Vulnerability Name:

CVE-2011-4122 (CCN-71205)

Assigned:2011-11-08
Published:2011-11-08
Updated:2017-08-29
Summary:Directory traversal vulnerability in openpam_configure.c in OpenPAM before r478 on FreeBSD 8.1 allows local users to load arbitrary DSOs and gain privileges via a .. (dot dot) in the service_name argument to the pam_start function, as demonstrated by a .. in the -c option to kcheckpass.
CVSS v3 Severity:9.3 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity:6.9 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C)
5.4 Medium (Temporal CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
6.9 Medium (CCN CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C)
5.4 Medium (CCN Temporal CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type:CWE-22
Vulnerability Consequences:Gain Privileges
References:Source: CCN
Type: C skills Web site
openpam trickery

Source: MISC
Type: Exploit
http://c-skills.blogspot.com/2011/11/openpam-trickery.html

Source: MITRE
Type: CNA
CVE-2011-4122

Source: CCN
Type: NetBSD-SA2011-008
OpenPAM privilege escalation

Source: MLIST
Type: UNKNOWN
[oss-security] 20111207 Disputing CVE-2011-4122

Source: MLIST
Type: UNKNOWN
[oss-security] 20111208 Re: Disputing CVE-2011-4122

Source: OSVDB
Type: UNKNOWN
76945

Source: CCN
Type: SA46756
OpenPAM Service Name Privilege Escalation Security Issue

Source: SECUNIA
Type: Vendor Advisory
46756

Source: CCN
Type: SA46804
FreeBSD OpenPAM Privilege Escalation Security Issue

Source: SECUNIA
Type: Vendor Advisory
46804

Source: CCN
Type: SA47236
NetBSD OpenPAM Privilege Escalation Security Issue

Source: MISC
Type: UNKNOWN
http://stealth.openwall.net/xSports/pamslam

Source: CCN
Type: OpenPam Web site
OpenPAM

Source: CONFIRM
Type: UNKNOWN
http://trac.des.no/openpam/changeset/478/trunk/lib/openpam_configure.c

Source: CCN
Type: FreeBSD Web site
The FreeBSD Project

Source: CCN
Type: OSVDB ID: 76945
OpenPAM Pam Services Traversal Local Privilege Escalation

Source: CCN
Type: OSVDB ID: 78281
kcheckpass pam_start Function PAM Service Name Parsing Local Issue

Source: CCN
Type: BID-50607
OpenPAM 'pam_start()' Local Privilege Escalation Vulnerability

Source: XF
Type: UNKNOWN
openpam-Pamstart-privilege-escalation(71205)

Vulnerable Configuration:Configuration 1:
  • cpe:/o:freebsd:freebsd:8.1:-:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/o:netbsd:netbsd:4.0:*:*:*:*:*:*:*
  • OR cpe:/o:freebsd:freebsd:8.1:-:*:*:*:*:*:*
  • OR cpe:/o:freebsd:freebsd:7.3:-:*:*:*:*:*:*

* Denotes that component is vulnerable
    freebsd freebsd 8.1
    netbsd netbsd 4.0
    freebsd freebsd 8.1 -
    freebsd freebsd 7.3 -