

PAM Vulnerability in Ubuntu allowing root access - Kototama
https://lists.ubuntu.com/archives/ubuntu-security-announce/2010-July/001117.html

======
openfly
It looks like a user could reset an environment variable, resulting in
convincing the PAM module ( running as root ) to write a file somewhere the
user should not be able to write. I assume since this could allow root access,
it can overwrite something that can be executed as root by another process.

~~~
nuclear_eclipse
Actually, from the looks of the tweet linked above, it seems to allow a user
to chown an arbitrary system file so that it is owned by him, in that case the
shadow file. Having access to the shadow file would allow the user to
trivially reset the password for every account on the machine, including root.
With that access, a user could then do just about anything to the box, and
then reset the password/shadow file back to its old value/permissions so that
sysadmins would be none the wiser.
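A defender's counter to the scenario above (a critical file silently chowned to an unprivileged user and later restored) is a periodic owner/mode baseline check. The script below is an added example for this thread, not code from the advisory or from any commenter; it assumes GNU coreutils `stat` (the `-c` format flag) and that the administrator supplies the expected owner and octal mode for each file as their own baseline (the `root 640` values in the comment are a typical `/etc/shadow` setting, stated here as an assumption, and the audit list itself is a constructed sample).

```shell
#!/bin/sh
# Baseline check for ownership and permissions of sensitive files.
# Added example; assumes GNU stat. Run it from cron and page on any ALERT line.

# check_owner_mode FILE EXPECTED_OWNER EXPECTED_OCTAL_MODE
# Prints OK or ALERT and returns 0 only when both owner and mode match.
check_owner_mode() {
    file=$1
    want_owner=$2
    want_mode=$3
    if [ ! -e "$file" ]; then
        echo "MISSING $file"
        return 1
    fi
    # %U = owner user name, %a = permission bits in octal (GNU stat)
    have=$(stat -c '%U %a' "$file") || return 1
    have_owner=${have% *}
    have_mode=${have#* }
    if [ "$have_owner" != "$want_owner" ] || [ "$have_mode" != "$want_mode" ]; then
        echo "ALERT $file owner=$have_owner mode=$have_mode (expected $want_owner $want_mode)"
        return 1
    fi
    echo "OK $file"
    return 0
}

# audit_files reads "path owner mode" lines from stdin (blank lines and
# lines starting with # are skipped) and returns the number of mismatches,
# so a zero exit status means the whole baseline still holds.
audit_files() {
    bad=0
    while read -r path owner mode; do
        [ -z "$path" ] && continue
        case $path in
            \#*) continue ;;
        esac
        check_owner_mode "$path" "$owner" "$mode" || bad=$((bad + 1))
    done
    return $bad
}

# Usage (constructed sample baseline; adjust owner/mode to your own system):
#   printf '%s\n' '/etc/shadow root 640' '/etc/passwd root 644' | audit_files
```

Because the scenario in the comment ends with the attacker restoring the original owner and permissions, a single check only catches the window while the file is chowned; running it frequently and logging the ALERT lines to a remote host is what turns it into a usable detection.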

~~~
openfly
Neat. Similar idea but definitely different.

------
rufugee
Anyone care to describe _how_ this can be used to gain root? I'm running
Lucid...it'd be interesting to try the hack on myself before updating...

~~~
Kototama
Just one tweet will do it ;-)

<https://twitter.com/jonoberheide/status/18009527979>

~~~
qjz
Works for me on Mint (a Ubuntu derivative). I'm glad I use Slackware on my
production machines (no PAM).

------
barnaby
Thank you for posting this... I often ignore doing updates because they're
just not as interesting as other things I'm doing. This kicked my butt into
gear to install the updates.

~~~
xpaulbettsx
This is important if you're running a website too - this exploit can be used
to take over the machine if the hacker finds a way to execute code as the
website (i.e. once they used a different exploit to break in, they would be
able to escalate from www-data user to root).

------
poundy
I am on Ubuntu 10.04, what do I need to do besides updates and "proper" use to
remain safe? I don't have an antivirus or anything of that sort!

~~~
nuclear_eclipse
Assuming you're still using the default package mirrors, updating is
sufficient.

------
zokier
Is this bug restricted to ubuntu or does it affect debian/rhel etc?

~~~
callahad
I can't seem to replicate on a Debian unstable box, where pam hasn't been
updated since April [0], but I don't have an Ubuntu box handy to verify that
I'm properly trying to exploit it.

[0]: <http://packages.qa.debian.org/p/pam.html>

~~~
joeyh
The security hole was introduced by a Ubuntu-specific patch to pam. The
pam_motd-legal-notice patch was added in July 2009 due to
<https://bugs.launchpad.net/ubuntu/+source/pam/+bug/399071>

------
billybob
Dumb question - what's PAM? To me that means "phone as modem"...

~~~
callahad
Pluggable Authentication Modules. It's an auth framework used by many Linux
distributions.

See:
<http://en.wikipedia.org/wiki/Pluggable_Authentication_Modules>
and <http://en.wikipedia.org/wiki/Linux_PAM>

------
afhof
It didn't work on 9.04, which I guess is good.

