ID CVE-2009-0360
Summary Russ Allbery pam-krb5 before 3.13, when linked against MIT Kerberos, does not properly initialize the Kerberos libraries for setuid use, which allows local users to gain privileges by pointing an environment variable to a modified Kerberos configuration file, and then launching a PAM-based setuid application.
References
Vulnerable Configurations
  • cpe:2.3:a:eyrie:pam-krb5:2.0
  • cpe:2.3:a:eyrie:pam-krb5:2.1
  • cpe:2.3:a:eyrie:pam-krb5:2.2
  • cpe:2.3:a:eyrie:pam-krb5:2.3
  • cpe:2.3:a:eyrie:pam-krb5:2.4
  • cpe:2.3:a:eyrie:pam-krb5:2.5
  • cpe:2.3:a:eyrie:pam-krb5:2.6
  • cpe:2.3:a:eyrie:pam-krb5:3.0
  • cpe:2.3:a:eyrie:pam-krb5:3.1
  • cpe:2.3:a:eyrie:pam-krb5:3.2
  • cpe:2.3:a:eyrie:pam-krb5:3.3
  • cpe:2.3:a:eyrie:pam-krb5:3.4
  • cpe:2.3:a:eyrie:pam-krb5:3.5
  • cpe:2.3:a:eyrie:pam-krb5:3.6
  • cpe:2.3:a:eyrie:pam-krb5:3.7
  • cpe:2.3:a:eyrie:pam-krb5:3.8
  • cpe:2.3:a:eyrie:pam-krb5:3.9
  • cpe:2.3:a:eyrie:pam-krb5:3.10
  • cpe:2.3:a:eyrie:pam-krb5:3.11
  • cpe:2.3:a:eyrie:pam-krb5:3.12
CVSS
Base: 6.2 (as of 13-02-2009 - 13:21)
Impact:
Exploitability:
CWE CWE-287
CAPEC
  • Authentication Abuse
    An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker. This attack may exploit assumptions made by the target's authentication procedures, such as assumptions regarding trust relationships or assumptions regarding the generation of secret values. This attack differs from Authentication Bypass attacks in that Authentication Abuse allows the attacker to be certified as a valid user through illegitimate means, while Authentication Bypass allows the user to access protected material without ever being certified as an authenticated user. This attack does not rely on prior sessions established by successfully authenticating users, as relied upon for the "Exploitation of Session Variables, Resource IDs and other Trusted Credentials" attack patterns.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a program's vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, in what the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible while the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Utilizing REST's Trust in the System Resource to Register Man in the Middle
    This attack utilizes a REST (REpresentational State Transfer)-style application's trust in the system resources and environment to place a man in the middle once SSL is terminated. The premise of REST applications is that they leverage existing infrastructure to deliver web services functionality. An example of this is a REST application that uses HTTP GET methods and receives an HTTP response with an XML document. These REST-style web services are deployed on existing infrastructure such as Apache and IIS web servers with no SOAP stack required. Unfortunately, from a security standpoint there frequently is no interoperable identity security mechanism deployed, so REST developers often fall back to SSL to deliver security. In large data centers, SSL is typically terminated at the edge of the network - at the firewall, load balancer, or router. Once the SSL is terminated the HTTP request is in the clear (unless developers have hashed or encrypted the values, but this is rare). The attacker can utilize a sniffer such as Wireshark to capture the credentials, such as username and password, that are passed in the clear once SSL is terminated. Once the attacker gathers these credentials, they can submit requests to the web service provider just as authorized users do. There is typically no authentication on the client side beyond what is passed in the request itself, so once this is compromised it is generally sufficient to compromise the service's authentication scheme.
  • Man in the Middle Attack
    This type of attack targets the communication between two components (typically client and server). The attacker places himself in the communication channel between the two components. Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first goes to the attacker, who has the opportunity to observe or alter it, and it is then passed on to the other component as if it was never intercepted. This interposition is transparent, leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for Man-in-the-Middle attacks yields an implicit lack of trust in communication or identity between two components.
