PADL Software Pty Ltd
|
Local Format String Vulnerability in pam_ldap A local format string vulnerability has been found in pam_ldap. The vulnerability was reported in Blackshell Advistory #5, and was introduced in pam_ldap-80 along with support for runtime selectable LDAP configuration files (a third party contribution). It cannot be exploited remotely. Versions prior to pam_ldap-80 and subsequent to pam_ldap-143 are not vulnerable. Contrary to reports, the nss_ldap module is not affected by this bug (confusingly, pam_ldap is sometimes distributed by vendors in the same package as nss_ldap). To exploit this vulnerability, one would have to embed a format string in the PAM configuration stanza for pam_ldap (either in /etc/pam.conf or a file within /etc/pam.d). These configuration files should never be writable by a non-privileged user, so it is highly unlikely that such an exploit could be used to elevate privilege in a typical installation. (Were the PAM configuration writable by a non-privileged user, an arbitrary module could be inserted in the PAM stack, presenting a much simpler means of elevating privilege.) More information on vulnerabilities and exposures in PADL open source software is available here. This vulnerability has been assigned CVE number CAN-2002-0374. Patches This vulnerability was corrected in pam_ldap-144; see bug #90. The current version of pam_ldap is available by FTP, or HTTP. RedHat users should see advisory RHSA-2002-084. Alternatively, you may apply the following patch: Index: pam_ldap.c if (_alloc_config (presult) != PAM_SUCCESS) |