CVE-2015-3246
Published 2015-08-11
Priority P339 · high · CVSS 2.0 score 7.2
AV:L/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 6.85% (93.2th percentile)
libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, directly modifies /etc/passwd, which allows local users to cause a denial of service (inconsistent file state) by causing an error during the modification. NOTE: this issue can be combined with CVE-2015-3245 to gain privileges.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libuser | < libuser 1:0.62~dfsg-0.1 (bookworm) | libuser 1:0.62~dfsg-0.1 (bookworm) |
| libuser | libuser | >= 0 < 1:0.62~dfsg-0.1 | 1:0.62~dfsg-0.1 |
| libuser | libuser | >= 0 < 1:0.62~dfsg-0.1 | 1:0.62~dfsg-0.1 |
| libuser | libuser | >= 0 < 1:0.62~dfsg-0.1 | 1:0.62~dfsg-0.1 |
| libuser | libuser | >= 0 < 1:0.62~dfsg-0.1 | 1:0.62~dfsg-0.1 |
| redhat | libuser | <= 0.56.13-5 | — |
| redhat | libuser | — | — |
| redhat | libuser | — | — |
| redhat | libuser | — | — |
| redhat | libuser | — | — |
| redhat | libuser | — | — |
| redhat | libuser | — | — |
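CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 2.1 | LOW | — |
| vendor_debian | — | 2.1 | LOW | — |
| vendor_redhat | — | 2.1 | LOW | — |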
GHSA
GHSA-f52h-j689-x786: libuser before 0
ghsa_unreviewed·2022-05-14·CVSS 2.1
OSV
CVE-2015-3246: libuser before 0
osv·2015-08-11·CVSS 2.1
Red Hat
libuser: Security flaw in handling /etc/passwd file
vendor_redhat·2015-07-23·CVSS 2.1
A flaw was found in the way the libuser library handled the /etc/passwd file. A local attacker could use an application compiled against libuser (for example, userhelper) to manipulate the /etc/passwd file, which could result in a denial of service or possibly allow the attacker to escalate their privileges to root.
Statement: This issue affects the versions of libuser as shipped with Red Hat Enterprise Li
Debian
CVE-2015-3246: libuser - libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper progr...
vendor_debian·2015·CVSS 2.1
Scope: local
bookworm: resolved (fixed in 1:0.62~dfsg-0.1)
bullseye: resolved (fixed in 1:0.62~dfsg-0.1)
forky: resolved (fixed in 1:0.62~dfsg-0.1)
sid: resolved (fixed in 1:0.62~dfsg-0.1)
trixie: resolved (fixed in 1:0.62~dfsg-0.1)
No detection rules found.
Exploit-DB
Libuser - 'roothelper' Local Privilege Escalation (Metasploit)
exploitdb·2018-05-16
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Libuser roothelper Privilege Escalation',
'Description' => %q{
This module attempts to gain root privileges on Red Hat based Linux
systems, including RHEL, Fedora and CentOS, by exploiting a newline
injection vulnerability in libuser and userhelper versions prior to
0.56.13-8 and version 0.60 before 0.60-7.
This module makes use of the roothelper.c exploit from Qualys to
insert a new user with UID=0 in /etc/passwd.
Note, the password for the current user is required by userhelper.
Note, on some systems, such as Fedora 11, the user entry for the
current user i
Exploit-DB
Libuser Library - Multiple Vulnerabilities
exploitdb·2015-07-27·CVSS 2.1
---
Qualys Security Advisory
CVE-2015-3245 userhelper chfn() newline filtering
CVE-2015-3246 libuser passwd file handling
--[ Summary ]-----------------------------------------------------------------
The libuser library implements a standardized interface for manipulating
and administering user and group accounts, and is installed by default
on Linux distributions derived from Red Hat's codebase. During an
internal code audit at Qualys, we discovered multiple libuser-related
vulnerabilities that allow local users to perform denial-of-service and
privilege-escalation attacks. As a proof of concept, we developed an
unusual local root exploit against one of libuser's applications.
----[ Vulnerability #1 (CVE-2015-3245 userhelper chfn() newl
Metasploit
Libuser roothelper Privilege Escalation
metasploit
This module attempts to gain root privileges on Red Hat based Linux systems, including RHEL, Fedora and CentOS, by exploiting a newline injection vulnerability in libuser and userhelper versions prior to 0.56.13-8 and version 0.60 before 0.60-7. This module makes use of the roothelper.c exploit from Qualys to insert a new user with UID=0 in /etc/passwd. Note, the password for the current user is required by userhelper. Note, on some systems, such as Fedora 11, the user entry for the current user in /etc/passwd will become corrupted and exploitation will fail. This module has been tested successfully on libuser packaged versions 0.56.13-4.el6 on CentOS 6.0 (x86_64); 0.56.13-5.el6 on CentOS 6.5 (x86_64); 0.60-5.el7 on CentOS 7.1-1503 (x86_64); 0.56.16
Bugzilla
CVE-2015-3245 CVE-2015-3246 libuser: various flaws [fedora-all]
bugzilla·2015-07-23·CVSS 2.1
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While
Bugzilla
CVE-2015-3246 libuser: Security flaw in handling /etc/passwd file
bugzilla·2015-06-18·CVSS 2.1
A flaw was found in the way libuser handled the /etc/passwd file. Even though traditional programs like passwd, chfn, and chsh work on a temporary copy of /etc/passwd and eventually rename() it, libuser modifies /etc/passwd directly. Unfortunately, if anything goes wrong during these modifications, libuser may leave /etc/passwd in an inconsistent state.
This can cause a local denial-of-service. Also, when combined with CVE-2015-3245, it could result in privilege escalation to the root user.
Acknowledgements:
Red Hat would like to thank Qualys for reporting this issue.
Discussion:
External References:
https://access.redhat.com/articles/1537873
---
This issue has been addressed in the following products:
Red Hat Enterprise L
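The Bugzilla description above contrasts libuser's in-place edits with the temporary-copy-then-rename() approach used by passwd, chfn and chsh. An added example of that safer pattern in C follows; it is not libuser or shadow-utils code, `atomic_replace`, `read_file` and the `fail_after` hook are hypothetical names, and file locking is omitted.

```c
/* Added example (not libuser code): replace a passwd-style file through a
 * temporary copy plus rename(), so a failed write never touches the live file. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* fail_after is a hypothetical test hook: if >= 0, writing stops with an error
 * after that many bytes, standing in for a full disk or a file-size limit.
 * Returns 0 on success, -1 on failure with `path` left exactly as it was. */
int atomic_replace(const char *path, const char *data, size_t len, long fail_after)
{
    char tmp[PATH_MAX];
    int fd;
    size_t off = 0;

    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp)
        return -1;
    if ((fd = mkstemp(tmp)) < 0)        /* same directory, so same filesystem */
        return -1;
    while (off < len) {
        size_t want = len - off;
        if (fail_after >= 0) {
            if (off >= (size_t)fail_after) { errno = EFBIG; goto fail; }
            if (want > (size_t)fail_after - off) want = (size_t)fail_after - off;
        }
        ssize_t n = write(fd, data + off, want);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) goto fail;
        off += (size_t)n;
    }
    if (fchmod(fd, 0644) != 0 || fsync(fd) != 0) goto fail;
    if (rename(tmp, path) != 0) goto fail;  /* readers see old or new, never half */
    close(fd);
    return 0;
fail:
    close(fd);
    unlink(tmp);                        /* discard the partial copy */
    return -1;
}

/* Read up to cap-1 bytes of `path` into buf (NUL-terminated); length or -1. */
long read_file(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (long)n;
}
```

With an in-place writer, the same interrupted write would leave the live file truncated or half-updated, which is the inconsistent state the advisory describes.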
References
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163044.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162947.html
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00000.html
http://rhn.redhat.com/errata/RHSA-2015-1482.html
http://rhn.redhat.com/errata/RHSA-2015-1483.html
http://www.securityfocus.com/bid/76022
http://www.securitytracker.com/id/1033040
https://access.redhat.com/articles/1537873
https://www.exploit-db.com/exploits/44633/
https://www.qualys.com/2015/07/23/cve-2015-3245-cve-2015-3246/cve-2015-3245-cve-2015-3246.txt