Access
Vector: LOCAL
Complexity: HIGH
Authentication: NONE
Impact
Confidentiality: COMPLETE
Integrity: COMPLETE
Availability: COMPLETE
exploit-db via4
description pam-krb5 < 3.13 Local Privilege Escalation Exploit. CVE-2009-0360. Local exploit for linux platform
id EDB-ID:8303
last seen 2016-02-01
modified 2009-03-29
published 2009-03-29
reporter Jon Oberheide
source https://www.exploit-db.com/download/8303/
title pam-krb5 < 3.13 - Local Privilege Escalation Exploit
nessus via4
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS9_X86_115168.NASL
    description SunOS 5.9_x86: krb5, gss patch. Date this patch was last updated by Sun : Sep/14/10
    last seen 2018-09-01
    modified 2016-12-09
    plugin id 13620
    published 2004-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13620
    title Solaris 9 (x86) : 115168-24
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS9_112908.NASL
    description SunOS 5.9: krb5, gss patch. Date this patch was last updated by Sun : Sep/14/10
    last seen 2018-09-01
    modified 2016-12-09
    plugin id 13520
    published 2004-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13520
    title Solaris 9 (sparc) : 112908-38
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_X86_138372.NASL
    description SunOS 5.10_x86: mech_krb5.so.1 patch. Date this patch was last updated by Sun : Mar/24/09
    last seen 2018-09-01
    modified 2018-08-13
    plugin id 35208
    published 2008-12-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35208
    title Solaris 10 (x86) : 138372-06
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-719-1.NASL
    description It was discovered that pam_krb5 parsed environment variables when run with setuid applications. A local attacker could exploit this flaw to bypass authentication checks and gain root privileges. (CVE-2009-0360) Derek Chan discovered that pam_krb5 incorrectly handled refreshing existing credentials when used with setuid applications. A local attacker could exploit this to create or overwrite arbitrary files, and possibly gain root privileges. (CVE-2009-0361). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 36218
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=36218
    title Ubuntu 8.04 LTS / 8.10 : libpam-krb5 vulnerabilities (USN-719-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1721.NASL
    description Several local vulnerabilities have been discovered in the PAM module for MIT Kerberos. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2009-0360 Russ Allbery discovered that the Kerberos PAM module parsed configuration settings from environment variables when run from a setuid context. This could lead to local privilege escalation if an attacker points a setuid program using PAM authentication to a Kerberos setup under her control. - CVE-2009-0361 Derek Chan discovered that the Kerberos PAM module allows reinitialisation of user credentials when run from a setuid context, resulting in potential local denial of service by overwriting the credential cache file or to privilege escalation.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 35662
    published 2009-02-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35662
    title Debian DSA-1721-1 : libpam-krb5 - several vulnerabilities
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_138371.NASL
    description SunOS 5.10: mech_krb5.so.1 patch. Date this patch was last updated by Sun : Mar/24/09
    last seen 2018-09-01
    modified 2018-08-13
    plugin id 35197
    published 2008-12-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35197
    title Solaris 10 (sparc) : 138371-06
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200903-39.NASL
    description The remote host is affected by the vulnerability described in GLSA-200903-39 (pam_krb5: Privilege escalation) The following vulnerabilities were discovered: pam_krb5 does not properly initialize the Kerberos libraries for setuid use (CVE-2009-0360). Derek Chan reported that calls to pam_setcred() are not properly handled when running setuid (CVE-2009-0361). Impact : A local attacker could set an environment variable to point to a specially crafted Kerberos configuration file and launch a PAM-based setuid application to elevate privileges, or change ownership and overwrite arbitrary files. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 36027
    published 2009-03-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=36027
    title GLSA-200903-39 : pam_krb5: Privilege escalation
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1722.NASL
