-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		 NetBSD Security Advisory 2011-008
		 =================================

Topic:		OpenPAM privilege escalation


Version:	NetBSD-current:		affected prior to 20111109
		NetBSD 5.1:		affected prior to 20111119
		NetBSD 5.0:		affected prior to 20111119
		NetBSD 4.0.*:		affected prior to 20111119
		NetBSD 4.0:		affected prior to 20111119
		pkgsrc:			security/openpam package prior to
					20111213


Severity:	Privilege escalation


Fixed:		NetBSD-current:		Nov 9th, 2011
		NetBSD-5-1 branch:	Nov 19th, 2011
		NetBSD-5-0 branch:	Nov 19th, 2011
		NetBSD-5 branch:	Nov 19th, 2011
		NetBSD-4-0 branch:	Nov 19th, 2011
		NetBSD-4 branch:	Nov 19th, 2011
		pkgsrc security/openpam: openpam-20071221nb1

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

The pam_start() function of OpenPAM doesn't check the "service"
argument. With a relative path it can be tricked into reading
a config file from an arbitrary location.
NetBSD base utilities pass fixed constant strings. 3rd party
programs which run with elevated privileges and allow user chosen
strings open an attack vector.

This vulnerability has been assigned CVE-2011-4122.


Technical Details
=================

Known 3rd party programs which allow user chosen PAM service names are:
 - "kcheckpass" from KDE3/4 (installed as SUID per default)
 - The "pam_auth" helper of "squid" (not SUID per default, but might
   be by administrator's choice)
 - "saslauthd" from cyrus-sasl, if built with PAM support, is
   suspected to accept a PAM service name through its communication
   socket (not verified in detail; pkgsrc/security/cyrus-saslauthd
   does not support PAM)

Also see the initial post about the problem:
http://c-skills.blogspot.com/2011/11/openpam-trickery.html
An exploit which uses KDE's "kcheckpass" is here:
http://stealth.openwall.net/xSports/pamslam


Solutions and Workarounds
=========================

Workaround: Install a version of the 3rd party software with a fix for
the issue. Fixed versions in pkgsrc are:

kdebase-3.5.10nb16
kdebase-workspace4-4.5.5nb4
squid-2.7.9nb2
squid-3.1.16nb1

See the pkg-vulnerabilities file for more details.

Fix: Update NetBSD's libpam to one of the versions listed above.

* NetBSD-current:

	The following directories need to be updated from the netbsd
	CVS tree:
		dist/openpam/lib

	To update from CVS, re-build, and re-install libpam:

		# cd src
		# cvs update -d -P dist/openpam/lib
		# cd lib/libpam/modules/pam_deny
		# make USETOOLS=no cleandir libpam_deny.a
		# cd ../pam_echo
		# make USETOOLS=no cleandir libpam_echo.a
		# cd ../pam_exec
		# make USETOOLS=no cleandir libpam_exec.a
		# cd ../pam_ftpusers
		# make USETOOLS=no cleandir libpam_ftpusers.a
		# cd ../pam_group
		# make USETOOLS=no cleandir libpam_group.a
		# cd ../pam_guest
		# make USETOOLS=no cleandir libpam_guest.a
		# cd ../pam_lastlog
		# make USETOOLS=no cleandir libpam_lastlog.a
		# cd ../pam_login_access
		# make USETOOLS=no cleandir libpam_login_access.a
		# cd ../pam_nologin
		# make USETOOLS=no cleandir libpam_nologin.a
		# cd ../pam_permit
		# make USETOOLS=no cleandir libpam_permit.a
		# cd ../pam_radius
		# make USETOOLS=no cleandir libpam_radius.a
		# cd ../pam_rhosts
		# make USETOOLS=no cleandir libpam_rhosts.a
		# cd ../pam_rootok
		# make USETOOLS=no cleandir libpam_rootok.a
		# cd ../pam_securetty
		# make USETOOLS=no cleandir libpam_securetty.a
		# cd ../pam_self
		# make USETOOLS=no cleandir libpam_self.a
		# cd ../pam_unix
		# make USETOOLS=no cleandir libpam_unix.a
		# cd ../pam_afslog
		# make USETOOLS=no cleandir libpam_afslog.a
		# cd ../pam_krb5
		# make USETOOLS=no cleandir libpam_krb5.a
		# cd ../pam_ksu
		# make USETOOLS=no cleandir libpam_ksu.a
		# cd ../pam_skey
		# make USETOOLS=no cleandir libpam_skey.a
		# cd ../pam_ssh
		# make USETOOLS=no cleandir libpam_ssh.a
		# cd ../../libpam
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

