 similar manner. 
  
 A backported patch from XFree86 4.3 that corrects this vulnerability 
 has been applied to these updated packages. 
 _______________________________________________________________________ 
 
 References: 
 
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0690 
[...] 
---
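The advisory above describes the defect as a single missing check: xdm called pam_setcred() and threw away its result. The following is an added illustration, not xdm's session.c and not Mandrake's or SUSE's patch. It models the pre-patch and patched shapes of that code side by side; libpam is replaced by a constructed stub (the pam_setcred()/pam_strerror() names and signatures mirror the real API, but the bodies, the PAM_CRED_ERR value and the user name "alice" are this example's own), and a session_outcome record stands in for the real process state and log output.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the libpam interface so the example builds
 * without libpam. Names and signatures follow the real API; the bodies
 * and numeric values belong to this example only. */
#define PAM_SUCCESS        0
#define PAM_CRED_ERR       17
#define PAM_ESTABLISH_CRED 0x0002

typedef struct pam_handle {
    int setcred_result;          /* what the stub pam_setcred() will return */
} pam_handle_t;

static int pam_setcred(pam_handle_t *pamh, int flags)
{
    (void)flags;
    return pamh->setcred_result;
}

static const char *pam_strerror(pam_handle_t *pamh, int errnum)
{
    (void)pamh;
    return errnum == PAM_SUCCESS ? "Success" : "Failure setting user credentials";
}

/* Stands in for xdm's process state and LogError() output. */
struct session_outcome {
    int  launched;               /* 1 if the session would have been started */
    char last_error[128];        /* what LogError() would have printed */
};

/* Pre-patch shape: the pam_setcred() result is discarded, so the session is
 * started no matter what the PAM stack did with the user's credentials. */
static int start_client_unchecked(pam_handle_t *pamh, const char *name,
                                  struct session_outcome *out)
{
    (void)name;
    pam_setcred(pamh, PAM_ESTABLISH_CRED);
    out->last_error[0] = '\0';
    out->launched = 1;           /* carries on to the privilege drop and exec */
    return 1;
}

/* Patched shape: a failed pam_setcred() is logged via pam_strerror() and the
 * function returns 0 before the session goes ahead; the caller treats 0 as
 * "do not start this session". */
static int start_client_checked(pam_handle_t *pamh, const char *name,
                                struct session_outcome *out)
{
    int pam_error = pam_setcred(pamh, PAM_ESTABLISH_CRED);
    if (pam_error != PAM_SUCCESS) {
        snprintf(out->last_error, sizeof out->last_error,
                 "pam_setcred for \"%s\" failed: %s",
                 name, pam_strerror(pamh, pam_error));
        out->launched = 0;
        return 0;
    }
    out->last_error[0] = '\0';
    out->launched = 1;
    return 1;
}

/* Run one variant against a given stub result; returns the launched flag. */
static int would_launch(int checked, int setcred_result)
{
    pam_handle_t h = { setcred_result };
    struct session_outcome out;
    return checked ? start_client_checked(&h, "alice", &out)
                   : start_client_unchecked(&h, "alice", &out);
}

/* The diagnostic the patched variant records for a given stub result. */
static const char *checked_error_for(int setcred_result)
{
    static struct session_outcome out;
    pam_handle_t h = { setcred_result };
    start_client_checked(&h, "alice", &out);
    return out.last_error;
}

int main(void)
{
    /* Constructed: a PAM stack whose setcred step fails, as with the
     * misconfigured pam_krb5 case the advisory mentions. */
    printf("unchecked: launched=%d\n", would_launch(0, PAM_CRED_ERR));
    printf("checked:   launched=%d (%s)\n", would_launch(1, PAM_CRED_ERR),
           checked_error_for(PAM_CRED_ERR));
    return 0;
}
```

The only difference between the two variants is that the patched one inspects the return value and bails out before anything that depends on the credentials having been established; reporting the failure through pam_strerror() rather than errno matters because PAM calls signal errors through their return code, not errno.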
Comment 1 Thomas Biege 2004-01-02 18:26:16 UTC
-
Comment 2 Thomas Biege 2004-01-02 20:49:32 UTC
Created attachment 15566 [details]
patchinfo
Comment 3 Thomas Biege 2004-01-02 20:51:21 UTC
Created attachment 15567 [details]
patchinfo for the box products
Comment 4 Stefan Dirsch 2004-01-03 03:34:01 UTC
Is there a patch available? Are you sure we use pam_krb5 with XDM? Is this 
some entry in /etc/pam.d/xdm?  
Comment 5 Stefan Dirsch 2004-01-03 03:38:35 UTC
Maybe Thorsten and/or Werner can comment here as well? 
Comment 6 Thorsten Kukuk 2004-01-06 21:09:21 UTC
There is nothing to comment: check whether xdm checks the pam_setcred 
return value or not. If the pam_setcred return value is ignored, 
xdm is buggy. 
This has nothing to do with pam_krb5 and could be a problem with a 
lot more PAM modules. 
Comment 7 Thomas Biege 2004-01-06 21:19:15 UTC
Thorsten, that is right. It has nothing to do with the specific PAM module. 
But it is an exploitable example. 
 
Stefan, Mandrake released the advisory so they have the patch in their RPM 
package. Additionally Adrian made an equal update for KDM and may help you 
too. 
Comment 8 Stefan Dirsch 2004-01-06 23:41:57 UTC
This is already fixed on SuSE because I took the XFree86 4.3.0 stable branch 
(with security fixes) instead of plain XFree86 4.3.0. This seems to be the 
patch (on success 1 is returned). 
 
[...] 
            return (0); 
        } 
 #endif   /* QNX4 doesn't support multi-groups, no initgroups() */ 
 #ifdef USE_PAM 
-       if (thepamh()) { 
-           if (pam_setcred(thepamh(), PAM_ESTABLISH_CRED) != PAM_SUCCESS) { 
-               LogError("pam_setcred for %\"s failed, errno=%d\n", 
-                        name, errno); 
+       if (pamh) { 
+           pam_error = pam_setcred (pamh, PAM_ESTABLISH_CRED); 
+           if (pam_error != PAM_SUCCESS) { 
+               LogError ("pam_setcred for \"%s\" failed: %s\n", 
+                        name, pam_strerror(pamh, pam_error)); 
                return(0); 
            } 
        } 
 #endif 
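Review bot: `pam_error` is assigned on the `+` line but its declaration is outside the hunk; confirm an `int pam_error` exists in the enclosing function, or this does not build. Replacing `errno` with `pam_strerror(pamh, pam_error)` in the LogError call is the right change, since PAM functions report failure through their return value rather than errno, and the old format `%\"s` has the quote inside the conversion, where a printf-style LogError would not read it as a quoted `%s`; `\"%s\"` is the correct spelling. The `return(0)` on failure is retained, so this hunk improves the diagnostics only and does not change the security behaviour.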
[...] 
 
# cvs log session.c 
[...] 
use pam_strerror() to print an error message after pam_setcred() fails, 
[...] 
 
Comment 9 Stefan Dirsch 2004-01-06 23:48:44 UTC
Forget about my last comment. This looks more like some cleanup. 
Comment 10 Stefan Dirsch 2004-01-06 23:52:43 UTC
Sorry, this is the correct one. This is the earlier fix also in the 4.3.0 
stable branch: 
 
@@ -604,7 +604,11 @@ 
 #endif   /* QNX4 doesn't support multi-groups, no initgroups() */ 
 #ifdef USE_PAM 
        if (thepamh()) { 
-           pam_setcred(thepamh(), PAM_ESTABLISH_CRED); 
+           if (pam_setcred(thepamh(), PAM_ESTABLISH_CRED) != PAM_SUCCESS) { 
+               LogError("pam_setcred for %\"s failed, errno=%d\n", 
+                        name, errno); 
+               return(0); 
+           } 
        } 
 #endif 
        if (setuid(verify->uid) < 0) 
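Review bot: the early `return(0)` when `pam_setcred()` does not return `PAM_SUCCESS` is the substantive fix here, and it sits before the `setuid(verify->uid)` call shown in the context, so a failed credential setup no longer lets the function proceed with the session; confirm the caller treats 0 as a hard failure and ends the session rather than carrying on. Two smaller points on the LogError line: `errno` is not set by PAM calls, so `pam_strerror()` on the return value would give a meaningful message, and the format `%\"s` puts the quote inside the conversion where `\"%s\"` was intended. Also check that `thepamh()` resolves in this branch, since the later diff in Comment #8 replaces it with a plain `pamh`.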
 
Comment 11 Thomas Biege 2004-01-07 16:30:45 UTC
Any SL version >= 8.0 that does not include this patch? 
Comment 12 Stefan Dirsch 2004-01-07 16:59:35 UTC
Sorry, your patchinfo files were for 8.2/9.0 only. So this is a completely new 
question, correct? 
Comment 13 Thomas Biege 2004-01-07 18:00:22 UTC
This was not my intention. Maybe the package name was another before 8.2? 
 
Comment 14 Stefan Dirsch 2004-01-07 18:06:14 UTC
Yes. The package name was xf86 before. 
Comment 15 Thomas Biege 2004-01-07 19:18:54 UTC
Created attachment 15587 [details]
patchinfo-box.xf86
Comment 16 Thomas Biege 2004-01-07 19:21:40 UTC
Created attachment 15588 [details]
patchinfo.xf86
Comment 17 Stefan Dirsch 2004-01-07 22:52:44 UTC
Ok. I would like to see the patch Adrian used for KDM. Adrian? 
Comment 18 Adrian Schröter 2004-01-07 22:57:46 UTC
/work/SRC/old-versions/8.2/all/kdebase3/post-3.1.3-kdebase-kdm.patch 
 
but it covers more issues; the interesting part in this context is the last 
part. 
Comment 19 Stefan Dirsch 2004-01-07 23:08:10 UTC
Thanks for the patch. The patch in Comment #10 looks ok for me then. 
Comment 20 Stefan Dirsch 2004-01-07 23:26:04 UTC
Ouch. We need the patch for SuSE 8.2 and 9.0 as well. I just saw that the 
patch in the 4.3.0 stable branch was applied after I made a tarball of it 
for our products. :-( 
 
 
Comment 21 Stefan Dirsch 2004-01-08 13:22:38 UTC
pam_setcred() isn't used yet in XFree86 of SuSE 7.2. Therefore we won't need a  
security update for SLES7-*. Only for SLES7-PPC as this is SuSE 7.3 based. 
Comment 22 Stefan Dirsch 2004-01-08 17:14:16 UTC
fixed. 
Comment 23 Thomas Biege 2004-01-08 17:43:04 UTC
Reopened by thomas@suse.de at Thu Jan  8 10:43:04 2004
Comment 24 Thomas Biege 2004-01-08 17:43:04 UTC
reopen, reassign for tracking 
Comment 25 Thomas Biege 2004-01-27 22:10:16 UTC
packages approved 
Comment 26 Thomas Biege 2009-10-13 19:43:34 UTC
CVE-2003-0690: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)