    description Derek Chan discovered that the PAM module for the Heimdal Kerberos implementation allows reinitialisation of user credentials when run from a setuid context, resulting in potential local denial of service by overwriting the credential cache file or to local privilege escalation.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 35663
    published 2009-02-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35663
    title Debian DSA-1722-1 : libpam-heimdal - programming error
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201412-08.NASL
    description The remote host is affected by the vulnerability described in GLSA-201412-08 (Multiple packages, Multiple vulnerabilities fixed in 2010) Vulnerabilities have been discovered in the packages listed below. Please review the CVE identifiers in the Reference section for details. Insight Perl Tk Module Source-Navigator Tk Partimage Mlmmj acl Xinit gzip ncompress liblzw splashutils GNU M4 KDE Display Manager GTK+ KGet dvipng Beanstalk Policy Mount pam_krb5 GNU gv LFTP Uzbl Slim Bitdefender Console iputils DVBStreamer Impact : A context-dependent attacker may be able to gain escalated privileges, execute arbitrary code, cause Denial of Service, obtain sensitive information, or otherwise bypass security restrictions. Workaround : There are no known workarounds at this time.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 79961
    published 2014-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79961
    title GLSA-201412-08 : Multiple packages, Multiple vulnerabilities fixed in 2010
oval via4
  • accepted 2015-04-20T04:02:26.843-04:00
    class vulnerability
    contributors
    • name Pai Peng
      organization Hewlett-Packard
    • name Sushant Kumar Singh
      organization Hewlett-Packard
    • name Sushant Kumar Singh
      organization Hewlett-Packard
    • name Prashant Kumar
      organization Hewlett-Packard
    • name Mike Cokus
      organization The MITRE Corporation
    description Russ Allbery pam-krb5 before 3.13, when linked against MIT Kerberos, does not properly initialize the Kerberos libraries for setuid use, which allows local users to gain privileges by pointing an environment variable to a modified Kerberos configuration file, and then launching a PAM-based setuid application.
    family unix
    id oval:org.mitre.oval:def:5669
    status accepted
    submitted 2009-04-07T11:48:37.000-04:00
    title HP-UX Running PAM Kerberos, Local Privilege Escalation, Unauthorized Access
    version 41
  • accepted 2009-05-11T04:00:21.367-04:00
    class vulnerability
    contributors
    name Pai Peng
    organization Hewlett-Packard
    definition_extensions
    • comment Solaris 8 (SPARC) is installed
      oval oval:org.mitre.oval:def:1539
    • comment Solaris 9 (SPARC) is installed
      oval oval:org.mitre.oval:def:1457
    • comment Solaris 10 (SPARC) is installed
      oval oval:org.mitre.oval:def:1440
    • comment Solaris 8 (x86) is installed
      oval oval:org.mitre.oval:def:2059
    • comment Solaris 9 (x86) is installed
      oval oval:org.mitre.oval:def:1683
    • comment Solaris 10 (x86) is installed
      oval oval:org.mitre.oval:def:1926
    description Russ Allbery pam-krb5 before 3.13, when linked against MIT Kerberos, does not properly initialize the Kerberos libraries for setuid use, which allows local users to gain privileges by pointing an environment variable to a modified Kerberos configuration file, and then launching a PAM-based setuid application.
    family unix
    id oval:org.mitre.oval:def:5732
    status accepted
    submitted 2009-03-27T14:00:00.000-04:00
    title A Security Vulnerability in the Solaris Kerberos PAM Module May Allow Use of a User Specified Kerberos Configuration File, Leading to Escalation of Privileges
    version 31
refmap via4
bid 33740
bugtraq 20090211 pam-krb5 security advisory (3.12 and earlier)
confirm http://support.avaya.com/elmodocs2/security/ASA-2009-070.htm
debian DSA-1721
gentoo GLSA-200903-39
misc http://www.eyrie.org/~eagle/software/pam-krb5/security/2009-02-11.html
sectrack 1021711
secunia
  • 33914
  • 33917
  • 34260
  • 34449
sunalert 252767
ubuntu USN-719-1
vupen
  • ADV-2009-0410
  • ADV-2009-0426
  • ADV-2009-0979
statements via4
contributor Joshua Bressers
lastmodified 2009-02-13
organization Red Hat
statement Not vulnerable. This issue did not affect the versions of the pam_krb5 package, as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.
Last major update 07-03-2011 - 22:18
Published 13-02-2009 - 12:30
Last modified 11-10-2018 - 17:01