From: Dhiraj Mishra <mishra.dhiraj95@gmail.com>
Date: Thu, 26 Jul 2018 22:08:51 +0530
Subject: racecondition in posix platformAccess code path
To: krb5-bugs@mit.edu

Dear Team,

File: localauth_k5login.c#L110

I believe this indicates a security flaw. If an attacker can change anything along the path between the call to access() and the files actually used, the attacker may exploit the race condition or a time-of-check, time-of-use race condition. I request the team to please have a look and validate.


Thank you

--
Regards
Dhiraj Mishra.
GPG ID :  51720F56   |  Finger Print : 1F6A FC7B 05AA CF29 8C1C  ED65 3233 4D18 5172 0F56

How would an attacker gain access to the path to a user's home
directory? The path to .k5login can alternatively be configured via
[libdefaults] k5login_directory, but it seems very unlikely that an
administrator would set that path to something underneath /tmp or
similar.

Also, what would be the adverse security impact of making the .k5login
appear to exist at one moment but then be unopenable when the code
tries to open it? It seems like that would just cause the localauth
operation to deny access.

I moderated this through because I don't think there is actually a
security issue, but please use krbcore-security@mit.edu to report bugs
which you believe are exploitable.
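
The check-then-open pattern discussed in this thread, as an added example that is not part of either message and is not the krb5 source: a generic access()-then-fopen() sequence that fails closed when the file disappears inside the race window, next to an open-then-fstat() variant that has no window because every check is made on the descriptor being read. The `between` hook, the `verdict` values, the ownership check and the /tmp sample path are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum verdict { NO_FILE, DENY, FILE_OK };

/* Check-then-use. `between` is a hypothetical hook that runs inside the race
 * window, standing in for a concurrent change to the path. */
enum verdict check_then_open(const char *path, void (*between)(const char *))
{
    if (access(path, F_OK) != 0)      /* time of check */
        return NO_FILE;
    if (between != NULL)
        between(path);
    FILE *fp = fopen(path, "r");      /* time of use */
    if (fp == NULL)
        return DENY;                  /* file vanished: fail closed */
    fclose(fp);
    return FILE_OK;
}

/* Open once, then test properties of the descriptor actually being read. */
enum verdict open_then_fstat(const char *path, uid_t owner)
{
    struct stat st;
    int ok, fd = open(path, O_RDONLY);
    if (fd < 0)
        return DENY;
    ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == owner;
    close(fd);
    return ok ? FILE_OK : DENY;
}

void remove_file(const char *path) { unlink(path); }

/* Create an empty constructed sample file from a mkstemp() template. */
int make_sample(char *tmpl)
{
    int fd = mkstemp(tmpl);
    return fd >= 0 && close(fd) == 0;
}

int main(void)
{
    char p[] = "/tmp/k5login-demo-XXXXXX";
    return make_sample(p) && check_then_open(p, remove_file) == DENY ? 0 : 1;
}
```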