In OpenBSD 6.6, local users can use the su -L option to achieve any login class (often excluding root) because there is a logic error in the main function in su/su.c.
Weakness
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Openbsd | Openbsd | 6.6 (including) | 6.6 (including) |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/114.html
- https://cwe.mitre.org/data/definitions/115.html
- https://cwe.mitre.org/data/definitions/151.html
- https://cwe.mitre.org/data/definitions/194.html
- https://cwe.mitre.org/data/definitions/22.html
- https://cwe.mitre.org/data/definitions/57.html
- https://cwe.mitre.org/data/definitions/593.html
- https://cwe.mitre.org/data/definitions/633.html
- https://cwe.mitre.org/data/definitions/650.html
- https://cwe.mitre.org/data/definitions/94.html
References
- http://packetstormsecurity.com/files/155572/Qualys-Security-Advisory-OpenBSD-Authentication-Bypass-Privilege-Escalation.html
- http://seclists.org/fulldisclosure/2019/Dec/14
- http://www.openwall.com/lists/oss-security/2019/12/04/5
- https://github.com/openbsd/src/blob/2dfc98f42e117c7605b52b5020b630d98601dc22/usr.bin/su/su.c#L210-L211
- https://seclists.org/bugtraq/2019/Dec/8
- https://www.openbsd.org/errata66.html
- https://www.openwall.com/lists/oss-security/2019/12/04/5
- http://packetstormsecurity.com/files/155572/Qualys-Security-Advisory-OpenBSD-Authentication-Bypass-Privilege-Escalation.html
- http://seclists.org/fulldisclosure/2019/Dec/14
- http://www.openwall.com/lists/oss-security/2019/12/04/5
- https://github.com/openbsd/src/blob/2dfc98f42e117c7605b52b5020b630d98601dc22/usr.bin/su/su.c#L210-L211
- https://seclists.org/bugtraq/2019/Dec/8
- https://www.openbsd.org/errata66.html
- https://www.openwall.com/lists/oss-security/2019/12/04/5