Multiple Linux Vendor pam_console Remote User Vulnerability
Info
| Bugtraq ID: | 1513 |
| Class: | Access Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jul 27 2000 12:00AM |
| Updated: | Jul 27 2000 12:00AM |
| Credit: | This vulnerability was first reported in a Redhat security advisory on July 21, 2000. |
| Vulnerable: | Redhat Linux 6.2 sparc; Redhat Linux 6.2 i386; Redhat Linux 6.2 alpha; Redhat Linux 6.1 sparc; Redhat Linux 6.1 i386; Redhat Linux 6.1 alpha; Redhat Linux 6.0 sparc; Redhat Linux 6.0 alpha; Redhat Linux 6.0; Michael K. Johnson pam_console 0.72 unpatched; Michael K. Johnson pam_console 0.66 |
| Not Vulnerable: | SuSE Linux 7.0; Michael K. Johnson pam_console 0.72 patched |
Discussion
There is a vulnerability in the Linux pam_console module that could allow an attacker to remotely reboot the workstation or perform other actions limited to local users.
If a workstation is configured to use a display manager (xdm, gdm, kdm, etc.) AND has XDMCP enabled, it is possible for a user who logs in remotely to use Xnest -query to log in on display :1, which is recognized as the system console. This vulnerability is only present if the workstation is running a graphical login manager such as gdm or kdm.
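The precondition named above (a display manager with XDMCP enabled) can be audited from configuration files. The following is an added example, not part of the original advisory: it assumes the commonly documented settings (an `[xdmcp]` section with `Enable=` for gdm and kdm, the `DisplayManager.requestPort` resource for xdm) and the defaults noted in the comments, and the sample configs are constructed.

```python
import configparser
import re

TRUE_VALUES = {"1", "true", "yes", "on"}

def ini_xdmcp_enabled(text):
    """gdm.conf / kdmrc style: an [xdmcp] section with an Enable= key."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   allow_no_value=True)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "xdmcp":  # gdm writes [xdmcp], kdm writes [Xdmcp]
            value = cp.get(section, "enable", fallback="false") or "false"
            return value.strip().lower() in TRUE_VALUES
    return False  # assumption: no [xdmcp] section means XDMCP stays off

def xdm_xdmcp_enabled(text):
    """xdm-config style: 'DisplayManager.requestPort: 0' closes the listener."""
    port = 177  # assumption: xdm listens on UDP 177 when the resource is absent
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):  # '!' starts a resource comment
            continue
        m = re.match(r"DisplayManager[.*]requestPort\s*:\s*(\d+)", line)
        if m:
            port = int(m.group(1))  # last assignment wins
    return port != 0

CHECKS = {"gdm": ini_xdmcp_enabled, "kdm": ini_xdmcp_enabled,
          "xdm": xdm_xdmcp_enabled}

def audit(configs):
    """Return the labels of the configs that leave XDMCP enabled."""
    return [label for label, kind, text in configs if CHECKS[kind](text)]

# Constructed sample configs (not taken from any real host).
SAMPLES = [
    ("sample-gdm.conf", "gdm", "[daemon]\nUser=gdm\n\n[xdmcp]\nEnable=true\n"),
    ("sample-kdmrc", "kdm", "[General]\n\n[Xdmcp]\nEnable=false\n"),
    ("sample-xdm-config-default", "xdm", "DisplayManager.pidFile: /tmp/xdm.pid\n"),
    ("sample-xdm-config-off", "xdm", "! no XDMCP\nDisplayManager.requestPort: 0\n"),
]

if __name__ == "__main__":
    for label in audit(SAMPLES):
        print(f"{label}: XDMCP enabled; confirm remote graphical logins are required")
```

A host flagged here still needs the updated PAM packages; turning XDMCP off only removes the remote login path described above.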
Exploit / POC
This description of how to replicate the problem was posted to RedHat's Bugzilla bug-tracking system by [email protected]:
1. ssh into the server, allowing ssh to establish a secure forwarded X connection. If no one else is using display number 0, you'll end up with a DISPLAY value of "host:0.0".
2. Invoke "Xnest -query localhost" on the remote machine.
3. Log in, starting a Gnome session.
4. From the Gnome panel, select "logout". You'll be presented with the option of shutting down or rebooting the server.
Another description, this one from Andreas Hasenack <[email protected]>:
1. login remotely (X -broadcast) (have gdm, kdm, whatever running with XDMCP enabled somewhere)
2. after login, start Xnest with -broadcast again, for example
3. login again, now you will be using display :1
4. this is treated as a console user, and commands only available to console users can be run, such as reboot.
Solution / Fix
All of the releases below are fixed by the same update:
Redhat Linux 6.0 alpha
Redhat Linux 6.0 sparc
Redhat Linux 6.0
Redhat Linux 6.1 i386
Redhat Linux 6.1 sparc
Redhat Linux 6.1 alpha
Redhat Linux 6.2 sparc
Redhat Linux 6.2 alpha
Redhat Linux 6.2 i386
-
Red Hat Inc. RHSA-2000:044-02 Updated PAM Packages
New PAM package RPMs released Jul 21, 2000 in i386, Alpha, Sparc binary and source.
http://www.redhat.com/support/errata/RHSA-2000-044-02.html
References
- Bugzilla Bug - 11165 (RedHat)
- Updates, Fixes, and Errata Page (RedHat)