[Secure-testing-team] Bug#793465: DoS and privilege escalation by local users (CVE-2015-3245 and CVE-2015-3246)

Luca Bruno lucab at debian.org
Fri Jul 24 10:05:17 UTC 2015


Source: libuser
Version: 1:0.56.9.dfsg.1-1.2
Severity: grave
Tags: security upstream patch

During a code audit by Qualys, multiple libuser-related vulnerabilities 
were discovered that can allow local users to perform denial-of-service and
privilege-escalation attacks:

- Race condition in password file update (CVE-2015-3246, Important)

A flaw was found in the way the libuser library handled the /etc/passwd file.
Even though traditional programs like passwd, chfn, and chsh work on a
temporary copy of /etc/passwd and eventually use the rename() function to
rename the temporary copy, libuser modified /etc/passwd directly.
Unfortunately, if anything went wrong during these modifications,
libuser may have left /etc/passwd in an inconsistent state.

This behavior could result in a local denial-of-service attack; in addition,
when combined with a second vulnerability (CVE-2015-3245, described below),
it could result in the escalation of privileges to the root user.

- Lack of validation of GECOS field contents (CVE-2015-3245, Moderate)

It was found that the chfn function of the userhelper utility did not properly
filter out newline characters. The chfn function implemented by the userhelper
utility verified that the fields it was given on the command line were valid
(that is, contain no forbidden characters).
Unfortunately, these forbidden characters (:,=) did not include the \n character
and allowed local attackers to inject newline characters into the /etc/passwd
file and alter this file in unexpected ways.
A local attacker could use this flaw to corrupt the /etc/passwd file,
which could result in a denial-of-service attack on the system.
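The two fixes the report describes, namely rejecting newline (and other control) characters in the GECOS field and updating the password file through a temporary copy that is renamed into place, as an added example in Python. This is not libuser's or userhelper's code; the sample passwd contents, the function names and the file layout are constructed for illustration.

```python
import os
import tempfile

# Field separator ':', the '=' that userhelper already rejected, and the
# record separator '\n' must never reach a GECOS field.
FORBIDDEN_GECOS_CHARS = frozenset(":=\n")

# Constructed sample passwd contents (not a real system file).
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
)


def gecos_is_valid(value: str) -> bool:
    """True if `value` may safely be written into a passwd GECOS field."""
    if any(ch in FORBIDDEN_GECOS_CHARS for ch in value):
        return False
    # Also reject every other control character ('\r', NUL, DEL, ...):
    # none of them belongs in GECOS and several confuse line-based parsers.
    return all(0x20 <= ord(ch) != 0x7F for ch in value)


def parse_passwd(text: str) -> list:
    """Split passwd text into 7-field records, refusing malformed lines."""
    records = []
    for line in text.splitlines():
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        records.append(fields)
    return records


def format_passwd(records) -> str:
    return "".join(":".join(rec) + "\n" for rec in records)


def set_gecos(passwd_path: str, user: str, new_gecos: str) -> None:
    """Update one user's GECOS field via the temp-file-and-rename pattern."""
    if not gecos_is_valid(new_gecos):
        raise ValueError("GECOS contains a forbidden character")
    with open(passwd_path, encoding="utf-8") as fh:
        records = parse_passwd(fh.read())
    matches = [rec for rec in records if rec[0] == user]
    if not matches:
        raise KeyError(user)
    for rec in matches:
        rec[4] = new_gecos
    st = os.stat(passwd_path)
    # Create the temporary copy in the same directory so the final rename
    # stays on one filesystem and is therefore atomic.
    directory = os.path.dirname(os.path.abspath(passwd_path))
    fd, tmp_path = tempfile.mkstemp(prefix=".passwd.", dir=directory)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as tmp:
            tmp.write(format_passwd(records))
            tmp.flush()
            os.fsync(tmp.fileno())          # data is on disk before the rename
        os.chown(tmp_path, st.st_uid, st.st_gid)
        os.chmod(tmp_path, st.st_mode & 0o7777)
        # Readers see either the complete old file or the complete new one;
        # a failure anywhere above leaves the original untouched.
        os.replace(tmp_path, passwd_path)
    except BaseException:
        try:
            os.unlink(tmp_path)
        except FileNotFoundError:
            pass
        raise


def demo() -> tuple:
    """Run the update on a copy of SAMPLE_PASSWD; return (alice's GECOS, root line)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "passwd")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_PASSWD)
        set_gecos(path, "alice", "Alice Example,Room 12")
        with open(path, encoding="utf-8") as fh:
            records = parse_passwd(fh.read())
    return records[1][4], ":".join(records[0])


if __name__ == "__main__":
    print(demo())
```

The validation runs before the file is even opened, so a rejected value never produces a temporary file; `os.replace` is the Python spelling of the `rename()` step that passwd, chfn and chsh rely on.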



Both issues have been fixed upstream, and shipped in release 0.62.
Please mention the CVE numbers in the changelog when fixing the issue.

References:
 * RedHat security bulletin
   https://access.redhat.com/articles/1537873
 * PoC
   http://www.openwall.com/lists/oss-security/2015/07/23/16
 * libuser 0.62 changelog
   https://fedorahosted.org/libuser/browser/NEWS?rev=libuser-0.62
 * Fixing commit
   https://fedorahosted.org/libuser/changeset/d73aa2a5a9ce5bdd349dff46e3e4885f2b194a95/


Cheers, Luca
