
Re: security hole in PAM?



On Mon, May 08, 2000 at 03:28:23PM +0700, Umum Wijoyo wrote:
> Hello again...
> 
> I've noticed that Debian frozen/potato has already used the PAM security
> scheme...

it uses PAM as its authentication system, all the main authenticating
utilities, /bin/login /bin/su et al use PAM to authenticate the user.

> I also heard somewhere that PAM has a security hole? Using a so-called
> slam.sh script, some Red Hat distros have become vulnerable...
> Is this also a problem with the Debian distro?
> Should I, or should I not remove PAM?

you cannot remove pam, not without breaking/removing /bin/login
/bin/su and everything else ;-)  not what you want.

as to the security bug it was not in pam itself but rather in one
specific module, pam_console, the bug was really in a suid binary
that is a helper for pam_console, here are the basic details:

/usr/bin/consolehelper is a suid program, it accepts the argument of a
path to another utility say /bin/shutdown.  I don't remember the exact
details of how it does its checks, but what you could do was this:

compile a pam `module' with the following source:

[...]
system("/bin/sh");

then create a pam configuration file in /tmp calling that fake
module.  you then ran /usr/bin/consolehelper ../../../../../../../pamslam.conf

it would read the fake config file in /tmp and load the fake pam
module we created, executing /bin/sh -- as root -- blamo r00t shell!

console-helper allows the admin to define arbitrary binaries that can
be run as root based on custom authentication conf files in /etc/pam.d
the problem is these config files are specified as an argument to the
suid /usr/bin/consolehelper and it allowed you to specify bogus things
like ../../../../../../etc/pam.d/r00tshell.  AFAIK there is no other
standard program that allows this kind of manipulation.  (/bin/login
and /bin/su hard code their pam service name so you cannot ask it to
`be something else')

now the good news:  Debian does not use nor include this evil module
in potato ;-)  we are NOT vulnerable to that bug as we don't even have
the rootsh^H^H^H^H^H^Hconsolehelper

> (Some security scheme... if it only turns out that it itself is a weak
> spot)

that can happen, but in this case `pam' is not a monolithic system,
it's merely a set of modules and libraries, you can write creative
programs that use pam in creative ways but if you get too creative
like pam_console you get problems.  things like /bin/login and /bin/su
use pam in much more sane ways than console-helper does.

[note: i am not certain this is the vulnerability you are referring to
as you were not very specific, but the console-helper exploit was
called `pamslam']

> Thanks!
> 
> Urip Hudiono
> ------------------
> Bandung, Indonesia
> 
> PS: Thanks for all ur suggestions on my previous questions. Will try them
> out!

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
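The flaw Ethan describes is a suid helper that takes a PAM service name from its caller and lets "../../.." walk out of /etc/pam.d to an attacker-controlled config in /tmp. The following is an added example, written for this page and not taken from any consolehelper or Red Hat source, of the two checks such a helper needs: a lexical check that the argument is a bare service name (no slashes, no "." or ".."), and an ownership/permission check on the file that is finally opened. The /etc/pam.d location and the function names are assumptions; the sample arguments are constructed, and the traversal string is included only to show it being rejected.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed layout for this example; not taken from any real helper's source. */
#define PAM_DIR "/etc/pam.d"
#define MAX_SERVICE_LEN 64

/* A PAM service name is a bare file name under PAM_DIR: non-empty, bounded,
 * only [A-Za-z0-9._-], and never "." or "..". Rejecting '/' outright means
 * a caller can never splice "../../../tmp/..." into the path that a suid
 * program will later open. */
int valid_service_name(const char *name)
{
    size_t i, n;

    if (name == NULL)
        return 0;
    n = strlen(name);
    if (n == 0 || n > MAX_SERVICE_LEN)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.')
            return 0;
    }
    return 1;
}

/* Build "PAM_DIR/name" into out. Returns 1 on success, 0 if the name was
 * rejected or the buffer is too small. Only validated names reach snprintf,
 * so the result is always a direct child of PAM_DIR. */
int service_config_path(const char *name, char *out, size_t outlen)
{
    int written;

    if (!valid_service_name(name))
        return 0;
    written = snprintf(out, outlen, "%s/%s", PAM_DIR, name);
    if (written < 0 || (size_t)written >= outlen)
        return 0;
    return 1;
}

/* Second line of defence: even a correctly located config file is trusted
 * only if it is a regular file owned by root that nobody else can write.
 * Returns 1 if trusted, 0 otherwise (including when stat fails). */
int trusted_config_file(const char *path)
{
    struct stat st;

    if (stat(path, &st) != 0)
        return 0;
    if (!S_ISREG(st.st_mode))
        return 0;
    if (st.st_uid != 0)
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample arguments; the traversal string mirrors the one
     * described in the thread and is shown only being rejected. */
    const char *samples[] = {
        "shutdown",
        "halt",
        "../../../../../../../pamslam.conf",
        "/tmp/pamslam.conf",
        "",
    };
    char path[256];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (service_config_path(samples[i], path, sizeof path))
            printf("accept %-36s -> %s (trusted=%d)\n", samples[i], path,
                   trusted_config_file(path));
        else
            printf("reject %s\n", samples[i]);
    }
    return 0;
}
```

The lexical check alone already closes the hole described above, because the attacker's config can never be addressed from a name that contains no '/'. The stat check is the belt-and-braces step that also catches a writable or non-root-owned file that somehow landed inside /etc/pam.d itself; a helper that runs as root should refuse to act on either.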