Mark D. Roth PAM_Per_User Authentication Bypass Vulnerability

Vulnerability ID: 1197847    Vulnerability type: Design error
Published: 2005-09-16    Updated: 2005-10-20
CVE: CVE-2005-2949
CNNVD ID: CNNVD-200509-153
Platform: N/A    CVSS score: 7.5
|Vulnerability sources
https://cxsecurity.com/issue/WLB-2005090002
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200509-153
|Vulnerability details
The pam_per_user module allows a different authentication mechanism to be invoked on a per-user basis. The module has a flaw in the way it caches state across calls keyed by user name, which a remote attacker could use to bypass authentication. When it runs, pam_per_user consults an external map file that maps any given user to an alternate PAM service name to be used to authenticate that user. The module then creates a new PAM "subrequest" handle with that service name and uses that handle to authenticate the user. pam_per_user caches the PAM "subrequest" handle between calls. Normally the user name does not change between calls, so this works fine. However, some applications (such as /bin/login) present a new login prompt after a wrong password is entered, which can cause the user name to change. pam_per_user did not handle this case correctly: it did not check whether the user name had changed, so a user could authenticate using a different user's credentials. An attacker who successfully exploits this vulnerability can bypass authentication and gain administrative access to the machine.
|Vulnerability EXP
Summary/Impact:
---------------

There is a security flaw in the pam_per_user PAM module that can allow
someone to authenticate as any user on the system, provided that they
already have the proper credentials for one account.

This security hole is fixed in pam_per_user-0.4, which is available
from:

http://www.feep.net/PAM/pam_per_user/

Details:
--------

The pam_per_user module allows different authentication mechanisms to
be used on a per-user basis.  An external map file is used to map any
given user to an alternate PAM service name that should be used to
authenticate that user.  The module then creates a new PAM
"subrequest" handle using that service name, and uses that PAM handle
to authenticate the user.  This recursive use of PAM is transparent to
the calling application.

The PAM "subrequest" handle is cached by pam_per_user between calls.
In the typical case, the user name does not change between calls, so
this works fine.  However, some applications (most notably /bin/login)
give the user a new login prompt each time they get the password
wrong, which can cause the user name to change.

Unfortunately, pam_per_user was not handling this case correctly.  It
did not check to see if the user name had changed, which could result
in a user being allowed to authenticate using a different user's
credentials (see example below).

The module has been fixed to check whether the user name has changed
since the last call, and to recreate the "subrequest" handle if
needed.

Example:
--------

Assume the following two accounts exist:

  foo (password foo)
  bar

The login session might look like this:

  login: foo
  Password: bad_password
  login: bar
  Password: foo  <-- NOTE: this is the correct password for user foo!

That would result in a successful authentication, because pam_per_user
is still using a subrequest handle for user foo, even though it is
trying to authenticate user bar.  This means that anyone that knows
the password for user "foo" can login as user "bar" - or any other
user.

Notes:
------

At this time, the only application known to trigger this security hole
is /bin/login.  However, any application that resets the PAM_USER item
after the first call to pam_authenticate(3) (or any of the other PAM
calls) will trigger the same hole.

Acknowledgment:
---------------

Many thanks to Vijay Tandeker <vijayt (at) india.tejasnetworks (dot) com> for
reporting this security hole.

-- 
Mark D. Roth <roth (at) feep (dot) net>
http://www.feep.net/~roth/
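The cache flaw and the 0.4 fix described in the advisory above, as an added C model written for this page; it is not pam_per_user's own code, every name in it is hypothetical, and the account table is constructed to match the advisory's foo/bar example. The "subrequest" is reduced to a record of which user it was created for, so the only thing the model exercises is whether the module notices a change of PAM_USER between calls.

```c
/* Added model of the pam_per_user subrequest cache, not the module's own
 * code; names are hypothetical and the accounts are constructed to match
 * the advisory's foo/bar example. */
#include <stdio.h>
#include <string.h>

/* Constructed accounts: user -> password. Stands in for the alternate PAM
 * service that would really authenticate each user. */
static const struct { const char *user, *password; } accounts[] = {
    { "foo", "foo" }, { "bar", "bar-secret" }, { NULL, NULL }
};

/* A "subrequest" handle: here it only remembers the user it was made for. */
struct subrequest { char user[32]; int valid; };

static struct subrequest cache;   /* kept across calls, like the module */

/* Check a password against the service the cached handle was created for. */
static int subrequest_check(const struct subrequest *h, const char *password)
{
    for (int i = 0; accounts[i].user; i++)
        if (strcmp(accounts[i].user, h->user) == 0)
            return strcmp(accounts[i].password, password) == 0;
    return 0;
}

/* fix_user_change == 0 reproduces the flaw: the cached handle is reused even
 * after PAM_USER changed. fix_user_change == 1 models the 0.4 fix: recreate
 * the handle whenever the user name differs from the previous call. */
int per_user_authenticate(const char *pam_user, const char *password,
                          int fix_user_change)
{
    if (!cache.valid || (fix_user_change && strcmp(cache.user, pam_user) != 0)) {
        snprintf(cache.user, sizeof cache.user, "%s", pam_user);
        cache.valid = 1;
    }
    return subrequest_check(&cache, password);
}

void per_user_reset(void) { cache.valid = 0; }

/* Replays the advisory's session ("foo"/bad_password, then "bar"/foo) and
 * returns 1 if bar was accepted with foo's password. */
int replay_session(int fix_user_change)
{
    per_user_reset();
    per_user_authenticate("foo", "bad_password", fix_user_change);
    return per_user_authenticate("bar", "foo", fix_user_change);
}
```

`replay_session(0)` returns 1 (the stale foo handle accepts foo's password for user bar) and `replay_session(1)` returns 0, because the fixed path rebuilds the handle for bar before checking.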
|References

Source: BID
Name: 14813
Link: http://www.securityfocus.com/bid/14813
Source: SECUNIA
Name: 16781
Link: http://secunia.com/advisories/16781/
Source: SREASON
Name: 2
Link: http://securityreason.com/securityalert/2
Source: BUGTRAQ
Name: 20050912 Security Flaw in pam_per_user Module
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=112654636915661&w=2
