Title: Paul Jarc cvmlogin Privilege Elevation Vulnerability
Severity: HIGH
Description:
'cvmlogin' is an implementation of the Unix 'login' utility that uses the CVM framework. It is developed by Paul Jarc.
'cvmlogin' contains a vulnerability that can be exploited to gain root privileges.
After a user has authenticated using 'cvmlogin', another utility called 'setstate' executes the user's shell. 'setstate' is executed using the pathexec() function from Dan J. Bernstein's unix library.
The 'setstate' utility depends on environment variables set by 'cvmlogin' for user properties such as the user's uid and shell. These environment variables are set by 'cvmlogin' using the pathexec_env() function.
'cvmlogin' does not check the return value of pathexec_env(). If there is a shortage of memory, pathexec_env() will fail and not set the desired environment variable in the environment for 'setstate'.
If the 'UID' environment variable exists before 'cvmlogin' attempts to set it and is inherited by 'setstate', 'setstate' will setuid to the value of 'UID' before executing the user shell.
If 'cvmlogin' is installed setuid root, this vulnerability may be exploitable locally. This may also be exploitable through telnet daemons.
This vulnerability is only exploitable by an attacker who can successfully authenticate on the target host.
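The unchecked call pattern described above next to a checked, fail-closed alternative, as an added example (not cvmlogin's or setstate's own code). pathexec_env() is replaced by a stand-in whose interface (1 on success, 0 on allocation failure) is assumed, and setenv()/unsetenv() model the environment that would be handed to 'setstate'.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Stand-in for pathexec_env() from djb's unix library (assumed interface:
   1 on success, 0 when memory allocation fails). The failure is simulated
   with a flag so the two calling patterns can be compared offline. */
static int simulate_alloc_failure = 0;

static int mock_pathexec_env(const char *name, const char *value) {
    if (simulate_alloc_failure) return 0;   /* like pathexec_env() out of memory */
    return setenv(name, value, 1) == 0;
}

/* Vulnerable pattern (as described for cvmlogin): the return value is ignored,
   so a pre-existing UID in the environment is silently inherited by setstate. */
static void set_child_env_unchecked(const char *uid, const char *shell) {
    mock_pathexec_env("UID", uid);
    mock_pathexec_env("SHELL", shell);
}

/* Hardened pattern: scrub any inherited copy first, then check every return
   value and fail closed, so setstate never sees a value cvmlogin did not set. */
static int set_child_env_checked(const char *uid, const char *shell) {
    unsetenv("UID");
    unsetenv("SHELL");
    if (!mock_pathexec_env("UID", uid)) return -1;   /* caller aborts the login */
    if (!mock_pathexec_env("SHELL", shell)) return -1;
    return 0;
}

/* Scenario (constructed): UID=0 already sits in the environment and the
   allocation fails. Returns 1 if the stale value survives for the child. */
int stale_uid_survives_unchecked(void) {
    setenv("UID", "0", 1);
    simulate_alloc_failure = 1;
    set_child_env_unchecked("1000", "/bin/sh");
    simulate_alloc_failure = 0;
    const char *v = getenv("UID");
    return v != NULL && strcmp(v, "0") == 0;
}

/* Same scenario against the hardened pattern. Returns 1 if the login is
   refused and no UID value at all remains in the environment. */
int hardened_fails_closed(void) {
    setenv("UID", "0", 1);
    simulate_alloc_failure = 1;
    int rc = set_child_env_checked("1000", "/bin/sh");
    simulate_alloc_failure = 0;
    return rc == -1 && getenv("UID") == NULL;
}
```

The first function reproduces the advisory's failure mode (a stale 'UID' reaching the child); the second shows that checking the return value and clearing inherited variables first leaves nothing for 'setstate' to act on.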
Affected Products:
- Paul Jarc idtools 2001.5.31
- Paul Jarc idtools 2001.6.8
References:
- Paul Jarc: idtools Homepage