
Title: Remote and local vulnerabilities in pam_mysql
Released by: Secure Reality
Date: 26th October 2000
=================================================

Secure Reality Pty Ltd. Security Advisory #4 (SRADV00004)

http://www.securereality.com.au

=================================================



[Title]

Remote and local vulnerabilities in pam_mysql



[Released]

26/10/2000



[Vulnerable]

All versions of pam_mysql < 0.4.7



[Overview]

pam_mysql is a pluggable authentication module that allows user
authentication against MySQL databases. The module constructs SQL statements
using user input (username and password) without escaping it. This leads to
trivial attacks whose results range from the exposure of plaintext
passwords/hashes to remote unauthorized login.



[Impact]

- Versions < 0.4  = Possible local exposure of plaintext passwords/hashes
- Versions >= 0.4 = Remote unauthorized login



[Detail]

pam_mysql constructs SQL statements using snprintf with %s parameters
containing unescaped user parameters.



Versions < 0.4 used constructed statements like the following:

    select password from users where user = ''

The selected password was then checked against the one entered (once any
required encryption had been applied to the entered password). Unlike other
SQL servers, MySQL provides no method by which to break into an entirely
new SQL statement, so any attack must be based on manipulating the portion of
the string we can control. In this case input like:

    root' into file '/tmp/r00tpassword

will result in the root password (cleartext or hash) being copied to the
temporary directory. This is dependent on the MySQL user used by pam_mysql
having permissions to write server files, a relatively reliable proposition
for this sort of security software.



Versions >= 0.4 developed an alternative statement like the following:

    select user from users where user = '' and password = ''

The module then checks that one row is returned by this query. If we can
guess a username we can gain remote access to the server as any user able to
log in remotely (dependent on pam_securetty.so and pam_nologin.so) with a
password string like the following (assuming 'bill' is a known valid
username):

    ' or user = 'bill
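
The statement construction described above, as an added example that is not code from pam_mysql or from this advisory: it formats the advisory's 'bill' password string into the >= 0.4 statement unescaped, then with escaping, and refuses to emit a truncated statement. escape_literal is a hypothetical stand-in for libmysqlclient's mysql_real_escape_string so the block compiles without the client library; the function names and buffer sizes are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Statement shape the advisory quotes for versions >= 0.4. */
#define QUERY_FMT "select user from users where user = '%s' and password = '%s'"

/* Vulnerable pattern: input is formatted into the statement unescaped. */
int build_query_unsafe(char *out, size_t n, const char *user, const char *pass)
{
    int len = snprintf(out, n, QUERY_FMT, user, pass);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Hypothetical stand-in for mysql_real_escape_string(): backslash-escapes
 * quote-breaking bytes, ignores the charset. Returns -1 if dst is too small. */
int escape_literal(char *dst, size_t n, const char *src)
{
    size_t o = 0;
    for (; *src; src++) {
        char c = *src;
        if (o + 3 > n) return -1;      /* escape pair plus terminator */
        if (strchr("'\"\\\n\r\x1a", c)) {
            dst[o++] = '\\';
            c = (c == '\n') ? 'n' : (c == '\r') ? 'r' : (c == '\x1a') ? 'Z' : c;
        }
        dst[o++] = c;
    }
    if (o >= n) return -1;
    dst[o] = '\0';
    return 0;
}

/* Hardened pattern: escape both fields, fail closed instead of truncating. */
int build_query_escaped(char *out, size_t n, const char *user, const char *pass)
{
    char u[128], p[128];
    if (escape_literal(u, sizeof u, user) || escape_literal(p, sizeof p, pass))
        return -1;
    int len = snprintf(out, n, QUERY_FMT, u, p);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

int main(void)
{
    char q[512];
    const char *pass = "' or user = 'bill";   /* string quoted in the advisory */
    if (build_query_unsafe(q, sizeof q, "bill", pass) == 0) printf("unsafe:  %s\n", q);
    if (build_query_escaped(q, sizeof q, "bill", pass) == 0) printf("escaped: %s\n", q);
    return 0;
}
```

In the unescaped statement the quote in the password closes the literal, so the trailing `or user = 'bill'` is evaluated as SQL; in the escaped statement the whole string stays inside the password literal.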



[Fix]

Please upgrade to version 0.4.7 at

http://download.sourceforge.net/pam-mysql/pam_mysql-0.4.7.tar.gz



[Acknowledgements]

Our thanks to Steve Brown (Senior System Admin at DearDiary.net and
maintainer of pam_mysql) for his prompt and cooperative assistance in this
matter.



[Disclaimer]

Advice, directions and instructions on security vulnerabilities in this
advisory do not constitute: an endorsement of illegal behavior; a guarantee
that protection measures will work; an endorsement of any product or
solution or recommendations on behalf of Secure Reality Pty Ltd. Content is
provided as is and Secure Reality does not accept responsibility for any
damage or injury caused as a result of its use.
