Security hole in pam_krb5-1.0.3

James F.Hranicky jfh at
Mon Feb 10 11:54:31 EST 2003

It appears I've stumbled across a security hole in pam_krb5-1.0.3 . This occurs
in the latest cvs found at

	pserver:anonymous at

When I use the module above on a Solaris 8 machine, I get the following 

  <jfh at waterspout:/cise/sys/src0/jfh/kerberos/pam_krb5-1.0> 1876 : su - jfhmtest
  Password for jfhmtest at CISE.UFL.EDU: 
  waterspout% id
  uid=0(root) gid=50(stdnt) euid=7048(jfhmtest)

The uid of the target user is 0, instead of 7048 . 

When I use the original Cusack module, everything works normally:

  <jfh at waterspout:/cise/sys/src0/jfh/kerberos/pam_krb5-1.0> 1874 : su - jfhmtest
  Password for jfhmtest at CISE.UFL.EDU: 
  waterspout% id
  uid=7048(jfhmtest) gid=50(stdnt)

I tracked the problem down to the following line in the 1.0.3 version:

  support.c:239: if ((ret = setreuid(state->c_ucred->cr_uid, pw->pw_uid)) != 0) {

I've verified the value of 'state->c_ucred->cr_uid' is indeed 0. If the line is
changed to

  support.c:239: if ((ret = setreuid(pw->pw_uid, pw->pw_uid)) != 0) {

the problem does not occur. A small sample program shows the trivial exploit:

  % cat s.c
  #include <stdio.h>

  int main(int argc, char **argv) { 
      printf("uid %d euid %d\n", getuid(), geteuid());
      system("touch /tmp/newfile");
      system("ls -l /tmp/newfile");

  % ./s
  uid 0 euid 0
  -rw-r--r--   1 root     stdnt          0 Feb  5 12:13 /tmp/newfile

Attached is my pam.conf, just in case I've made a mistake in setting things up.

| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| jfh at             |
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: pam.conf.txt

More information about the Kerberos mailing list