OpenSSH PAM Session Evasion Vulnerability

When OpenSSH is used in an environment that uses PAM, local users may be able to evade restrictions enforced by PAM modules (such as rlimits).

OpenSSH does not initiate a PAM session when commands are executed in an 'rsh' manner (no pty).

Some systems may rely on PAM to implement system restrictions, such as resource limits on processes. This vulnerability may allow remote users to bypass these restrictions.
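
One way to look for the condition described above from the defender's side, as an added example that is not part of the original advisory: correlate sshd "Accepted" records with PAM session-open records by sshd PID and report logins that never opened a PAM session. The log lines are constructed, and the message formats and the same-PID logging are assumptions based on common OpenSSH and Linux-PAM syslog output.

```python
import re

# Constructed sample syslog lines (not from the advisory). Message formats are an
# assumption based on common OpenSSH / Linux-PAM output; adjust for your platform.
SAMPLE_LOG = """\
Jun 19 10:00:01 host sshd[4101]: Accepted password for alice from 192.0.2.10 port 50111 ssh2
Jun 19 10:00:01 host sshd[4101]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jun 19 10:02:14 host sshd[4177]: Accepted publickey for bob from 192.0.2.11 port 50222 ssh2
Jun 19 10:02:15 host sshd[4177]: Received disconnect from 192.0.2.11: 11: disconnected by user
Jun 19 10:05:40 host sshd[4203]: Failed password for carol from 192.0.2.12 port 50333 ssh2
Jun 19 10:06:02 host sshd[4250]: Accepted password for dave from 192.0.2.13 port 50444 ssh2
Jun 19 10:06:02 host sshd[4250]: pam_unix(sshd:session): session opened for user dave by (uid=0)
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPTED = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)")
# Stop the user name at "(" so "alice(uid=1000)" style records also match.
PAM_OPEN = re.compile(r"^pam_\w+\(sshd:session\): session opened for user (?P<user>[^\s(]+)")


def logins_without_pam_session(log_text):
    """Return accepted logins with no PAM session-open record for the same sshd PID."""
    accepted = {}        # pid -> login details, kept in order of appearance
    pam_opened = set()   # (pid, user) pairs for which a PAM session was opened
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if (a := ACCEPTED.match(msg)):
            accepted[pid] = {"pid": int(pid), **a.groupdict()}
        elif (p := PAM_OPEN.match(msg)):
            pam_opened.add((pid, p.group("user")))
    # Failed logins never enter `accepted`, so only successful ones are reported.
    return [d for pid, d in accepted.items() if (pid, d["user"]) not in pam_opened]


if __name__ == "__main__":
    for hit in logins_without_pam_session(SAMPLE_LOG):
        print("accepted login without PAM session:", hit)
```

Over long log windows sshd PIDs can be reused, so bound the input to a rotation period or key on timestamp as well as PID.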


 

Copyright 2010, SecurityFocus