• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Paul Jarc cvmlogin Privilege Elevation Vulnerability

'cvmlogin' is an implementation of the Unix 'login' utility that implements the CVM framework. It is developed by developed by Paul Jarc. 'cvmlogin' contains a vulnerability that can be exploited to gain root privileges.

'cvmlogin' relies on a program called 'setstate' to set userid and execute the user shell. 'setstate' relies on the 'UID' environment variable, set by 'cvmlogin', for the user's userid. 'cvmlogin' fails to catch memory allocation errors when setting the 'UID' variable in the environment for 'setstate'.

It may be possible for users to have 'setstate' inherit a user-supplied 'UID' environment variable. A resource exhaustion attack would be required to cause 'cvmlogin' to fail when attempting to set the 'UID' (or any other) variable in the environment for 'setstate'. If 'UID' (or any other) exists and the attempt to set a new value fails, the existing one will be included in the environment for 'setstate'.

If an attacker can cause 'setstate' to inherit an arbitrary 'UID' environment variable, root access can be obtained.

If 'cvmlogin' is installed setuid root, this vulnerability may be exploitable locally. This may also be exploitable through telnet daemons.

This vulnerability is only exploitable by an attacker who can successfully authenticate on the target host.