Linux pam_xauth could allow an attacker to gain privileges
|linux-pamxauth-gain-privileges (11254)||High Risk|
The Linux pam_xauth module could allow a local attacker to gain elevated privileges on the system, caused by an insecure default configuration. The pam_xauth module forwards MIT-Magic-Cookies to new X sessions and stores them in the a temporary .xauth file. A local attacker with limited system privileges could steal these cookies and gain root privileges on the system by forcing the root user to use "su" to login as the attacker, which would cause a temporary .xauth file to be created with the attacker's privileges.
For Red Hat Linux: Upgrade to the latest PAM package, as listed below. Refer to RHSA-2003:035-12 for more information. See References.
Red Hat Linux 7.1 for iSeries and pSeries: 0.75-46.7.1 or later
Red Hat Linux 7.2: 0.75-46.7.2 or later
Red Hat Linux 7.3: 0.75-46.7.3 or later
Red Hat Linux 8.0: 0.75-46.8.0 or later
For Mandrake Linux 8.1, 8.2, 9.0, and Multi Network Firewall 8.2, and Corporate Server 2.1:
Upgrade to the latest pam package (0.75-25.1mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2003:017-1:pam. See References.
For Conectiva Linux 8.0:
Upgrade to the latest pam package (0.75-5U80_1cl or later), as listed in Conectiva Linux Security Announcement CLA-2003:693. See References.
For Sun Linux 5.0:
Upgrade to the latest version of pam (0.75-46.7.2 or later), as listed in Sun Alert ID: 55760. See References.
As a workaround, follow the procedures listed in Sun Alert ID: 55760. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
- BugTraq Mailing List, 2002-12-14 4:48:28: BDT_AV200212140001: Insecure default: Using pam_xauth for su from sh-utils package.
- CIAC Information Bulletin N-045: Red Hat Updated PAM packages fix bug in pam_xauth Module.
- Conectiva Linux Security Announcement CLA-2003:693: pam. (From LinuxSecurity archive)
- Sun Alert ID: 55760: Sun Linux 5.0 Vulnerability in pam_xauth(8) Module May Allow Forwarding of Root Authorization to Unprivileged Users.
- BID-6753: PAM pam_xauth Module Unintended X Session Cookie Access Vulnerability
- CVE-2002-1160: The default configuration of the pam_xauth module forwards MIT-Magic-Cookies to new X sessions, which could allow local users to gain root privileges by stealing the cookies from a temporary .xauth file, which is created with the original user's credentials after root uses su.
- MDKSA-2003:017: Updated pam packages fix root authorization handling in pam_xauth module
- MDKSA-2003:017-1: Updated pam packages fix root authorization handling in pam_xauth module
- RHSA-2003-028: pam security update
- RHSA-2003-035: Updated PAM packages fix bug in pam_xauth module
- US-CERT VU#911505: pam_xauth may insecurely forward X MIT-Magic-Cookies to new sessions
- Conectiva Linux 8.0
- MandrakeSoft Mandrake Linux 8.1 IA64
- MandrakeSoft Mandrake Linux 8.1
- MandrakeSoft Mandrake Linux 8.2 PPC
- MandrakeSoft Mandrake Linux 8.2
- MandrakeSoft Mandrake Linux 9.0
- MandrakeSoft Mandrake Linux Corporate Server 2.1
- MandrakeSoft Mandrake Multi Network Firewall 8.2
- MandrakeSoft Mandrake Single Network Firewall 7.2
- RedHat Enterprise Linux 2.1 ES
- RedHat Enterprise Linux 2.1 WS
- RedHat Enterprise Linux 2.1 AS
- RedHat Linux 7
- RedHat Linux 7.1
- RedHat Linux 7.1 for iSeries
- RedHat Linux 7.1 for pSeries
- RedHat Linux 7.2
- RedHat Linux 7.3
- RedHat Linux 8.0
- RedHat Linux Advanced Workstation 2.1 Itanium
- Sun Linux 5.0
Feb 03, 2003
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this