It looks like a user could reset an environment variable, resulting in convincing the PAM module (running as root) to write a file somewhere the user should not be able to write. I assume since this could allow root access, it can overwrite something that can be executed as root by another process.
Actually, from the looks of the tweet linked above, it seems to allow a user to chown an arbitrary system file so that it is owned by him, in that case the shadow file. Having access to the shadow file would allow the user to trivially reset the password for every account on the machine, including root. With that access, a user could then do just about anything to the box, and then reset the password/shadow file back to its old value/permissions so that sysadmins would be none the wiser.
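Added example, not part of any comment in this thread: a defender-side check for the scenario in the comment above, where a file such as the shadow file has its ownership changed and later reset. Changing and then restoring owner or mode still moves the inode's ctime, which `touch` cannot set back; the function names and baseline format are assumptions, and the demo uses a constructed temp file with `chmod` standing in for `chown`.

```python
import os
import stat
import tempfile
import time


def snapshot(path):
    """Record the ownership, permission bits and change time of a file."""
    st = os.stat(path)
    return {"uid": st.st_uid, "gid": st.st_gid,
            "mode": stat.S_IMODE(st.st_mode), "ctime_ns": st.st_ctime_ns}


def audit(path, baseline):
    """Compare a file against a stored baseline and return a list of findings."""
    now = snapshot(path)
    findings = [f"{key} changed: {baseline[key]} -> {now[key]}"
                for key in ("uid", "gid", "mode") if now[key] != baseline[key]]
    # Owner and mode match, but ctime moved: the inode was modified after the
    # baseline. A chown/chmod that was later reverted looks exactly like this.
    # A legitimate password change also moves ctime, so correlate with those.
    if not findings and now["ctime_ns"] != baseline["ctime_ns"]:
        findings.append("ctime moved since baseline although owner and mode match")
    return findings


def demo():
    """Constructed demo on a temp file; chmod stands in for the chown round trip."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o600)
        baseline = snapshot(path)
        clean = audit(path, baseline)
        time.sleep(0.05)            # let the filesystem timestamp tick
        os.chmod(path, 0o644)       # metadata change ...
        os.chmod(path, 0o600)       # ... reverted to the original value
        touched = audit(path, baseline)
    finally:
        os.unlink(path)
    return clean, touched


if __name__ == "__main__":
    print(demo())
```

For real use, take the snapshot of the sensitive file while the system is known good and keep the baseline off the host, so that someone with root on the box cannot rewrite it.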
Thank you for posting this... I often ignore doing updates because they're just not as interesting as other things I'm doing. This kicked my butt into gear to install the updates.
This is important if you're running a website too - this exploit can be used to take over the machine if the hacker finds a way to execute code as the website (i.e. once they used a different exploit to break in, they would be able to escalate from www-data user to root).
I can't seem to replicate on a Debian unstable box, where pam hasn't been updated since April [0], but I don't have an Ubuntu box handy to verify that I'm properly trying to exploit it.
PAM lets you, among other things, define new methods of authenticating the user - for example, if I wanted to make my computer log me on whenever it saw my Bluetooth phone in range, I'd write a PAM module