libpam-mysql lets you log in with any password when crypt=1 is set and the password field contains an empty string in the user record.
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| pam-mysql (Ubuntu) | Confirmed | Undecided | Unassigned | |
Bug Description
libpam-mysql lets you log in with any password when crypt=1 is set and the password field contains an empty string in the user record.
The problematic function is the following:

```
static pam_mysql_err_t pam_mysql_
const char *user, const char *passwd, int null_inhibited)
```

It is in pam_mysql-

In this part of the code:

```
/* ENCRYPT */
```
crypt returns an empty string because of the empty salt provided and this matches the empty string from the password record.
So it lets you in with any password.
Here is sample code to easily reproduce the mentioned behavior.

```c
#include <stdio.h>
#include <crypt.h>
#include <unistd.h>
#include <string.h>

int main(void)
{
    char *userpassword = "abcdef"; /* whatever the user typed */
    char *sqlpassword = "";        /* empty password column from the user record */
    int vresult = -1;
    const char *crypted;

    /* The check as done in pam-mysql: the stored value doubles as the salt.
     * //vresult = strcmp(row[0], crypt(passwd, row[0]));
     * With an empty salt, crypt() returns "" (old glibc), which equals the
     * empty stored value, so vresult is 0 for any password. */
    crypted = crypt(userpassword, sqlpassword);
    if (crypted == NULL) {
        /* newer libcrypt reports the bad salt as a failure instead */
        printf("crypt failed\n");
        return 1;
    }
    vresult = strcmp(sqlpassword, crypted);
    printf("vresult: %d\n", vresult);
    return 0;
}
```

Build with `-lcrypt`.
ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: libpam-mysql 0.7~RC1-4build2
ProcVersionSign
Uname: Linux 3.0.0-16-server x86_64
ApportVersion: 1.23-0ubuntu4
Architecture: amd64
Date: Wed Feb 29 19:57:30 2012
InstallationMedia: Ubuntu-Server 11.10 "Oneiric Ocelot" - Release amd64 (20111011)
SourcePackage: pam-mysql
UpgradeStatus: No upgrade log present (probably fresh install)
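To show the defect and its fix side by side, here is an added example (not code from pam-mysql or the reporter): the vulnerable comparison from the report next to a hardened check that treats an empty stored hash, and a NULL or empty crypt() result, as a denial. The hash function is passed as a callback, and `fake_crypt`, `check_passwd_vulnerable`, `check_passwd_hardened` and `ct_equal` are constructed names; `fake_crypt` reproduces the old glibc behaviour (empty salt gives an empty string) so the example builds without `-lcrypt`.

```c
#include <stdio.h>
#include <string.h>

/* Same shape as crypt(3): (passwd, salt) -> hash string, or NULL on failure. */
typedef const char *(*hash_fn)(const char *passwd, const char *salt);

/* Constructed stand-in for the old glibc behaviour the report describes:
 * an empty salt yields "". For any other salt it returns a fixed dummy token. */
static const char *fake_crypt(const char *passwd, const char *salt)
{
    (void)passwd;
    return salt[0] == '\0' ? "" : "$1$dummysalt$constructed-not-a-real-hash";
}

/* Vulnerable pattern from the report: strcmp(row[0], crypt(passwd, row[0])).
 * With row[0] == "" both sides are "" and any password is accepted. */
int check_passwd_vulnerable(const char *stored, const char *passwd, hash_fn h)
{
    return strcmp(stored, h(passwd, stored)) == 0; /* 1 = accepted */
}

/* Compare without exiting early on the first differing byte. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), n = la > lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)((i < la ? a[i] : 0) ^ (i < lb ? b[i] : 0));
    return diff == 0;
}

/* Hardened check: an empty or missing stored hash means the account has no
 * usable credential, and a NULL or empty hash result is a failure, not a match. */
int check_passwd_hardened(const char *stored, const char *passwd, hash_fn h)
{
    if (stored == NULL || stored[0] == '\0')
        return 0;
    const char *c = h(passwd, stored);
    if (c == NULL || c[0] == '\0')
        return 0;
    return ct_equal(stored, c);
}

int main(void)
{
    printf("vulnerable, empty row: %d\n", check_passwd_vulnerable("", "abcdef", fake_crypt));
    printf("hardened,   empty row: %d\n", check_passwd_hardened("", "abcdef", fake_crypt));
    return 0;
}
```

Swapping `fake_crypt` for the real `crypt()` shows the same split: old glibc returns "" for the empty salt, newer libcrypt returns NULL, and the hardened check denies both.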
Related branches

Changed in pam-mysql (Ubuntu):
status: New → Confirmed
visibility: private → public
Marking this bug as a security vulnerability - looked manually at the source package for Quetzal (the affected line is still there) and tested crypt's erratic behaviour with `perl -e 'print crypt("testpassword", "")'` (returns an empty string as described).

Also marking the bug private for the moment.