Secure Reality Pty Ltd. Security Advisory #4 (SRADV00004)
Remote and local vulnerabilities in pam_mysql
Released
26/10/2000
Vulnerable
All versions of pam_mysql < 0.4.7
Overview
pam_mysql is a pluggable authentication module that allows user authentication
against MySQL databases. The module constructs SQL statements from user
input (username and password) without escaping it. This permits trivial
attacks, ranging from the exposure of plaintext passwords/hashes to remote
unauthorized login.
Impact
- Versions < 0.4 = Possible local exposure of plaintext passwords/hashes
- Versions >= 0.4 = Remote unauthorized login
Detail
pam_mysql constructs SQL statements using snprintf with %s parameters
containing unescaped user input.
Versions < 0.4 constructed statements like the following:
select password from users where user = '%s'
The selected password was then checked against the one supplied (once any
required encryption had been applied to the supplied password). Unlike
other SQL servers, MySQL provides no method by which to break into an
entirely new SQL statement, so any attack must be based on manipulating
the portion of the string we can control. In this case input like:
root' into file '/tmp/r00tpassword
will result in the root password (cleartext or hash) being copied to the
temporary directory. This is dependent on the MySQL user used by pam_mysql
having permission to write server files, a relatively reliable proposition
for this sort of security software.
Versions >= 0.4 moved to an alternative statement like the following:
select user from users where user = '%s' and password = '%s'
The module then checks that exactly one row is returned by this query. If we
can guess a username we can gain remote access to the server as any remotely
loggable user (dependent on pam_securetty.so and pam_nologin.so) with a
password string like the following (assuming 'bill' is a known valid
username):
' or user = 'bill
Fix
Please upgrade to version 0.4.7 at
http://download.sourceforge.net/pam-mysql/pam_mysql-0.4.7.tar.gz
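To make the defect under Detail concrete, the following is an added example (not pam_mysql's own code) that builds the version 0.4 query two ways: with raw %s substitution as the advisory describes, and with both fields escaped before substitution. The escaping routine is a self-contained stand-in for the MySQL client library's literal escaping, assumed here so the block runs without a database; the quote-counting helper is an audit check a defender can run over generated statements.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Query shape used by pam_mysql >= 0.4, as quoted in the advisory. */
#define QUERY_FMT "select user from users where user = '%s' and password = '%s'"
/* Vulnerable construction: untrusted input is substituted verbatim. */
void build_query_raw(char *out, size_t outlen, const char *user, const char *pass) {
    snprintf(out, outlen, QUERY_FMT, user, pass);
}

/* Stand-in for the MySQL client library's literal escaping (assumed here so the
 * example runs without a server): backslash-prefixes \ ' " newline, CR and
 * Ctrl-Z. out needs 2*strlen(in)+1 bytes. Returns the number of bytes written. */
size_t mysql_escape(char *out, const char *in) {
    size_t n = 0;
    for (; *in; in++) {
        char esc = *in;                     /* \ ' " escape to themselves */
        switch (*in) {
        case '\n': esc = 'n'; break;
        case '\r': esc = 'r'; break;
        case '\032': esc = 'Z'; break;
        case '\\': case '\'': case '"': break;
        default: out[n++] = *in; continue;  /* ordinary byte: copy through */
        }
        out[n++] = '\\';
        out[n++] = esc;
    }
    out[n] = '\0';
    return n;
}

/* Hardened construction: escape both fields before substitution. */
void build_query_escaped(char *out, size_t outlen, const char *user, const char *pass) {
    char *eu = malloc(2 * strlen(user) + 1), *ep = malloc(2 * strlen(pass) + 1);
    mysql_escape(eu, user); mysql_escape(ep, pass);
    snprintf(out, outlen, QUERY_FMT, eu, ep);
    free(eu); free(ep);
}

/* Audit check: count quotes that delimit literals, skipping backslash-escaped
 * bytes. For this query shape the answer must always be exactly 4. */
int literal_quote_count(const char *q) {
    int n = 0;
    for (; *q; q++)
        if (*q == '\\' && q[1]) q++;        /* skip the escaped byte */
        else if (*q == '\'') n++;
    return n;
}
```

With the advisory's password string the raw builder yields six literal-delimiting quotes (the `or user = 'bill` clause has become part of the statement), while the escaped builder yields the expected four.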
Acknowledgements
Our thanks to Steve Brown (Senior System Admin at DearDiary.net
and maintainer of pam_mysql) for his prompt and cooperative assistance
in this matter.
Disclaimer
Advice, directions and instructions on security vulnerabilities in this
advisory do not constitute: an endorsement of illegal behaviour; a guarantee
that protection measures will work; an endorsement of any product or solution
or recommendations on behalf of Secure Reality Pty Ltd. Content is provided
as is and Secure Reality does not accept responsibility for any damage
or injury caused as a result of its use.