libpam-mysql lets you log in with any password when crypt=1 is set and the password field contains an empty string in the user record.

Bug #943507 reported by Viktor Pal
Affects: pam-mysql (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

libpam-mysql lets you log in with any password when crypt=1 is set and the password field contains an empty string in the user record.

The problematic function is the following:
static pam_mysql_err_t pam_mysql_check_passwd(pam_mysql_ctx_t *ctx,
        const char *user, const char *passwd, int null_inhibited)
It is in pam_mysql-0.7RC1/pam_mysql.c.

In this part of the code
                /* ENCRYPT */
                case 1:
                    vresult = strcmp(row[0], crypt(passwd, row[0]));
crypt returns an empty string because of the empty salt provided and this matches the empty string from the password record.
So it lets you in with any password.

Here is sample code to easily reproduce the mentioned behavior.
#include <stdio.h>
#include <string.h>
#include <crypt.h>   /* link with -lcrypt */
#include <unistd.h>

int main(void)
{
  const char *userpassword = "abcdef";   /* whatever the user typed */
  const char *sqlpassword = "";          /* empty password field from the user record */
  char *hash;
  int vresult = -1;
  /* same comparison as pam_mysql: vresult = strcmp(row[0], crypt(passwd, row[0])); */
  hash = crypt(userpassword, sqlpassword);
  if (hash == NULL) {
    /* newer C libraries reject an empty salt instead of returning "" */
    perror("crypt");
    return 1;
  }
  vresult = strcmp(sqlpassword, hash);
  printf("vresult: %d\n", vresult);   /* 0 on the affected libc: the "match" that lets anyone in */
  return 0;
}

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: libpam-mysql 0.7~RC1-4build2
ProcVersionSignature: Ubuntu 3.0.0-16.28-server 3.0.17
Uname: Linux 3.0.0-16-server x86_64
ApportVersion: 1.23-0ubuntu4
Architecture: amd64
Date: Wed Feb 29 19:57:30 2012
InstallationMedia: Ubuntu-Server 11.10 "Oneiric Ocelot" - Release amd64 (20111011)
SourcePackage: pam-mysql
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.pam.mysql.conf: [modified]
mtime.conffile..etc.pam.mysql.conf: 2011-05-17T15:57:24
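The check above trusts whatever crypt() hands back and compares it against whatever is in the password column. The following is an added example, not pam_mysql's code or the patch linked from this report: it puts the original comparison shape next to a hardened version that refuses an empty stored hash before calling crypt(), treats a NULL or "*"-prefixed result as failure, and compares in constant time. crypt() is passed in as a function pointer so the logic can be exercised with a constructed stand-in (fake_crypt, which reproduces the empty-salt behaviour described in the report) without linking libcrypt; the stand-in's "hash" format is an assumption for the demo only.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Signature of crypt(3). Taken as a parameter (hypothetical design, not
 * pam_mysql's) so the check can run against a stand-in in this example. */
typedef char *(*crypt_fn)(const char *key, const char *salt);

/* Same shape as the original check: the stored hash doubles as the salt.
 * With an empty stored hash, an old crypt() returns "" and strcmp() matches. */
int check_passwd_vulnerable(const char *stored, const char *passwd, crypt_fn c)
{
    return strcmp(stored, c(passwd, stored)) == 0;
}

/* Length-aware equality that does not stop at the first differing byte. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    size_t n = la < lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Hardened check: an empty or missing stored hash never authenticates,
 * and an unusable crypt() result is treated as failure, not as a match. */
int check_passwd_hardened(const char *stored, const char *passwd, crypt_fn c)
{
    if (stored == NULL || stored[0] == '\0' || passwd == NULL)
        return 0;
    char *h = c(passwd, stored);
    /* Old libc: "" on an empty salt (this bug). Newer libc/libxcrypt: NULL
     * or a "*0"/"*1" failure token. None of these may ever compare equal. */
    if (h == NULL || h[0] == '\0' || h[0] == '*')
        return 0;
    return ct_equal(stored, h);
}

/* Constructed stand-in for crypt(3): returns "" for an empty salt, as the
 * report observed, and otherwise a toy "hash" of 2 salt chars + the key. */
static char fake_buf[128];
char *fake_crypt(const char *key, const char *salt)
{
    if (salt[0] == '\0') {
        fake_buf[0] = '\0';
        return fake_buf;
    }
    snprintf(fake_buf, sizeof fake_buf, "%.2s%s", salt, key);
    return fake_buf;
}

/* Stand-in for a modern crypt() that rejects the salt outright. */
char *fake_crypt_null(const char *key, const char *salt)
{
    (void)key; (void)salt;
    return NULL;
}

int main(void)
{
    /* Empty password column, arbitrary password typed by the user. */
    printf("vulnerable, empty hash: %s\n",
           check_passwd_vulnerable("", "abcdef", fake_crypt) ? "ACCEPT" : "reject");
    printf("hardened,   empty hash: %s\n",
           check_passwd_hardened("", "abcdef", fake_crypt) ? "ACCEPT" : "reject");
    /* A real-looking record still works with the hardened check. */
    printf("hardened,   good hash : %s\n",
           check_passwd_hardened("ABabcdef", "abcdef", fake_crypt) ? "ACCEPT" : "reject");
    return 0;
}
```

The first guard is the one that matters for this report: rejecting an empty stored hash before crypt() is ever called removes the dependence on how a particular C library reacts to an empty salt.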

Viktor Pal (deere) wrote :

Viktor Pal (deere) changed in pam-mysql (Ubuntu):
status: New → Confirmed
Alessandro Menti (elgaton) wrote :

Marking this bug as a security vulnerability - looked manually at the source package for Quetzal (the affected line is still there) and tested crypt's erratic behaviour with "perl -e 'print crypt("testpassword", "")'" (returns an empty string as described).

Also marking the bug private for the moment.

security vulnerability: no → yes
visibility: public → private
visibility: private → public
Alessandro Menti (elgaton) wrote :

Marked public as the issue was already reported upstream (although it was closed due to some mistakes by the reporter: <https://sourceforge.net/tracker/?func=detail&aid=925424&group_id=5741&atid=305741>).

I've researched the issue and made a quick patch for pam_mysql.c; I'm linking the branch I made to this report.
