on CVE-2010-3435
70 packages can be updated. 35 updates are security updates.
/etc/motd.tail had gained these lines too. The fix (rm -f /etc/motd.tail) was simple enough.
However, in the course of this investigation I noticed that /etc/update-motd.d is basically a bunch of shell scripts that get run.
Remembering that being able to inject some environment variables was always a great way to break out of ‘restricted’ shells written in (ba)sh, I set out to look at ways of influencing the environment these scripts would be run in. .ssh/environment, .pam_environment and OpenSSH’s SendEnv all turned out to be smart enough to only do their work after update-motd was done, sadly. I was out of ideas.
The code of pam_env.so did tell me another interesting thing –
~/.pam_environment is opened and read as root, without any
dropping of privileges. This suggested that symlinking it to some unreadable
file (of the right format, i.e. consisting of VAR=value lines)
would compromise the data in that file.
A proof of concept was simple enough (newline inserted because my blog layout is too narrow):

    root@vps6001:~# cat /etc/env2
    ENV2=bla
    ...
    peter@vps6001:~$ ls -al .pam_environment
    lrwxrwxrwx 1 peter peter 9 May 12 22:13 .pam_environment -> /etc/env2
    peter@vps6001:~$ ls -al /etc/env2
    ---------- 1 root root 9 May 12 22:13 /etc/env2
    peter@vps6001:~$ set | grep -i env
    ENV2=bla
/etc/mysql/debian.cnf, but that one has whitespace around the = characters.
Effective targets for this trick do exist. DirectAdmin (a commercial control
panel) stores MySQL login information in a suitable file, and many daemons
that support LDAP expect a password stored in a similar way. Also,
base64-encoded files (like SSL and ssh keys) that happen to need padding such
that they end in == expose their last line this way. I don’t know
what the mathematical implications of having the last few bits of a private
key are, but it can’t be good.
Some internet searching turned up that this issue had previously been discovered by other people.
Ubuntu 10.04 and Debian 6 are still vulnerable to this issue. Debian has a report on file but has not acted on it yet. Ubuntu doesn’t seem to know at all.
I emailed security@ for both distributions; Debian responded within minutes, pointing me to the report they already had. I’m waiting for a response from Ubuntu.
Workaround: add user_readenv=0 to /etc/pam.d.
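As an added example (not code from the original post), here is a small audit script from the defender's side: it lists pam_env.so lines under /etc/pam.d that still lack the user_readenv=0 workaround, and reports any ~/.pam_environment that is a symlink resolving outside the user's own home directory, the shape the proof of concept above relies on. The PAM fragment it ships with is constructed; the /etc/pam.d and /home/* paths are the usual Debian/Ubuntu locations, assumed here.

```python
import glob
import os

# Constructed sample of a PAM service file (not from any real host).
SAMPLE_PAM_SERVICE = """\
# constructed /etc/pam.d/sshd fragment
session    required     pam_env.so
session    required     pam_env.so envfile=/etc/default/locale user_readenv=0
session    optional     pam_motd.so
"""


def pam_env_lines_without_workaround(text):
    """Active pam_env.so lines that still lack user_readenv=0."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if "pam_env.so" in fields and "user_readenv=0" not in fields:
            hits.append(" ".join(fields))
    return hits


def pam_environment_symlink_outside_home(home):
    """'link -> target' if ~/.pam_environment is a symlink resolving outside home, else None."""
    link = os.path.join(home, ".pam_environment")
    if not os.path.islink(link):
        return None
    target, home_real = os.path.realpath(link), os.path.realpath(home)
    if os.path.commonpath([home_real, target]) != home_real:
        return f"{link} -> {target}"
    return None


def audit(pamd_dir="/etc/pam.d", homes_glob="/home/*"):
    """Scan a host: returns (pam_env lines missing the workaround, suspicious links)."""
    pam_hits, link_hits = [], []
    for path in sorted(glob.glob(os.path.join(pamd_dir, "*"))):
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                pam_hits += [f"{path}: {l}" for l in pam_env_lines_without_workaround(fh.read())]
        except OSError:  # unreadable or vanished entry; skip it
            continue
    for home in sorted(glob.glob(homes_glob)):
        hit = pam_environment_symlink_outside_home(home)
        if hit:
            link_hits.append(hit)
    return pam_hits, link_hits


if __name__ == "__main__":
    pam_hits, link_hits = audit()
    for finding in pam_hits + link_hits:
        print(finding)
```

Run it as root so every home directory and PAM file can be inspected; an empty result means every pam_env.so line carries the workaround and no user has pointed .pam_environment outside their home.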
Nice, well written report.
Comment by Axu — May 12, 2011 9:59:35 PM
When/if you get a response from Ubuntu, please make sure to add an update to this article. I’d like to hear about it and I know people and companies that currently use 10.04. People need to know.
You also may find the Ubuntu forums more helpful and are encouraged to report your findings to them.
Comment by Zoot Suit — May 16, 2011 5:50:37 AM
I have spoken to Ubuntu. More news to come.
Comment by peter — May 19, 2011 11:22:17 AM
For those monitoring this post: see 7bits.nl/blog/2011/05/30/from-symlinks-to-private-keys
Comment by peter — May 30, 2011 6:26:59 PM
[…] One of our developers has delivered a proof of concept of a vulnerability in Debian 6 / Ubuntu 10.04. Yesterday this developer was the first to prove that this […]
Pingback by Debian / Ubuntu Vulnerability « XLS Hosting Blog — May 31, 2011 4:06:13 PM