https://cxsecurity.com/issue/WLB-2005090002
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200509-153

pam_per_user模块允许基于每个用户调用不同的认证机制。pam_per_user模块在处理用户名缓存的机制上存在漏洞，远程攻击者可能利用此漏洞绕过认证。pam_per_user模块在工作时会使用外部映射文件，将任意用户映射到认证该用户的备选PAM服务名称上。然后模块会使用该服务名称创建新的PAM”subrequest”处理，并使用该PAM处理认证用户。pam_per_user在调用之间会缓存PAM”subrequest”处理。通常情况下调用之间用户名并不改变，因此这种方式可以很好地工作。但是，一些应用程序(如/bin/login)在得到错误口令时会给用户一个新的登录提示，这可能导致用户名改变。pam_per_user没能正确的处理这种情况，没有检查用户名是否改变，因此用户可以使用不同的用户凭据认证。成功利用这个漏洞的攻击者可以绕过认证，管理访问计算机。

Summary/Impact:
---------------

There is a security flaw in the pam_per_user PAM module that can allow
someone to authenticate as any user on the system, provided that they
already have the proper credentials for one account.

This security hole is fixed in pam_per_user-0.4, which is available
from:

http://www.feep.net/PAM/pam_per_user/

Details:
--------

The pam_per_user module allows different authentication mechanisms to
be used on a per-user basis.  An external map file is used to map any
given user to an alternate PAM service name that should be used to
authenticate that user.  The module then creates a new PAM
"subrequest" handle using that service name, and uses that PAM handle
to authenticate the user.  This recursive use of PAM is transparent to
the calling application.

The PAM "subrequest" handle is cached by pam_per_user between calls.
In the typical case, the user name does not change between calls, so
this works fine.  However, some applications (most notably /bin/login)
give the user a new login prompt each time they get the password
wrong, which can cause the user name to change.

Unfortunately, pam_per_user was not handling this case correctly.  It
did not check to see if the user name had changed, which could result
in a user being allowed to authenticate using a different user's
credentials (see example below).

The module has been fixed to check whether the user name has changed
since the last call, and to recreate the "subrequest" handle if
needed.

Example:
--------

Assume the following two accounts exist:

foo (password foo)
  bar

The login session might look like this:

login: foo
  Password: bad_password
  login: bar
  Password: foo  <-- NOTE: this is the correct password for user foo!

That would result in a successful authentication, because pam_per_user
is still using a subrequest handle for user foo, even though it is
trying to authenticate user bar.  This means that anyone that knows
the password for user "foo" can login as user "bar" - or any other
user.

Notes:
------

At this time, the only application known to trigger this security hole
is /bin/login.  However, any application that resets the PAM_USER item
after the first call to pam_authenticate(3) (or any of the other PAM
calls) will trigger the same hole.

Acknowledgment:
---------------

Many thanks to Vijay Tandeker <vijayt (at) india.tejasnetworks (dot) com [email concealed]> for
reporting this security hole.

-- 
Mark D. Roth <roth (at) feep (dot) net [email concealed]>
http://www.feep.net/~roth/

来源:BID
名称:14813
链接:http://www.securityfocus.com/bid/14813
来源:SECUNIA
名称:16781
链接:http://secunia.com/advisories/16781/
来源:SREASON
名称:2
链接:http://securityreason.com/securityalert/2
来源:BUGTRAQ
名称:20050912SecurityFlawinpam_per_userModule
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=112654636915661&w;=2