MLDonkey: Privilege escalation

2007-10-24T00:00:00
ID GLSA-200710-25
Type gentoo
Reporter Gentoo Foundation
Modified 2007-11-07T00:00:00

Description

Background

MLDonkey is a peer-to-peer filesharing client that connects to several different peer-to-peer networks, including Overnet and BitTorrent.

Description

The Gentoo MLDonkey ebuild adds a user to the system named "p2p" so that the MLDonkey service can run under a user with low privileges. With older Portage versions this user is created with a valid login shell and no password.

Impact

A remote attacker could log into a vulnerable system as the p2p user. This would require an installed login service that permitted empty passwords, such as SSH configured with the "PermitEmptyPasswords yes" option, a local login console, or a telnet server.

Workaround

See Resolution.

Resolution

Change the p2p user's shell to disallow login. For example, as root run the following command:

 # usermod -s /bin/false p2p

NOTE: Updating to the current MLDonkey ebuild will not remove this vulnerability; it must be fixed manually. The updated ebuild prevents this problem from occurring in the future.
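
To confirm whether a system is in the state described above, and that the usermod change took effect, the following check can be run as root. It is an added example, not part of the advisory; the function name check_account, its return codes, and the list of non-login shells are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether an account has both
# a usable login shell and an empty password field.
# Usage: check_account USER [PASSWD_FILE] [SHADOW_FILE]
# Returns 0 = not exposed, 1 = exposed, 2 = no such account, 3 = unreadable.
check_account() {
    user=$1
    passwd_file=${2:-/etc/passwd}
    shadow_file=${3:-/etc/shadow}   # reading the live file needs root
    if [ ! -r "$passwd_file" ] || [ ! -r "$shadow_file" ]; then
        echo "cannot read account files (run as root)" >&2; return 3
    fi
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd_file")
    if [ -z "$entry" ]; then
        echo "$user: account not found"; return 2
    fi
    pw=$(printf '%s\n' "$entry" | cut -d: -f2)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)

    # "x" means the real password field is in the shadow file. A missing
    # shadow entry is reported as "!" so it is not mistaken for an empty field.
    if [ "$pw" = "x" ]; then
        pw=$(awk -F: -v u="$user" '
            $1 == u { print "=" $2; found = 1; exit }
            END     { if (!found) print "=!" }' "$shadow_file")
        pw=${pw#=}
    fi

    # An empty shell field means /bin/sh, so only known non-login shells pass.
    case $shell in
        /bin/false|/usr/bin/false|/sbin/nologin|/usr/sbin/nologin) login=no ;;
        *) login=yes ;;
    esac

    if [ "$login" = yes ] && [ -z "$pw" ]; then
        echo "$user: EXPOSED (shell='$shell', empty password)"
        return 1
    fi
    echo "$user: not exposed (shell='$shell', login shell: $login)"
    return 0
}

# Constructed sample entries reproducing the state the advisory describes.
demo=$(mktemp -d)
printf 'p2p:x:101:101::/home/p2p:/bin/bash\n' > "$demo/passwd"
printf 'p2p::13811:0:99999:7:::\n' > "$demo/shadow"
check_account p2p "$demo/passwd" "$demo/shadow" || true
rm -rf "$demo"
```

On a live system, run `check_account p2p` as root before and after the usermod command; a return status of 1 means the account still matches the vulnerable state.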