CVE-2015-3245
Published 2015-08-11
Priority P4 (18) · low · CVSS 2.0 score 2.1
CVSS 2.0 vector: AV:L/AC:L/Au:N/C:N/I:N/A:P
EXPLOIT: public exploit listed (see the Exploit-DB and Metasploit entries below)
EPSS: 5.32% (91.6th percentile)
Incomplete blacklist vulnerability in the chfn function in libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, allows local users to cause a denial of service (/etc/passwd corruption) via a newline character in the GECOS field.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libuser | < libuser 1:0.62~dfsg-0.1 (bookworm) | libuser 1:0.62~dfsg-0.1 (bookworm) |
| libuser | libuser | >= 0 < 1:0.62~dfsg-0.1 | 1:0.62~dfsg-0.1 |
| libuser | libuser | >= 0 < 1:0.62~dfsg-0.1 | 1:0.62~dfsg-0.1 |
| libuser | libuser | >= 0 < 1:0.62~dfsg-0.1 | 1:0.62~dfsg-0.1 |
| libuser | libuser | >= 0 < 1:0.62~dfsg-0.1 | 1:0.62~dfsg-0.1 |
| redhat | libuser | <= 0.56.13-5 | — |
| redhat | libuser | — | — |
| redhat | libuser | — | — |
| redhat | libuser | — | — |
| redhat | libuser | — | — |
| redhat | libuser | — | — |
| redhat | libuser | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 2.1 | LOW | AV:L/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 2.1 | LOW | — |
| vendor_debian | — | 2.1 | LOW | — |
| vendor_redhat | — | 2.1 | LOW | — |
GHSA · GHSA-f52h-j689-x786 · ghsa_unreviewed · 2022-05-14 · CVSS 2.1 · CVE-2015-3246 [LOW]
libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, directly modifies /etc/passwd, which allows local users to cause a denial of service (inconsistent file state) by causing an error during the modification. NOTE: this issue can be combined with CVE-2015-3245 to gain privileges.
GHSA · GHSA-q4h8-6f3r-mvww · ghsa_unreviewed · 2022-05-14 · CVE-2015-3245 [LOW] · CWE-20
Incomplete blacklist vulnerability in the chfn function in libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, allows local users to cause a denial of service (/etc/passwd corruption) via a newline character in the GECOS field.
OSV · CVE-2015-3246 · osv · 2015-08-11 · CVSS 2.1 · [LOW]
libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, directly modifies /etc/passwd, which allows local users to cause a denial of service (inconsistent file state) by causing an error during the modification. NOTE: this issue can be combined with CVE-2015-3245 to gain privileges.
OSV · CVE-2015-3245 · osv · 2015-08-11 · CVSS 2.1 · [LOW]
Incomplete blacklist vulnerability in the chfn function in libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, allows local users to cause a denial of service (/etc/passwd corruption) via a newline character in the GECOS field.
Red Hat · libuser: Security flaw in handling /etc/passwd file · vendor_redhat · 2015-07-23 · CVSS 2.1 · CVE-2015-3246 [LOW]
libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, directly modifies /etc/passwd, which allows local users to cause a denial of service (inconsistent file state) by causing an error during the modification. NOTE: this issue can be combined with CVE-2015-3245 to gain privileges.
A flaw was found in the way the libuser library handled the /etc/passwd file. A local attacker could use an application compiled against libuser (for example, userhelper) to manipulate the /etc/passwd file, which could result in a denial of service or possibly allow the attacker to escalate their privileges to root.
Statement: This issue affects the versions of libuser as shipped with Red Hat Enterprise Li
Red Hat · libuser: does not filter newline characters in the GECOS field · vendor_redhat · 2015-07-23 · CVSS 2.1 · CVE-2015-3245 [LOW] · CWE-138
Incomplete blacklist vulnerability in the chfn function in libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, allows local users to cause a denial of service (/etc/passwd corruption) via a newline character in the GECOS field.
It was found that libuser, as used by the chfn userhelper functionality, did not properly filter out newline characters in GECOS fields. A local, authenticated user could use this flaw to corrupt the /etc/passwd file, resulting in a denial-of-service on the system.
Statement: Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This vulnerability has been rated as having Moderate security impact and i
Debian · CVE-2015-3246 · libuser · vendor_debian · 2015 · CVSS 2.1 · [LOW]
libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, directly modifies /etc/passwd, which allows local users to cause a denial of service (inconsistent file state) by causing an error during the modification. NOTE: this issue can be combined with CVE-2015-3245 to gain privileges.
Scope: local
bookworm: resolved (fixed in 1:0.62~dfsg-0.1)
bullseye: resolved (fixed in 1:0.62~dfsg-0.1)
forky: resolved (fixed in 1:0.62~dfsg-0.1)
sid: resolved (fixed in 1:0.62~dfsg-0.1)
trixie: resolved (fixed in 1:0.62~dfsg-0.1)
Debian · CVE-2015-3245 · libuser · vendor_debian · 2015 · CVSS 2.1 · [LOW]
Incomplete blacklist vulnerability in the chfn function in libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, allows local users to cause a denial of service (/etc/passwd corruption) via a newline character in the GECOS field.
Scope: local
bookworm: resolved (fixed in 1:0.62~dfsg-0.1)
bullseye: resolved (fixed in 1:0.62~dfsg-0.1)
forky: resolved (fixed in 1:0.62~dfsg-0.1)
sid: resolved (fixed in 1:0.62~dfsg-0.1)
trixie: resolved (fixed in 1:0.62~dfsg-0.1)
No detection rules found.
Exploit-DB · Libuser - 'roothelper' Local Privilege Escalation (Metasploit) · exploitdb · 2018-05-16 · CVE-2015-3246
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Libuser roothelper Privilege Escalation',
      'Description' => %q{
        This module attempts to gain root privileges on Red Hat based Linux
        systems, including RHEL, Fedora and CentOS, by exploiting a newline
        injection vulnerability in libuser and userhelper versions prior to
        0.56.13-8 and version 0.60 before 0.60-7.
        This module makes use of the roothelper.c exploit from Qualys to
        insert a new user with UID=0 in /etc/passwd.
        Note, the password for the current user is required by userhelper.
        Note, on some systems, such as Fedora 11, the user entry for the
        current user i
```
Exploit-DB · Libuser Library - Multiple Vulnerabilities · exploitdb · 2015-07-27 · CVSS 2.1 · CVE-2015-3246 [LOW]
---
Qualys Security Advisory
CVE-2015-3245 userhelper chfn() newline filtering
CVE-2015-3246 libuser passwd file handling
--[ Summary ]-----------------------------------------------------------------
The libuser library implements a standardized interface for manipulating
and administering user and group accounts, and is installed by default
on Linux distributions derived from Red Hat's codebase. During an
internal code audit at Qualys, we discovered multiple libuser-related
vulnerabilities that allow local users to perform denial-of-service and
privilege-escalation attacks. As a proof of concept, we developed an
unusual local root exploit against one of libuser's applications.
----[ Vulnerability #1 (CVE-2015-3245 userhelper chfn() newl
Metasploit · Libuser roothelper Privilege Escalation
This module attempts to gain root privileges on Red Hat based Linux systems, including RHEL, Fedora and CentOS, by exploiting a newline injection vulnerability in libuser and userhelper versions prior to 0.56.13-8 and version 0.60 before 0.60-7. This module makes use of the roothelper.c exploit from Qualys to insert a new user with UID=0 in /etc/passwd. Note, the password for the current user is required by userhelper. Note, on some systems, such as Fedora 11, the user entry for the current user in /etc/passwd will become corrupted and exploitation will fail. This module has been tested successfully on libuser packaged versions 0.56.13-4.el6 on CentOS 6.0 (x86_64); 0.56.13-5.el6 on CentOS 6.5 (x86_64); 0.60-5.el7 on CentOS 7.1-1503 (x86_64); 0.56.16
Bugzilla · CVE-2015-3245 CVE-2015-3246 libuser: various flaws [fedora-all] · bugzilla · 2015-07-23 · CVSS 2.1 · CVE-2015-3245 [LOW]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While
Bugzilla · CVE-2015-3246 libuser: Security flaw in handling /etc/passwd file · bugzilla · 2015-06-18 · CVSS 2.1 · CVE-2015-3246 [LOW]
A flaw was found in the way libuser handled /etc/passwd file. Even though traditional programs like passwd, chfn, and chsh work on a temporary copy of /etc/passwd and eventually rename() it, libuser modifies /etc/passwd directly. Unfortunately, if anything goes wrong during these modifications, libuser may leave /etc/passwd in an inconsistent state.
This can cause a local denial-of-service. Also when combined with CVE-2015-3245, it could result in privilege escalation to root user.
Acknowledgements:
Red Hat would like to thank Qualys for reporting this issue.
Discussion:
External References:
https://access.redhat.com/articles/1537873
---
This issue has been addressed in the following products:
Red Hat Enterprise L
Bugzilla · CVE-2015-3245 libuser: does not filter newline characters in the GECOS field · bugzilla · 2015-06-18 · CVSS 2.1 · CVE-2015-3245 [LOW]
It was found that libuser, as used in the chfn userhelper functionality, does not properly filter out newline characters, which allows an authenticated local attacker to corrupt the /etc/passwd file and cause denial-of-service against the system.
Acknowledgements:
Red Hat would like to thank Qualys for reporting this issue.
Discussion:
This vulnerability is addressed by additional checks on GECOS field contents within the libuser library, and not in the userhelper program in the usermode package. This change will also protect other applications which use libuser.
---
Mitigation:
Add pam_warn and pam_deny rules to /etc/pam.d/chfn and /etc/pam.d/chsh to prevent non-root users from using this functionality. W
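The Bugzilla discussion above says the fix adds checks on GECOS field contents inside libuser rather than in userhelper. The following is an added illustration (not libuser's or Red Hat's code) of what such a check has to reject and why: a GECOS value containing a newline turns one /etc/passwd entry into two records when the file is read back, which is the corruption the CVE describes. The validator, the entry builder and the sample values are constructed for this example; the exact characters libuser rejects may differ.

```python
import re

# Characters a GECOS value must never contain: the field separator ':',
# the record separator '\n' and any other ASCII control character.
# Assumption: this approximates the libuser check; it is not its code.
_GECOS_FORBIDDEN = re.compile(r"[:\x00-\x1f\x7f]")


def gecos_is_valid(gecos: str) -> bool:
    """True if the GECOS string cannot break /etc/passwd framing."""
    return _GECOS_FORBIDDEN.search(gecos) is None


def build_passwd_entry(name, uid, gid, gecos, home, shell, validate=True):
    """Compose one /etc/passwd line.

    validate=False copies the GECOS value verbatim, which is the pre-fix
    behaviour this CVE is about; validate=True refuses it before anything
    would be written.
    """
    if validate and not gecos_is_valid(gecos):
        raise ValueError("GECOS contains ':' or a control character")
    return f"{name}:x:{uid}:{gid}:{gecos}:{home}:{shell}"


def parse_passwd(text: str):
    """Split passwd text the way consumers of the file do: one record per
    line, each record a list of colon-separated fields (7 when well-formed)."""
    return [line.split(":") for line in text.splitlines() if line]


def malformed_records(text: str):
    """Return the records that do not have exactly seven fields."""
    return [r for r in parse_passwd(text) if len(r) != 7]


if __name__ == "__main__":
    # Constructed sample: a "full name" carrying an embedded newline.
    bad_gecos = "Jane Doe\nextra"
    naive = build_passwd_entry("jane", 1000, 1000, bad_gecos,
                               "/home/jane", "/bin/bash", validate=False)
    # Pre-fix: one entry becomes two records, both malformed.
    print(len(parse_passwd(naive)), len(malformed_records(naive)))
    # Fixed: the request is rejected up front.
    try:
        build_passwd_entry("jane", 1000, 1000, bad_gecos, "/home/jane", "/bin/bash")
    except ValueError as exc:
        print("rejected:", exc)
```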
References:
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163044.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162947.html
http://rhn.redhat.com/errata/RHSA-2015-1482.html
http://rhn.redhat.com/errata/RHSA-2015-1483.html
http://www.securityfocus.com/bid/76021
http://www.securitytracker.com/id/1033040
https://access.redhat.com/articles/1537873
https://www.exploit-db.com/exploits/44633/
https://www.qualys.com/2015/07/23/cve-2015-3245-cve-2015-3246/cve-2015-3245-cve-2015-3246.txt