AOH :: HP Unsorted P :: B1A-1416.HTM

pam_captcha username harvest vulnerability



pam_captcha username harvest vulnerability
pam_captcha username harvest vulnerability



pam_captcha is visual text-based CAPTCHA challenge module for PAM that 
uses figlet to generate the CAPTCHAs.

Project site:
http://www.semicomplete.com/projects/pam_captcha/ 

A site with a screen shot:
http://www.michaelboman.org/how-to/securing-ssh-access-with-pam-captcha 

I found a security problem with the pam_captcha. If you enter a username 
that is not a valid user followed by the correct CAPTCHA, you do not get 
prompted for a password. You simply get prompted for another CAPTCHA. 
However, if you enter a username that is a valid user followed by the 
correct CAPTCHA, you will get prompted for a password. This means an 
attacker, or a script/bot could easily harvest a list of valid usernames 
simply by whether or not it prompts for a password after a valid captcha 
entry. I have duplicated this behavior in FreeBSD 8.0 which uses BSD's 
OpenPAM. From what I have seen this module is not compatible with Linux-PAM.

I don't know enough C Fu to propose a patch. Until it is patched the 
solution is to disable pam_captcha in your pam config file. The creator 
of this module seems to think that using this module isn't really even 
necessary.

http://www.semicomplete.com/blog/geekery/pam_captcha_research.html 


- ian

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.