February 28th, 2003, 11:03 PM
RH 8 local root vulnerability
While 'playing' with my recently installed RedHat 8 I discovered a big security leak; this was 1 month ago.
28 January 2002, 22.00h Standard European Time, to be correct.
I notified RedHat immediately after speaking with MsMittens in the AO chatroom. She added some nice possible applications of the bug, I tested those and they worked. So the bug was more dangerous than at first sight.
Enough background info... what's the problem?
Well, people using RedHat 8.0 and X with Gnome should have noticed that they can use the new RedHat authentication tool with the key icon in the notify menu (the one that displays the hour and stuff), the so-called tray icons in Windows. RedHat made it possible to change something and become root while not logged in as root in the graphical shell. If you want to do something you need to be root for, RedHat asks for a password. If the correct password is given, RedHat creates the key icon in the tray so you don't need to type the password all the time. In other words, admins can easily change some basic settings using the graphical shell and a user's account. The key icon stays there until it times out or you disable it.

And now comes the problem. When the root person logs off the X shell (run by the normal user), and the normal user logs back in -> tada -> the key icon is still there!!!!! Boom, root access for that particular user in the whole graphical RedHat environment. Because RH made it possible to add users and groups from there, a smart user can create another user with root permissions and give his new root user not only a local backdoor but also remote access. w00t. Remote root exploit created.
So my main solution for this error: make sure whenever you use root that you disable the key icon in the tray.
My email to RedHat:
There's a possible root vulnerability using Gnome in Redhat 8.0 (Psyche) Kernel 2.4.18-14, Gnome 2
It's related to the new RedHat 8.0 Authentication function.
The problem is that when you log in as a normal user and after that an admin / root user changes something on the box using the authentication function, the keys icon is in the tray. If the admin then logs out without choosing "forget authorisation" and the normal user logs back in, the keys are still there.
In other words: in that case a normal user has local root access without providing the root password.
Steps to reproduce:
1) login as a normal user in the full GUI
2) a root user changes some settings using the new authentication function (the keys appear in the system tray)
3) he logs out without clicking on the keys icon and choosing "forget authorisation"
4) log in as the normal user from step 1
5) you have root privileges in Gnome (the keys are still in the tray)
It seems that the default is "keep authorisation" when IMHO it should be forget authorisation when you log out.
I hope this mail makes clear what the bug is, otherwise feel free to contact me.
Their response so far:
Hi Victor, thanks for contacting us.
This is a quick note to say that we received your report and that we'll
take a look at it this week. Once we've investigated we'll get back to
-- Mark J Cox / Security Response Team / Red Hat
--> To the people from RedHat: this is by no means an attack on RedHat or something similar. I know you people are working hard to solve all kinds of probs, and I appreciate the fast email back I got. It seems however that a solution is not to be expected too fast and therefore I wanted to drop this vulnerability warning to the admins out there, mainly because of how simple it is to use.
However, a script kiddie can do nothing with this, because you first need the luck that an admin logs out with your account after a root authentication in the RedHat 8.0 graphical desktop.
February 28th, 2003, 11:07 PM
While a scriptkiddie can do nothing to cause it, an admin who is unaware of the effect of using the "runas" features in the GUI will be caught with his proverbial pants down. A few weeks ago I tested that bug in the Unix Club and was amazed as to how easy it is. What bugs me is that RH could have easily changed the code so that it asks, after the task is done, whether credentials remain or not.
Good work on your part, Victor, for finding it. I'm sorry to hear that RH hasn't looked into this being a serious flaw.
February 28th, 2003, 11:23 PM
Yep, I hope they are looking into it.
It's really some default thingie they need to change...
And btw for all the 'AO people', this is AO exclusive news.
March 1st, 2003, 12:12 PM
This seems to be some important local issue. I tried it and yes you can easily get root powers with a normal account and create yourself a root user for later use.
Anyway, I like the new RedHat, it looks very nice, is easy to install, comes with lots of tools and programs and does what you want it to do.
March 1st, 2003, 12:13 PM
I do see how this can be a big problem. Once you know about it, however, there is no more problem, unless you forget one day before you log off.
I don't know how hard it is, but can't the code be changed so that "forget authorisation" is the default? Wouldn't this be an easy fix?
March 1st, 2003, 12:18 PM
Yes, it looks like an easy fix to add in a patch or new release: just change it to always ask whether to keep or forget authorisation. But either it's not that easy to fix as we think, or RedHat does not bother... there's still no solution. It's probably not that easy to fix?
March 1st, 2003, 06:28 PM
I know this is a stupid question, but if you're root, how do you create another "root" account? I thought there can only be one root account..? And there certainly can't be another account with the same name..
Either get busy living or get busy dying.
-The Shawshank Redemption
March 1st, 2003, 09:01 PM
Not with the same name. With the same privileges. Basically I can create an account called MsMittens and give it a UID and GID of 0. Some systems come with a "toor" account installed already like the one I noticed in my FreeBSD 4.7 box.
March 2nd, 2003, 10:33 AM
Yep Yanksfan, like MsMittens said, when I type root, I mean an account with root powers, meaning UID, GID of 0. Of course you cannot make 2 accounts with the same name 'root'.
It's also true that you cannot get into the root account itself using the vulnerability I explained. You do not get root like logging in as user root. No, the point is that you can get root powers and therefore root access without being root. After you accomplish that you can easily add a new user with the add users and groups utility in the RedHat Gnome and give that user UID 0, making that user as powerful as root. When you do that you can access everything on the system and make it remotely vulnerable too.
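The thread's persistent trace of this bug is a second account carrying UID 0. The following POSIX shell audit is an added example, not code from the thread or from Red Hat: it lists every account in a passwd-format file other than "root" whose UID is 0, which is the check an admin would run on /etc/passwd after finding the key icon left behind. The function names, the temporary sample file and the planted "MsMittens" entry are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a passwd-format file for the
# "second root" the thread describes, i.e. any account other than "root"
# whose UID is 0. On a real host run the functions against /etc/passwd.

# Print the login name of every account with UID 0 that is not "root".
# Field 1 is the login name, field 3 the numeric UID.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print how many such accounts exist (0 means the file is clean).
extra_uid0_count() {
    extra_uid0_accounts "$1" | wc -l | tr -d ' '
}

# Constructed sample passwd data for a stand-alone run (not a real system):
# it plants an "MsMittens" account with UID/GID 0, as described in the thread.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
victor:x:500:500:Victor:/home/victor:/bin/bash
MsMittens:x:0:0:added via cached auth:/home/MsMittens:/bin/bash
EOF

# Report what the sample contains; on a real host substitute /etc/passwd
# for $SAMPLE_PASSWD and treat a non-zero count as something to investigate.
echo "Accounts with UID 0 other than root:"
extra_uid0_accounts "$SAMPLE_PASSWD"
echo "Count: $(extra_uid0_count "$SAMPLE_PASSWD")"
```

Against the constructed sample the first function prints only MsMittens and the count is 1; the check only looks at the UID column, so a planted account with a harmless-looking name is still caught.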
March 8th, 2003, 04:21 AM
Unfortunately, RedHat seems to be slow on a lot of fronts recently. I got an email from a friend a week or two ago referring to a problem with tcpdump. Apparently RedHat has already released a patch for their Advanced series, but they've been dragging their feet and leaving the rest of us hanging out to dry for a while.