Upgrade the PAM MOTD module

Jul 9, 2010 06:58 GMT  ·  By

A local privilege escalation vulnerability has been discovered in the PAM MOTD module and according to reports it is trivial to exploit. An update to the libpam-modules package has been released and admins are advised to upgrade immediately.

The PAM MOTD module allows an arbitrary message of the day (MOTD) to be displayed to users after a successful login. By default the file /etc/motd is used and its size is restricted to 64 KB, but a different file can be specified via the motd=/path/filename parameter.

Apparently the problem stems from the unusually high access rights of the motd.legal-notice file that pam_motd drops inside each user's local cache directory. “display_legal() can be tricked to follow a ~/.cache symlink and chown the target of the link to the unprivileged user. Trivial exploitation,” a security researcher named Jon Oberheide explains.
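The defensive counterpart to the pattern described above, as an added example that is not pam_motd's own code: the cache directory is opened with O_NOFOLLOW so a symlink planted there is rejected, the file is created relative to that directory descriptor, and fchown() operates on the open descriptor rather than on a path string that could be redirected. The function names, the temporary directory and the file contents are constructed for this demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `name` in `cache_dir` for uid/gid: 0 ok, 1 already exists, -1 refused/failed. */
int write_notice_safely(const char *cache_dir, const char *name,
                        uid_t uid, gid_t gid, const char *text)
{
    /* O_NOFOLLOW makes a symlink at cache_dir fail with ELOOP instead of being
     * followed; O_DIRECTORY rejects anything that is not a real directory. */
    int dfd = open(cache_dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0)
        return -1;
    /* Create relative to the directory fd (no second path resolution), refuse
     * to follow a symlink named `name`, and refuse to reuse an existing entry. */
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    int err = errno;
    close(dfd);
    if (fd < 0)
        return err == EEXIST ? 1 : -1;
    /* Ownership changes on the open descriptor, never on a path string that a
     * planted symlink could point somewhere else between check and use. */
    ssize_t len = (ssize_t)strlen(text);
    int rc = (fchown(fd, uid, gid) == 0 && write(fd, text, len) == len) ? 0 : -1;
    close(fd);
    return rc;
}

/* Constructed scenario: a real cache directory and a symlink posing as one. */
int run_demo(void)
{
    char tmpl[] = "/tmp/motd-demo-XXXXXX", real[256], link[256];
    char *base = mkdtemp(tmpl);
    if (!base) return -1;
    snprintf(real, sizeof real, "%s/cache", base);
    snprintf(link, sizeof link, "%s/linkcache", base);
    if (mkdir(real, 0700) < 0 || symlink(real, link) < 0) return -1;
    uid_t u = geteuid(); gid_t g = getegid();
    int first = write_notice_safely(real, "motd.legal-notice", u, g, "shown\n");
    int again = write_notice_safely(real, "motd.legal-notice", u, g, "shown\n");
    int vialn = write_notice_safely(link, "motd.legal-notice", u, g, "shown\n");
    /* Expected: first == 0, again == 1 (exists), vialn == -1 (symlink refused). */
    return (first == 0 && again == 1 && vialn == -1) ? 0 : -1;
}

int main(void) { return run_demo() == 0 ? 0 : 1; }
```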

The security flaw poses a more serious risk for multi-user servers, and while local privilege escalation flaws are not particularly severe on their own, they can be exploited in conjunction with other vulnerabilities to compromise a system. For example, an attacker can use an exploit to gain a limited local shell remotely and then leverage this bug to get root access.

Exploitation of this PAM MOTD module vulnerability results in the user gaining read access to /etc/shadow, the file used to store user passwords on Linux systems. The passwords are stored in hashed form in this file, but they can be cracked with relative ease depending on the hashing algorithm used. For this reason, by default only the superuser (root) has access to this file.

In order to address this vulnerability, identified as CVE-2010-0832 in the Common Vulnerabilities and Exposures database, Ubuntu has released updates to the libpam-modules package. Users of Ubuntu 9.10 are advised to upgrade to libpam-modules 1.1.0-2ubuntu1.1, while 10.04 LTS users should update to libpam-modules 1.1.1-2ubuntu5. Denis Excoffier is credited with the discovery of the bug.

You can follow the editor on Twitter @lconstantin