Red Hat has patched two vulnerabilities related to the “libuser” library, which could be exploited by a local attacker to escalate privileges to root.
The libuser library provides an interface for manipulating and managing user and group accounts. The package is installed by default in Red Hat Enterprise Linux (RHEL) and other Linux distributions derived from the Red Hat codebase.
The vulnerabilities were discovered and reported by researchers at security firm Qualys, who published a proof-of-concept (PoC) on Thursday to show how the flaws can be exploited.
The first security hole, which Red Hat has classified as having “important” impact, is a race condition vulnerability (CVE-2015-3246). The issue is related to the fact that libuser modifies the /etc/passwd file directly, unlike other programs (e.g. passwd, chfn, chsh) which work on a temporary copy of file that is later renamed. If something goes wrong when changes are made to the file, libuser could leave /etc/passwd in an inconsistent state, which can lead to a denial-of-service (DoS) condition.
The second vulnerability, rated “moderate,” affects the userhelper utility, which provides a basic interface for changing a user’s password, GECOS information, and shell.
The bug is caused by the fact that the chfn function in userhelper does not properly filter out newline characters (CVE-2015-3245).
“The chfn function implemented by the userhelper utility verified that the fields it was given on the command line were valid (that is, contain no forbidden characters),” Red Hat explained in its advisory. “Unfortunately, these forbidden characters (:,=) did not include the \n character and allowed local attackers to inject newline characters into the /etc/passwd file and alter this file in unexpected ways.”
Just like CVE-2015-3246, this vulnerability can be exploited for DoS attacks. However, an attacker can combine CVE-2015-3245 and CVE-2015-3246 to achieve local privilege escalation to the root user.
Red Hat noted that while the userhelper utility is part of the usermode package, the vulnerability has been addressed with an update to the libuser library. The flaw has been patched by ensuring that libuser forbids the \n character.
“userhelper depends on libuser to modify /etc/passwd, and libuser’s format_generic() and generic_setpass() functions reject fields containing a ‘:’ that would be interpreted as a field separator. [CVE-2015-3245] could have been prevented if libuser had also rejected ‘\n’ characters,” Qualys explained in its own advisory.
The vulnerabilities affect all versions of the libuser library included in RHEL 6 and 7. Users are advised to install the updated libuser packages.
Debian has also published advisories for CVE-2015-3245 and CVE-2015-3246, but patches are not available.