CVE-2008-0887

First published: Mon Mar 03 2008(Updated: )

Description of problem: If a RHEL5.1 GNOME desktop is locked, and the authentication method is NIS, anyone can unlock the screen with no passwd if the network connection to the NIS disappears or the NIS server is not available. How reproducible: Every time. Steps to Reproduce: 1. Configure machine to be NIS server per: <a href="http://kbase.redhat.com">http://kbase.redhat.com</a> /faq/FAQ_43_5684.shtm 2. Configure a NIS client using system-config-authentication 3. Login to GNOME desktop with NIS-only user. 4. Lock the screen 5. Stop the NIS server (customer disconnected network cable in his test) 6. Press return in lock window. Press cancel. 7. Screen unlocks with no passwd prompt. Actual results: Broke in. Expected results: Screen should stay locked as there is no way to validate the user who is logged in. Additional info: Similar bug on RHEL4: <a href="https://bugzilla">https://bugzilla</a>. redhat.com/show_bug.cgi?id=237003 A similar bug was fixed on RHEL5: * Sun Oct 15 2006 Ray Strode <rstrode> - 2.16.0-13.el5 - lock screen immediately if login security token was removed before startup (<a class="bz_bug_link bz_secure " title="" href="show_bug.cgi?id=210411">bug 210411</a>) Customer tested gnome-screensaver-2.16.1-6.el5 from FastTrack channel but had same results. Log file from his gnome-screensaver session attached. Supporting Materials: Description of how to reproduce, log from gnome-screensaver. I've reproduced this on F8 and RHEL 5.1 as well, a sosreport is currently being generated from my RHEL 5.1 guest. More Info:ore info... The problem might be on any of the calls to getpwnam(): File Function Line 0 fusa-manager.c fusa_manager_get_user 2272 pwent = getpwnam (username); 1 gs-auth-pam.c gs_auth_verify_user 651 pwent = getpwnam (username); 2 gs-auth-pwent.c get_encrypted_passwd 143 struct passwd *p = getpwnam (user); 3 setuid.c hack_uid 223 p = getpwnam ("nobody"); 4 setuid.c hack_uid 224 if (! p) p = getpwnam ("noaccess"); 5 setuid.c hack_uid 225 if (! p) p = getpwnam ("daemon"); Test program gets this error: #include <sys/types.h> #include <pwd.h> #include <stdlib.h> #include <stdio.h> int main(char argc, char *argv[]) { if (!getpwnam("rickb")) printf("error"); } ./getpwnam do_ypcall: clnt_call: RPC: Unable to receive; errno = Connection refused YPBINDPROC_DOMAIN: Domain not bound If NIS is down. If those calls to getpwent() don't handle a NULL properly, we could be in trouble if the return values are undefined. Additional info: Problem may be that gnome-screenaver-dialog is exiting abnormally. If you attach with gdb to this process and set a breakpoint on exit, continue, then shutdown the NIS server, you get this stack trace: Program received signal SIGTERM, Terminated. [Switching to Thread 46912496279280 (LWP 10062)] 0x00000038cb40dd4d in raise () from /lib64/libpthread.so.0 (gdb) bt #0 0x00000038cb40dd4d in raise () from /lib64/libpthread.so.0 #1 0x000000000040e529 in g_cclosure_marshal_VOID__OBJECT () #2 0x0000000000408889 in g_cclosure_marshal_VOID__OBJECT () #3 0x00000038cd42cf44 in g_main_context_dispatch () from /lib64/libglib-2.0.so.0 #4 0x00000038cd42fd7d in g_main_context_check () from /lib64/libglib-2.0.so.0 #5 0x00000038cd43008a in g_main_loop_run () from /lib64/libglib-2.0.so.0 #6 0x00000038d712aad3 in gtk_main () from /usr/lib64/libgtk-x11-2.0.so.0 #7 0x00000000004085c1 in g_cclosure_marshal_VOID__OBJECT () #8 0x00000038ca81d8a4 in __libc_start_main () from /lib64/libc.so.6 #9 0x00000000004082d9 in g_cclosure_marshal_VOID__OBJECT () #10 0x00007ffff53660e8 in ?? () #11 0x0000000000000000 in ?? () (gdb) info thread 2 Thread 1084229952 (LWP 10063) 0x00000038ca8c5d16 in poll () from /lib64/libc.so.6 * 1 Thread 46912496279280 (LWP 10062) 0x00000038cb40dd4d in raise () from /lib64/libpthread.so.0 Once this happens, the process terminates.

Credit: secalert@redhat.com

Affected Software	Affected Version	How to fix
GNOME screensaver	<=2.20.0

CVE-2008-0887

Never miss a vulnerability like this again

Reference Links

Company

Resources

Contact