* NetBSD release versions (4.*, 5.*):

	The following directories need to be updated from the
	netbsd-4, netbsd-4-0, netbsd-5, netbsd-5-0 or
	netbsd-5-1 CVS branch:
		dist/openpam/lib

	To update from CVS, re-build, and re-install libpam:

		# cd src
		# cvs update -d -P -r <branch_name> dist/openpam/lib
		# cd lib/libpam/modules/pam_deny
		# make USETOOLS=no cleandir libpam_deny.a
		# cd ../pam_echo
		# make USETOOLS=no cleandir libpam_echo.a
		# cd ../pam_exec
		# make USETOOLS=no cleandir libpam_exec.a
		# cd ../pam_ftpusers
		# make USETOOLS=no cleandir libpam_ftpusers.a
		# cd ../pam_group
		# make USETOOLS=no cleandir libpam_group.a
		# cd ../pam_guest
		# make USETOOLS=no cleandir libpam_guest.a
		# cd ../pam_lastlog
		# make USETOOLS=no cleandir libpam_lastlog.a
		# cd ../pam_login_access
		# make USETOOLS=no cleandir libpam_login_access.a
		# cd ../pam_nologin
		# make USETOOLS=no cleandir libpam_nologin.a
		# cd ../pam_permit
		# make USETOOLS=no cleandir libpam_permit.a
		# cd ../pam_radius
		# make USETOOLS=no cleandir libpam_radius.a
		# cd ../pam_rhosts
		# make USETOOLS=no cleandir libpam_rhosts.a
		# cd ../pam_rootok
		# make USETOOLS=no cleandir libpam_rootok.a
		# cd ../pam_securetty
		# make USETOOLS=no cleandir libpam_securetty.a
		# cd ../pam_self
		# make USETOOLS=no cleandir libpam_self.a
		# cd ../pam_unix
		# make USETOOLS=no cleandir libpam_unix.a
		# cd ../pam_afslog
		# make USETOOLS=no cleandir libpam_afslog.a
		# cd ../pam_krb5
		# make USETOOLS=no cleandir libpam_krb5.a
		# cd ../pam_ksu
		# make USETOOLS=no cleandir libpam_ksu.a
		# cd ../pam_skey
		# make USETOOLS=no cleandir libpam_skey.a
		# cd ../pam_ssh
		# make USETOOLS=no cleandir libpam_ssh.a
		# cd ../../libpam
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


Thanks To
=========

Thanks to "Icke" for reporting the issue.


Revision History
================

	2011-12-15	Initial release
	2011-12-19	Updated build instructions and
			clarifications


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2011-008.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .

Copyright 2011, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2011-008.txt,v 1.2 2011/12/18 23:26:46 tonnerre Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (NetBSD)

iQIcBAEBAgAGBQJO7nbDAAoJEAZJc6xMSnBuO4sP/25B9q0R0vkftIZoLzV/cHMI
LM6m9orSZ2yQHAGli8LpiuX6rI8gyOu0cuFKiUVNb1gX9kPesyyJjvPPaAZ+p+G/
4R9bZccl2hJuyyg/Sa38zApgb5Hn+16mySWOtM8kX4NNDC0d0V70HxmjKKLO7m9N
XEUP+2SX2N4XpO3wA6yzjfIy+Np3hwvEGM/LI5KEz29NrdsPHiOEiS5OPEPCmQu2
b9QToENap4xXcX4FU5Z5kKmt3G+ZZgj97+Bkq6GO4mPLTKiWjw69ThDMfVaHml15
FXsvuyYBmIQoCcLEaME6AZcwcbbfJ1FJX08tsm0pOX/qg3dTDUC2hEmHAKNiU7Sl
61MiYHKbC0dfkWJxbtpoM+Dq9QCjqprdblXtst4sP9VboZioXw3BbiLUCZ2JMhyt
pevBO1cVCjJFyicTYDkhfOufTjt9as++jbj8Qi6l+556XUA0HmSMPLDUXYw4YDfc
echwpDEvp2VtnmMlxsDyxLq7Y4VDYRdIu5cOQllbs2ZkgjxW7cE0W9vxtT2jY/uY
nVqA9t6GoSezndSldLuQm5SkPThfFuYp1RpDeLXcEG9wnk+PXiKUgKtWRuId8yJY
v5ODco5Ym3g3Nn1jFX9zrNfxafyDPz2TX+Uh9/djzZZGibAzusAfN18MM/Ar03eQ
ovw682nR0YvL/cpzR7y6
=kcvR
-----END PGP SIGNATURE-----