lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20040111013838.F22809@dekadens.coredump.cx>
From: lcamtuf at ghettot.org (Michal Zalewski)
Subject: Fedora/RedHat ConsoleHelper Privileged Access
 Preserved

On Sat, 10 Jan 2004, Jonathan A. Zdziarski wrote:

> I noticed running Gnome 2.4 on Fedora that privileged access acquired
> via the console helper (and pam) is preserved after the user logs out
> and back in, for at least an adequate amount of time to log back in and
> retain root privileges.

This problem is inherent to the design of sudo-type credentials caching in
Red Hat's pam_timestamp_check. The observation you've made is not new,
IIRC, and there is some disagreement as to whether this should work this
way - personally, I would say it is a quite pointless and potentially
dangerous feature, but folks at Red Hat probably disagree.

The design is also flawed in many other ways, making it possible to
bypass tty name check (rendering part of the ticketing solution
ineffective and misleading), and providing a method to escalate trivial
file creation races into instant root exploits:

  http://cert.uni-stuttgart.de/archive/bugtraq/2003/07/msg00014.html

This was largely ignored by the maintainers, as far as I can tell.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2004-01-11 01:38 --

   http://lcamtuf.coredump.cx/photo/current/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