MNBSD-2011-5: PAM does not validate service names, allowing escape from the policy path

Severity: Unknown

Affected Package: pam

Summary: PAM does not validate service names, allowing escape from the policy path

Description

pam_start() does not validate the service name, so a caller can supply a name containing path separators and escape the intended PAM policy directory. This can be exploited by unprivileged local users through set-user-ID PAM applications (for example in KDE) to load an attacker-controlled policy and gain elevated privileges.

Affected Versions

pam

Recommendations

No specific recommendations provided.

References

Additional Information

Aliases: CVE-2011-4122

Published: December 23, 2011
Last Modified: December 23, 2011