[Am-info] Kerberos 5 su Privilege Escalation Vulnerability
Fred A. Miller
fm@cupserv.org
Mon, 28 Jan 2002 14:23:43 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Kerberos 5 su Privilege Escalation Vulnerability
BugTraq ID: 3919
Remote: No
Date Published: Jan 21 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3919
Summary:
Kerberos 5 includes a version of 'su', a utility that a user can run to
change user identity while logged in. This utility is known as 'k5su'.

A vulnerability in k5su may allow a local user to elevate privileges
under certain circumstances. When root runs 'k5su', no password should
be required to switch to arbitrary userids. The user running k5su is
determined by the output of getlogin(), a function which returns the
username associated with the process's controlling terminal.

If the username 'root' is returned, the program functions as though root
is using it and does not request passwords. Under certain
circumstances, users may have 'root' returned by getlogin(). This may
occur if their username is explicitly set to 'root' or if a process
lowers privileges but does not set a new login name via setlogin().

On such systems, k5su would act as though root were running it and not
prompt for a password. Exploitation of this vulnerability may allow
local attackers to gain root access.
- --
Fred A. Miller
Systems Administrator
Cornell Univ. Press Services
fm@cupserv.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE8VaU/IhTtc6nTZIIRAv0UAJ4+dNqIabQeFSvA+KcWAmXVmCMTnQCfXFTh
h6l+8MciGUK7bJByLeY9uiw=
=SukG
-----END PGP SIGNATURE-----
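
Added example, not part of the original message and not taken from the Kerberos source: the login-name trust decision the advisory describes, next to a check based on the real UID, plus an audit helper that flags the mismatch. All function names are hypothetical, and using getuid() as the corrected check is an assumption about a suitable fix, not the vendor's patch.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Flawed pattern from the advisory: treat the caller as root because the
 * login name (the value getlogin() returned, possibly NULL) is "root". */
static int skip_password_by_login_name(const char *login_name)
{
    return login_name != NULL && strcmp(login_name, "root") == 0;
}

/* Assumed corrected pattern: trust only the kernel-maintained real UID. */
static int skip_password_by_real_uid(uid_t real_uid)
{
    return real_uid == 0;
}

/* Derive the caller's account name from the real UID, not from getlogin(). */
static const char *caller_name_from_uid(uid_t real_uid)
{
    struct passwd *pw = getpwuid(real_uid);
    return pw ? pw->pw_name : NULL;
}

/* Audit helper: true when the login name says "root" but the process is
 * not running as UID 0, the condition under which k5su skipped the prompt. */
static int login_name_disagrees_with_uid(const char *login_name, uid_t real_uid)
{
    return skip_password_by_login_name(login_name) &&
           !skip_password_by_real_uid(real_uid);
}

int main(void)
{
    const char *name = getlogin();           /* login name for this session */
    uid_t uid = getuid();                    /* real UID of this process */
    const char *who = caller_name_from_uid(uid);

    printf("getlogin()=%s getuid()=%lu passwd name=%s\n",
           name ? name : "(null)", (unsigned long)uid, who ? who : "(null)");
    printf("skip password: by login name=%d, by real UID=%d\n",
           skip_password_by_login_name(name), skip_password_by_real_uid(uid));
    if (login_name_disagrees_with_uid(name, uid))
        printf("WARNING: login name is root but real UID is not 0\n");
    return 0;
}
```

Run as an unprivileged user, the program prints the warning only on a session where getlogin() reports 'root' while the real UID is nonzero.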