Vulnerability Name:

CVE-2002-1160 (CCN-11254)

Assigned: 2003-02-03
Published: 2003-02-03
Updated: 2016-10-18
Summary: The default configuration of the pam_xauth module forwards MIT-Magic-Cookies to new X sessions, which could allow local users to gain root privileges by stealing the cookies from a temporary .xauth file, which is created with the original user's credentials after root uses su.
CVSS v3 Severity: 9.3 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity: 7.2 High (CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
7.2 High (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type: CWE-Other
Vulnerability Consequences: Gain Privileges
References: Source: MITRE
Type: CNA
CVE-2002-1160

Source: CONECTIVA
Type: UNKNOWN
CLA-2003:693

Source: BUGTRAQ
Type: UNKNOWN
20021214 BDT_AV200212140001: Insecure default: Using pam_xauth for su from sh-utils package

Source: CCN
Type: BugTraq Mailing List, 2002-12-14 4:48:28
BDT_AV200212140001: Insecure default: Using pam_xauth for su from sh-utils package

Source: CCN
Type: RHSA-2003-028
pam security update

Source: CCN
Type: RHSA-2003-035
Updated PAM packages fix bug in pam_xauth module

Source: CCN
Type: Sun Alert ID: 55760
Sun Linux 5.0 Vulnerability in pam_xauth(8) Module May Allow Forwarding of Root Authorization to Unprivileged Users

Source: SUNALERT
Type: UNKNOWN
55760

Source: CCN
Type: CIAC Information Bulletin N-045
Red Hat Updated PAM packages fix bug in pam_xauth Module

Source: XF
Type: Vendor Advisory
linux-pamxauth-gain-privileges(11254)

Source: CCN
Type: US-CERT VU#911505
pam_xauth may insecurely forward X MIT-Magic-Cookies to new sessions

Source: CERT-VN
Type: Third Party Advisory, US Government Resource
VU#911505

Source: CCN
Type: Conectiva Linux Security Announcement CLA-2003:693
pam

Source: MANDRAKE
Type: UNKNOWN
MDKSA-2003:017

Source: REDHAT
Type: UNKNOWN
RHSA-2003:028

Source: REDHAT
Type: UNKNOWN
RHSA-2003:035

Source: BID
Type: UNKNOWN
6753

Source: CCN
Type: BID-6753
PAM pam_xauth Module Unintended X Session Cookie Access Vulnerability

Source: XF
Type: UNKNOWN
linux-pamxauth-gain-privileges(11254)

Vulnerable Configuration: Configuration 1:
  • cpe:/o:redhat:linux:7.1:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux:7.2:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux:7.3:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux:8.0:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/o:redhat:linux:7:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux:7.1:*:*:*:*:*:*:*
  • OR cpe:/a:mandrakesoft:mandrake_single_network_firewall:7.2:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:8.1:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux:7.2:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:8.2:*:*:*:*:*:*:*
  • OR cpe:/o:conectiva:linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux:7.3:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/a:mandrakesoft:mandrake_multi_network_firewall:8.2:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:2.1:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:ws:*:*:*:*:*
  • OR cpe:/o:redhat:linux_advanced_workstation:2.1:*:itanium:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:8.1:*:ia64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:8.2:*:ppc:*:*:*:*:*

  • * Denotes that component is vulnerable
    redhat linux 7.1
    redhat linux 7.2
    redhat linux 7.3
    redhat linux 8.0
    redhat linux 7
    redhat linux 7.1
    mandrakesoft mandrake single network firewall 7.2
    mandrakesoft mandrake linux 8.1
    redhat linux 7.2
    mandrakesoft mandrake linux 8.2
    conectiva linux 8.0
    redhat linux 7.3
    redhat linux 8.0
    mandrakesoft mandrake linux 9.0
    mandrakesoft mandrake multi network firewall 8.2
    mandrakesoft mandrake linux corporate server 2.1
    redhat enterprise linux 2.1
    redhat enterprise linux 2.1
    redhat enterprise linux 2.1
    redhat linux advanced workstation 2.1
    mandrakesoft mandrake linux 8.1
    mandrakesoft mandrake linux 8.2