Posted: Wed Oct 24, 2007 10:26 pm Post subject: [ GLSA 200710-25 ] MLDonkey: Privilege escalation
Gentoo Linux Security Advisory
Title: MLDonkey: Privilege escalation (GLSA 200710-25)
Date: October 24, 2007
Updated: November 07, 2007
The Gentoo MLDonkey ebuild adds a user to the system with a valid login shell and no password.
MLDonkey is a peer-to-peer filesharing client that connects to several different peer-to-peer networks, including Overnet and BitTorrent.
Vulnerable: < 2.9.0-r3
Unaffected: >= 2.9.0-r3
Architectures: All supported architectures
The Gentoo MLDonkey ebuild adds a user to the system named "p2p" so that the MLDonkey service can run under a user with low privileges. With older Portage versions this user is created with a valid login shell and no password.
A remote attacker could log into a vulnerable system as the p2p user. This would require an installed login service that permitted empty passwords, such as SSH configured with the "PermitEmptyPasswords yes" option, a local login console, or a telnet server.
Change the p2p user's shell to disallow login. For example, as root run the following command:
# usermod -s /bin/false p2p
NOTE: updating to the current MLDonkey ebuild will not remove this vulnerability; it must be fixed manually. The updated ebuild is to prevent this problem from occurring in the future.
Last edited by GLSA on Thu Nov 08, 2007 4:18 am; edited 1 time in total
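A defensive audit for the condition the advisory describes, as an added example that is not part of the original advisory: it lists accounts that have an empty password field together with a login shell, and checks whether an sshd_config enables PermitEmptyPasswords. The function names and sample files are constructed for illustration, and it assumes "no password" appears as an empty second field in the shadow file.

```shell
#!/bin/sh
# Added example (not from the advisory): find accounts in the same state as "p2p".

# Print "user:shell" for accounts with an empty password field and a login shell.
# $1 = passwd-format file, $2 = shadow-format file.
empty_pw_login_accounts() {
    awk -F: '
        # Shadow file: remember users whose password field is empty.
        FILENAME == ARGV[1] { if ($2 == "") empty[$1] = 1; next }
        # Passwd file: report them unless the shell already blocks login.
        ($1 in empty) && $7 !~ /\/(false|nologin)$/ { print $1 ":" $7 }
    ' "$2" "$1"
}

# Succeed if sshd_config-format file $1 sets "PermitEmptyPasswords yes".
# Simplification: first match wins; Match blocks, Include and the
# keyword=value form are not handled.
sshd_permits_empty() {
    awk '
        tolower($1) == "permitemptypasswords" { v = tolower($2); exit }
        END { exit !(v == "yes") }
    ' "$1"
}

# Write constructed sample files (not real system data) into directory $1.
make_sample() {
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'p2p:x:101:100:added by portage:/home/p2p:/bin/bash' \
        'games:x:35:35:games:/usr/games:/bin/false' > "$1/passwd"
    printf '%s\n' \
        'root:$6$constructed$hash:13800:0:::::' \
        'p2p::13800:0:99999:7:::' \
        'games::13800:0:99999:7:::' > "$1/shadow"
    printf '%s\n' '#PermitEmptyPasswords no' \
        'permitemptypasswords yes' > "$1/sshd_config"
}

tmp=$(mktemp -d)
make_sample "$tmp"
echo "Empty-password accounts with a login shell:"
empty_pw_login_accounts "$tmp/passwd" "$tmp/shadow"
if sshd_permits_empty "$tmp/sshd_config"; then
    echo "sshd accepts empty passwords: these accounts are reachable over SSH"
fi
rm -rf "$tmp"
```

On a live system, run the first function as root against /etc/passwd and /etc/shadow; an account that has the advisory's `usermod -s /bin/false` workaround applied no longer appears in the output.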