In Apple OS X 10.10.4 and prior, the DYLD_PRINT_TO_FILE environment variable is used for redirecting logging data to a file instead of stderr. Due to a design error, this feature can be abused by a local attacker to write arbitrary files as root via restricted, SUID-root binaries.
Monthly Archives: July 2015
Qualys Security Advisory – userhelper / libuser
The libuser library implements a standardized interface for manipulating and administering user and group accounts, and is installed by default on Linux distributions derived from Red Hat’s codebase. During an internal code audit at Qualys, they discovered multiple libuser-related vulnerabilities that allow local users to perform denial-of-service and privilege-escalation attacks. As a proof of concept, they developed an unusual local root exploit against one of libuser’s applications. Both the advisory and exploit are included in this post.
Cyber Poltergeist Threat Discovered In Internet Of Stuff Hubs
Red Hat Security Advisory 2015-1488-01
Red Hat Security Advisory 2015-1488-01 – IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit.
Debian Security Advisory 3313-1
Debian Linux Security Advisory 3313-1 – Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation or denial of service.
Gentoo Linux Security Advisory 201507-22
Gentoo Linux Security Advisory 201507-22 – A heap-based buffer overflow in e2fsprogs could result in execution of arbitrary code. Versions less than 1.42.13 are affected.
Red Hat Security Advisory 2015-1482-01
Red Hat Security Advisory 2015-1482-01 – The libuser library implements a standardized interface for manipulating and administering user and group accounts. Sample applications that are modeled after applications from the shadow password suite are included in these packages. Two flaws were found in the way the libuser library handled the /etc/passwd file. A local attacker could use an application compiled against libuser to manipulate the /etc/passwd file, which could result in a denial of service or possibly allow the attacker to escalate their privileges to root.
Red Hat Security Advisory 2015-1483-01
Red Hat Security Advisory 2015-1483-01 – The libuser library implements a standardized interface for manipulating and administering user and group accounts. Sample applications that are modeled after applications from the shadow password suite are included in these packages. Two flaws were found in the way the libuser library handled the /etc/passwd file. A local attacker could use an application compiled against libuser to manipulate the /etc/passwd file, which could result in a denial of service or possibly allow the attacker to escalate their privileges to root.
Qualys Security Advisory – CVE-2015-3245 userhelper – CVE-2015-3246 libuser
Posted by Qualys Security Advisory on Jul 23
Hello, it is July 23, 2015, 17:00 UTC, the Coordinated Release Date for
CVE-2015-3245 and CVE-2015-3246. Please find our advisory below, and
our exploit attached.
Qualys Security Advisory
CVE-2015-3245 userhelper chfn() newline filtering
CVE-2015-3246 libuser passwd file handling
–[ Summary ]—————————————————————–
The libuser library implements a standardized interface for manipulating
and…
libuser vulnerabilities
Updated 2015-07-24 @ 12:33 UTC
It was discovered that the libuser library contains two vulnerabilities which, in combination, allow unprivileged local users to gain root privileges. libuser is a library that provides read and write access to files like /etc/passwd, which constitute the system user and group database. On Red Hat Enterprise Linux it is a central system component.
What is being disclosed today?
Qualys reported two vulnerabilities:
- CVE-2015-3245: The
userhelperprogram allows local users to add linefeeds in the middle of records to/etc/passwd, corrupting the file. - CVE-2015-3246:
libuseruses a non-standard way of updating/etc/passwdand related files. Its locking is incompatible with the rest of the system, and the files are rewritten in place, which means that the system may observe incorrect data.
It turns out that the CVE-2015-3246 vulnerability, by itself or in conjunction with CVE-2015-3245, can be exploited by an unprivileged local user to gain root privileges on an affected system. However, due to the way libuser works, only users who have accounts already listed in /etc/passwd can exploit this vulnerability, and the user needs to supply the account password as part of the attack. These requirements mean that exploitation by accounts listed only in LDAP (or some other NSS data source) or by system accounts without a valid password is not possible. Further analysis showed that the first vulnerability, CVE-2015-3245, is also due to a missing check in libuser. Qualys has disclosed full technical details in their security advisory posted to the oss-security mailing list.
Which system components are affected by these vulnerabilities?
libuser is a library, which means that in order to exploit it, a program which employs it must be used. Ideally, such a program has the following properties:
- It uses
libuser. - It is SUID-root.
- It allows putting almost arbitrary content into
/etc/passwd.
Without the third item, exploitation may still be possible, but it will be much more difficult. If the program is not SUID-root, a user will not have unlimited attempts to exploit the race condition. A survey of programs processing /etc/passwd and related files presents this picture:
passwdis SUID-root, but it uses PAM to change the password, which has custom code to modify/etc/passwdnot affected by the race condition. The account locking functionality inpasswddoes uselibuser, but it is restricted toroot.chshfromutil-linuxis SUID-root and useslibuserto change/etc/passwd(the latter depending on howutil-linuxwas compiled), but it has fairly strict filters controlling what users can put into these files.lpasswd,lchfn,lchshand related utilities fromlibuserare not SUID-root.userhelper(in theusermodepackage) andchfn(in the util-linux package) have all three qualifications:libuser-based, SUID-root, and lack of filters.
This is why userhelper and chfn are plausible targets for exploitation, and other programs such as passwd and chsh are not.
How can these vulnerabilities be addressed?
System administrators can apply updates from your operating system vendor. Details of affected Red Hat products and security advisories are available on the knowledge base article on the Red Hat Customer Portal. This security update will change libuser to apply additional checks to the values written to the user and group files (so that injecting newlines is no longer possible), and replaces the locking and file update code to follow the same procedures as the rest of the system. The first change is sufficient to prevent newline injection with userhelper as well, which means that only libuser needs to be updated. If software updates are not available or cannot be applied, it is possible to block access to the vulnerable functionality with a PAM configuration change. System administrators can edit the files /etc/pam.d/chfn and /etc/pam.d/chsh and block access to non-root users by using pam_warn (for logging) and pam_deny:
#%PAM-1.0 auth sufficient pam_rootok.so auth required pam_warn.so auth required pam_deny.so auth include system-auth account include system-auth password include system-auth session include system-auth
This will prevent users from changing their login shells and their GECOS field. userhelper identifies itself to PAM as “chfn”, which means this change is effective for this program as well.
Acknowledgements
Red Hat would like to thank Qualys for reporting these vulnerabilities.
Update (2015-07-24): Clarified that chfn is affected as well and linked to Qualys security advisory.
Product
Red Hat Enterprise Linux