---------------------------------------------------------------------- Did you know that a change in our assessment rating, exploit code availability, or if an updated patch is released by the vendor, is not part of this mailing-list? Click here to learn more: http://secunia.com/advisories/business_solutions/ ---------------------------------------------------------------------- TITLE: pam-krb5 File Overwrite and Privilege Escalation SECUNIA ADVISORY ID: SA33914 VERIFY ADVISORY: http://secunia.com/advisories/33914/ CRITICAL: Less critical IMPACT: Manipulation of data, Privilege escalation WHERE: Local system SOFTWARE: pam-krb5 3.x http://secunia.com/advisories/product/21379/ DESCRIPTION: Some vulnerabilities have been reported in pam-krb5, which can be exploited by malicious, local users to overwrite files and to gain escalated privileges. 1) An error exists due to pam-krb5 not using the correct API for initialising the Kerberos libraries in a setuid context. This can be exploited to bypass authentication checks in setuid applications that use PAM for authentication by specifying the Kerberos configuration via environment variables. 2) An error exists in "pam_setcred" when being invoked with "PAM_REINITIALIZE_CREDS" or "PAM_REFRESH_CREDS" by a setuid application without first calling "PAM_ESTABLISH_CREDS" or dropping privileges (e.g. "su" in Solaris 10). This can be exploited to overwrite and chown a file specified via the "KRB5CCNAME" environment variable. The vulnerabilities are reported in versions prior to 3.13. SOLUTION: Update to version 3.13. PROVIDED AND/OR DISCOVERED BY: 1) Reported by the vendor. 2) The vendor credits Derek Chan. ORIGINAL ADVISORY: http://www.eyrie.org/~eagle/software/pam-krb5/security/2009-02-11.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------