pam_mysql Authentication Input Validation Vulnerability
BID:1850
Info
| Bugtraq ID: | 1850 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Oct 26 2000 12:00AM |
| Updated: | Oct 26 2000 12:00AM |
| Credit: | First published in Secure Realities Advisory SRADV00004 on Oct 26, 2000. |
| Vulnerable: | pam_mysql 0.4, 0.3, 0.2, 0.1 |
| Not Vulnerable: | pam_mysql 0.4.7 |
Discussion
pam_mysql is a PAM (pluggable authentication module) module that allows system administrators to set up authentication schemes using MySQL databases as a back-end. Because user input is not checked for SQL query metacharacters, pam_mysql has two vulnerabilities that can lead to local and remote compromise.
In versions of pam_mysql prior to 0.4, it is possible for users who have local access to the filesystem to view the passwords or password hashes stored in the database. When a user authenticates, pam_mysql executes this query to retrieve the user's password (or password hash):
select password from users where user = '<user>'
The value "<user>", the user-supplied login name, is not checked for metacharacters. As a result it is possible to enter a login-name like this:
"root' into file /tmp/owned;".
This will cause MySQL to write the result of the query (the value of root's password in the database) to a file when it is executed. If it is a password hash, the attacker can then attempt to brute-force it. If it is plaintext, the attacker can authenticate normally via pam_mysql as the compromised user (e.g., root).
There exists a similar vulnerability in pam_mysql version 0.4 that can allow an attacker to completely circumvent the authentication mechanism and perform unauthorized logins.
To determine whether the user attempting to authenticate is doing so successfully the pam_mysql module executes this query:
select user from users where user = '<user>' and password = '<pass>'
The <user> and <pass> values are the user-supplied login name and password. Unfortunately, like the user value in versions prior to 0.4, they are not checked for metacharacters. So long as the attacker knows a valid username it is possible to exploit this vulnerability and authenticate without a password. If the password value is set to:
"' or user = 'bill",
MySQL will execute the query as:
select user from users where user = '<user>' and password ='' or user ='bill'
This query will return a valid result so long as the username exists in the database. The user will then be authenticated as <user>.
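As an added illustration (not the advisory's text or the pam_mysql project's code), the 0.4-style query built by string concatenation next to a parameterized version, run against a constructed in-memory table; sqlite3 stands in for MySQL so the example runs offline, and the table contents are made up.

```python
import sqlite3

# Constructed sample of the "users" table the advisory's queries run against.
# sqlite3 is an assumption standing in for MySQL; the SQL shape is the advisory's.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table users (user text, password text)")
    db.execute("insert into users values ('bill', 's3cret')")
    return db

def build_vulnerable_query(user, passwd):
    """pam_mysql 0.4 style: login name and password pasted straight into the SQL.
    Returned as a string so the effect of quote characters in the input is visible."""
    return ("select user from users where user = '" + user +
            "' and password = '" + passwd + "'")

def authenticate_vulnerable(db, user, passwd):
    """Authentication succeeds whenever the concatenated query returns any row,
    so a password containing a quote can rewrite the WHERE clause."""
    return db.execute(build_vulnerable_query(user, passwd)).fetchone() is not None

def authenticate_fixed(db, user, passwd):
    """Hardened check: values are bound as parameters, so quotes stay data and the
    query only matches a row whose user and password both equal the input."""
    query = "select user from users where user = ? and password = ?"
    return db.execute(query, (user, passwd)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query("bill", "' or user = 'bill"))
    print("vulnerable:", authenticate_vulnerable(db, "bill", "' or user = 'bill"))
    print("fixed:     ", authenticate_fixed(db, "bill", "' or user = 'bill"))
```

The same row-count check that pam_mysql relies on gives opposite answers for the two builders on the advisory's input, which is the whole difference between 0.4 and the fix.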
Exploit / POC
See discussion.
Solution / Fix
Solution:
Users of pam_mysql should upgrade to version 0.4.7.
pam_mysql pam_mysql 0.4
pam_mysql Project pam_mysql-0.4.7
http://download.sourceforge.net/pam-mysql/pam_mysql-0.4.7.tar.gz
References
References:
- pam_mysql Homepage (pam_mysql Project)