ESB-2002.041 -- FreeBSD-SA-02:07.k5su -- Kerberos 5 su command uses getlogin for authorization

Date: 21 January 2002

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                   ESB-2002.041 -- FreeBSD-SA-02:07.k5su
           Kerberos 5 su command uses getlogin for authorization
                              21 January 2002

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                k5su (Kerberos 5 su command)
Vendor:                 FreeBSD
Operating System:       FreeBSD 4.4-RELEASE
                        FreeBSD 4.4-STABLE prior to 2002-01-15
                        Ports collection prior to 2002-10-31
Impact:                 Root Compromise
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-02:07                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          Kerberos 5 su command uses getlogin for authorization

Category:       krb5, ports
Module:         crypto/heimdal/appl/su, heimdal
Announced:      2002-01-18
Credits:        Aaron <lumpy@musicvision.com>
Affects:        FreeBSD 4.4-RELEASE
                FreeBSD 4.4-STABLE prior to the correction date
                Ports collection prior to the correction date
Corrected:      2002-01-15 21:52:48 UTC (RELENG_4)
                2002-01-17 15:45:05 UTC (RELENG_4_4)
                2002-10-31 19:58:05 UTC (heimdal port)
FreeBSD only:   NO

I.   Background

The getlogin and setlogin system calls are used to manage the user
name associated with a login session.

k5su is a Kerberos 5-enabled su program.  Like su, it allows
authorized users to `switch user' in order to obtain additional
privileges.

II.  Problem Description

The setlogin system call, the use of which is restricted to the
superuser, is used to associate a user name with a login session.  The
getlogin system call is used to retrieve that user name.  The setlogin
system call is typically used by applications such as login and sshd.

The k5su command included with FreeBSD, versions prior to 4.5-RELEASE,
and the su command included in the heimdal port, versions prior to
heimdal-0.4e_2, use the getlogin system call in order to determine
whether the currently logged-in user is `root'.  In some
circumstances, it is possible for a non-privileged process to have
`root' as the login name returned by getlogin.

The `k5su' command may be installed as part of FreeBSD when Kerberos 5
support is requested, or it may be installed from the FreeBSD Ports
Collection (ports/security/heimdal), in which case it is installed
simply as `su'.

The Heimdal port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 6000 third-party applications in a ready-to-install
format. The ports collection shipped with FreeBSD 4.4 contains this
problem since it was discovered after the release.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

In some circumstances, processes that have been started by root but have
given up superuser privileges may be able to invoke `k5su' to regain
superuser privileges.
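The flaw in sections II and III comes down to which attribute a privileged program consults before granting root. The following is an added example written for this bulletin, not code from the FreeBSD advisory or from Heimdal's su.c: it places the getlogin()-style check next to a check on the real user ID, and evaluates both on a constructed (login name, UID) pair of the kind section III describes. The function names and the sample values are assumptions of this example.

```c
/* Added example (not from the FreeBSD advisory or Heimdal's su.c):
 * a login-name-based root check versus a real-UID-based one. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Pattern the advisory warns about: decide "is root" from the session
 * login name.  The login name is an accounting label set by login(1) or
 * sshd via setlogin(2); a process that later drops privileges keeps it,
 * so it says nothing about the caller's current credentials. */
int is_root_by_login(const char *login)
{
    return login != NULL && strcmp(login, "root") == 0;
}

/* Corrected pattern: decide "is root" from the real UID, which is changed
 * by setuid(2) when privileges are dropped and is enforced by the kernel. */
int is_root_by_uid(uid_t ruid)
{
    return ruid == 0;
}

/* 1 when the two checks disagree for a (login, uid) pair, i.e. when a
 * getlogin()-based check would grant what the UID check denies. */
int checks_disagree(const char *login, uid_t ruid)
{
    return is_root_by_login(login) != is_root_by_uid(ruid);
}

/* Evaluate the running process both ways.  getlogin() may return NULL
 * for a process with no login session; that counts as "not root". */
int live_root_by_login(void) { return is_root_by_login(getlogin()); }
int live_root_by_uid(void)   { return is_root_by_uid(getuid()); }

int main(void)
{
    /* Constructed scenario from section III: a process started by root
     * that switched to an unprivileged UID but still carries login "root". */
    const char *login = "root";
    uid_t ruid = 1001;   /* assumed unprivileged UID */

    printf("login=%s uid=%u: by-login=%d by-uid=%d disagree=%d\n",
           login, (unsigned)ruid,
           is_root_by_login(login), is_root_by_uid(ruid),
           checks_disagree(login, ruid));
    printf("this process: by-login=%d by-uid=%d\n",
           live_root_by_login(), live_root_by_uid());
    return 0;
}
```

The constructed pair makes the two checks disagree: the login name says root, the real UID says otherwise, and only the UID reflects what the kernel will actually enforce. The same comparison generalizes to any authorization decision keyed on a session label rather than on credentials.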

IV.  Workaround

Commands to be executed as root are signified by lines starting with
the `#' character.

[Kerberos 5 in the base system]

Remove the set-user-ID bit from the `k5su' executable by running the
following command as root:

# chmod u-s /usr/bin/k5su

[Heimdal port]

Remove the set-user-ID bit from the `su' executable by running the
following command as root:

# chmod u-s /usr/local/bin/su
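After running the two chmod commands above, an administrator will want to confirm that the bit is really gone on every host. The following is an added example, not part of the advisory: it reads the mode bits with stat(2) for the two paths the workaround names and reports whether the set-user-ID bit is still present, treating an absent file as "nothing installed". The function names and the temporary-file self-check are assumptions of this example.

```c
/* Added example (not from the advisory): verify that the set-user-ID bit
 * the workaround removes is actually clear, using stat(2) rather than
 * relying on a remembered chmod. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* 1 if path carries S_ISUID, 0 if not, -1 if it cannot be stat'ed. */
int has_setuid_bit(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

/* 1 if the workaround is in effect for path: either the file does not
 * exist (that Kerberos flavour is not installed) or it exists without
 * S_ISUID.  Any other stat failure returns 0 so it gets looked at. */
int workaround_applied(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return errno == ENOENT;
    return (st.st_mode & S_ISUID) == 0;
}

/* Self-check on a constructed temporary file: set the bit, confirm it is
 * detected, clear it as `chmod u-s` would, confirm it is reported clear.
 * Returns 1 when every step behaved as expected. */
int demo_on_temp_file(void)
{
    char path[] = "/tmp/k5su-demo-XXXXXX";   /* constructed, not a real target */
    int fd = mkstemp(path);
    int ok = 1;
    if (fd < 0)
        return 0;
    close(fd);
    if (chmod(path, S_IRUSR | S_IWUSR | S_IXUSR | S_ISUID) != 0) ok = 0;
    if (ok && has_setuid_bit(path) != 1) ok = 0;          /* bit must be seen */
    if (ok && workaround_applied(path) != 0) ok = 0;
    if (ok && chmod(path, S_IRUSR | S_IWUSR | S_IXUSR) != 0) ok = 0; /* chmod u-s */
    if (ok && has_setuid_bit(path) != 0) ok = 0;          /* bit must be gone */
    if (ok && workaround_applied(path) != 1) ok = 0;
    unlink(path);
    return ok;
}

int main(void)
{
    /* The two paths named in section IV of the advisory. */
    const char *targets[] = { "/usr/bin/k5su", "/usr/local/bin/su" };
    for (size_t i = 0; i < 2; i++) {
        int r = has_setuid_bit(targets[i]);
        printf("%-20s %s\n", targets[i],
               r < 0 ? "not installed"
                     : r ? "STILL set-user-ID" : "ok (no set-user-ID bit)");
    }
    printf("temp-file self-check: %s\n",
           demo_on_temp_file() ? "passed" : "failed");
    return 0;
}
```

Run it as any user; stat(2) does not need privilege to read mode bits. A reported "not installed" for /usr/bin/k5su matches the note in section V that no action is needed when the file is absent.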

V.   Solution

[Kerberos 5 in the base system]

NOTE: If the file /usr/bin/k5su does not exist on your system,
Kerberos 5 is not installed and you do not need to take any action.

Do one of the following:

1) Upgrade your system to 4.4-STABLE or the RELENG_4_4 security
branch, dated after the respective correction dates.

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 4.4-RELEASE
and 4.4-STABLE dated prior to the correction date.  It may or may not
apply to older, unsupported versions of FreeBSD.

Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-02:07/k5su.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-02:07/k5su.patch.asc

Execute the following commands as root:

# cd /usr/src
# patch < /path/to/k5su.patch
# cd /usr/src/kerberos5/lib
# env MAKE_KERBEROS5=yes make depend
# env MAKE_KERBEROS5=yes make all install
# cd /usr/src/kerberos5/usr.bin/k5su
# env MAKE_KERBEROS5=yes make depend
# env MAKE_KERBEROS5=yes make all install

[Heimdal port]

Do one of the following:

1) Upgrade your entire ports collection and rebuild the port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from the following directories:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/heimdal-0.4e_2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/heimdal-0.4e_2.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

3) Download a new port skeleton for the heimdal port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in the FreeBSD ports collection.

[Kerberos 5 in the base system]

Path                                                             Revision
  Branch
- - -------------------------------------------------------------------------
src/crypto/heimdal/appl/su/su.c
  HEAD                                                            1.1.1.4
  RELENG_4                                                    1.1.1.1.2.2
  RELENG_4_4                                              1.1.1.1.2.1.4.1
  RELENG_4_3                                              1.1.1.1.2.1.2.1
- - -------------------------------------------------------------------------

[Heimdal port]

Path                                                             Revision
- - -------------------------------------------------------------------------
ports/security/heimdal/Makefile                                      1.46
ports/security/heimdal/patch-appl::su::su.c                           1.1
- - -------------------------------------------------------------------------
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBPEgo31UuHi5z0oilAQGegQP/U3IsWQ75B/VqWU7/V5i4O9yDfQBzj/jZ
iZXXvzMQVHZmgMnBo015UCZGqKci4fXw4+TY1YNcqdLln43hJg3TizJuhLFUOwge
e8JN52w9gMknKDmpTTJAsW94FwOy/YwTn36Xlxzd4juiRlLm4F0Jmz37gCnfG7vB
WSvAJjOX77I=
=+CLY
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBPEwwrCh9+71yA2DNAQFUGwP/TGyFv0b8QMltbjazULCYUuCba6SKq7Ay
+CD6NGcy6yky3HkukqDRokTiZFrGCml/WEf+ooBjpj9l9NzcDjul41Pbs6V8MHwR
OUpoITSY8lb/7DUtCROL3VtVIFJDAMJmcclsAGMgKdrq8pGtZu1JE7TAgcDI8JGv
Ru7CZn9ugng=
=ssHs
-----END PGP SIGNATURE-----