[Bug 610125]

Jamie Strandboge jamie at ubuntu.com
Fri Nov 2 11:48:14 UTC 2012


Thank you for reporting this bug to Ubuntu. natty has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against natty is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

** Changed in: pam (Ubuntu Natty)
       Status: Triaged => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/610125

Title:
  pam_motd runs commands as root with unsanitised environment

Status in “pam” package in Ubuntu:
  Triaged
Status in “pam” source package in Lucid:
  Triaged
Status in “pam” source package in Maverick:
  Won't Fix
Status in “pam” source package in Natty:
  Won't Fix
Status in “pam” source package in Oneiric:
  Triaged
Status in “pam” source package in Precise:
  Triaged

Bug description:
  ii  libpam-modules                       1.1.1-2ubuntu5
  Pluggable Authentication Modules for PAM

  (lucid amd64)

  pam_motd calls the scripts in /etc/update-motd.d/ as root without
  sanitising the environment. While that is acceptable when called for
  instance by sshd or by getty through login where the environment
  should be controlled, it becomes an issue if for instance "session
  optional   pam_motd.so" is added to /etc/pam.d/su

  With that done, a user can simply update his $PATH to look first in a
  directory that contains malicious replacements for commands called by
  the /etc/update-motd.d/ scripts (for instance "uname" called by
  00_header).

  pam_motd should perform the same kind of sanitisation as pam_exec, or
  even better not do the run-parts /etc/update-motd.d/ at all but add
  some pam_exec calls to the pam configuration.

  That issue is made worse by the fact that the running of those scripts
  by pam_motd is not documented.

  [SRU JUSTIFICATION]
  IMPACT
  This bug affects those who might have manually modified their PAM configuration to add something like "session    optional   pam_motd.so" to a pam configuration in pam.d, such as /etc/pam.d/su, where the user controls the environment prior to executing the PAM stack.  If so, the user can elevate her privileges to root by simply modifying her PATH to look in a directory that contains a malicious replacement for any of the programs called by the shell scripts in /etc/update-motd.d, such as 'uname'.  Note that default Ubuntu installs are NOT affected, as pam_motd only runs in sshd and login PAM stacks, where the environment is already well controlled.

  HOW ADDRESSED
  The bug is trivially fixed by wrapping the run-parts shell call with an env -i, which clears the entire environment, and manually sets the PATH variable (to the same value lifted from /etc/login.defs).

  PATCH
  See the patch attached to this bug.  It applies equally to all of the affected Ubuntu versions.

  REPRODUCE INSTRUCTIONS
  To test, add $HOME/bin to the path of non-root user 'kirkland'.  Add a shell script, $HOME/bin/uname which does a "date >> /root/howdy". I then add "session optional pam_motd.so" to the end of /etc/pam.d/su.  Before installing patched pam, su and definitely see the file /root/howdy created (verifying the vulnerability). After applying and installing patched pam, you should not see /root/howdy created.

  REGRESSION POTENTIAL
  As far as I could tell, the rest of the update-motd part of pam_motd seemed to work correctly without regression.  In the absolute worst case, /etc/motd might not be updated correctly, which is obviously not ideal, but hardly critical functionality to system operation.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/610125/+subscriptions
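
The effect of the `env -i` fix described under HOW ADDRESSED, as an added unprivileged demonstration that is not part of the original report or the attached patch. The scratch directory, the marker `uname`, the helper names and the `SAFE_PATH` value are assumptions made for illustration; the report only says the real value is taken from /etc/login.defs.

```shell
#!/bin/sh
# Constructed, unprivileged stand-in for the pam_motd behaviour in this report.
# Assumption: SAFE_PATH is a typical fixed superuser path; the report only says
# the patched value is lifted from /etc/login.defs.
SAFE_PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# Build a scratch tree: a stand-in update-motd.d script that calls "uname" by
# bare name, and a user-controlled directory holding a harmless marker "uname".
setup_demo() {
    DEMO=$(mktemp -d) || return 1
    mkdir -p "$DEMO/update-motd.d" "$DEMO/userbin"
    printf '#!/bin/sh\nuname -s\n' > "$DEMO/update-motd.d/00-header"
    printf '#!/bin/sh\necho USER_CONTROLLED_UNAME\n' > "$DEMO/userbin/uname"
    chmod +x "$DEMO/update-motd.d/00-header" "$DEMO/userbin/uname"
}

# Hypothetical helper: run every executable in a directory, as run-parts would.
RUN_ALL='for s in "$1"/*; do [ -x "$s" ] && "$s"; done'

# Unpatched behaviour: the caller's environment, including PATH, is inherited,
# so the bare "uname" resolves to the user-controlled copy.
run_inherited() {
    PATH="$DEMO/userbin:$PATH" sh -c "$RUN_ALL" sh "$DEMO/update-motd.d"
}

# Patched behaviour: env -i drops every inherited variable and pins PATH,
# so the bare "uname" resolves to the system binary.
run_sanitised() {
    PATH="$DEMO/userbin:$PATH" env -i PATH="$SAFE_PATH" \
        sh -c "$RUN_ALL" sh "$DEMO/update-motd.d"
}

cleanup_demo() { rm -rf "$DEMO"; }

setup_demo
echo "inherited: $(run_inherited)"
echo "sanitised: $(run_sanitised)"
cleanup_demo
```
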



