![[LWN Logo]](/images/lcorner.png) |
|
![[LWN.net]](/images/Included.png) |
From: Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE>
To: bugtraq@securityfocus.com
Subject: RUS-CERT Advisory 2001-09:01
Date: 10 Sep 2001 16:53:52 +0200
Vulnerabilities in PAM and NSS modules using a PostgreSQL database
During investigating the problem described in RUS-CERT Advisory
2001-08:01, it became evident that a few PAM and NSS modules which use
PostgreSQL as database backend are vulnerable to SQL code injections
attacks, too.
Systems Affected
All systems using at least one of the following PAM and NSS modules:
* libnss-pgsql 0.9.0 by Joerg Wendland
* nss_postgresql 0.6.1 by Alessandro Gardich
* pam-pgsql 0.9.2 by Joerg Wendland
* pam_pgsql 0.0.3 by Alessandro Gardich
* pam-pgsql 0.5.1 by Leon J Breedt
Attack vector
For the PAM authentication modules, the ability to attempt a
password-based login on the system is required to exploit the
vulnerability. The exact login method (HTTP Authentication, SSH,
Telnet) does not matter, as long as PAM is used. For the NSS database
modules, an interactive account is usually required to exploit this
vulnerability.
Impact
The attack can execute arbitrary SQL statements under the database
user used for querying the PostgreSQL database. Responses from the
database backend can be faked. Exploiting the vulnerability in a PAM
module, an attacker might gain unauthorized access. The possibilities
of an attacker facing a vulnerable NSS module depend heavily on the
system configuration and the offered services.
Vulnerability Type
SQL code insertion attack
Description
The problem as already been described in RUS-CERT Advisory 2001-08:01:
An attacker might use specially crafted strings which contain embedded
SQL statements to fake responses from the database backend. If the
attacker can attempt logins using a suitable PAM-based login procedure
(which permits spaces and single quotation marks in user names),
involving one of the vulnerable PAM modules, or can query one of the
NSS based handled by a vulnerable NSS module, he is able to execute
arbitrary SQL statements on the database server, under the database
user used for the query. In addition, data returned by queries can be
manipulated. This can lead to unauthorized access to the system.
Proposed Solution
We believe that the fact that the essentially the same vulnerability
is present in many PostgreSQL applications (see also RUS-CERT Advisory
2001-08:01) is related to the lack of a suitable string quoting
function in the PostgreSQL client library (and not just to code reuse
and overlap among the authors).
Therefore, we propose that a function which escapes characters treated
specially by the PostgreSQL by replacing them with safe character
sequences is included in the PostgreSQL client library. We provide a
mostly untested sample implementation:
* Escaping Strings in PostgreSQL Queries
(http://cert.uni-stuttgart.de/doc/postgresql/escape/)
Available Fixes
Joerg Wendland has published fixed versions of his modules.
* http://sourceforge.net/project/showfiles.php?group_id=24083
Contact Status
RUS-CERT contacted the authors of the vulnerable authentication
modules on 2001-08-25.
About RUS-CERT
RUS-CERT (http://cert.uni-stuttgart.de/) is the Computer Emergency
Response Team located at the Computing Center (RUS) of the
University of Stuttgart, Germany.
URI for this advisory
http://cert.uni-stuttgart.de/advisories/postgresql_pam_nss.php
--
Florian Weimer Florian.Weimer@RUS.Uni-Stuttgart.DE
University of Stuttgart http://cert.uni-stuttgart.de/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898