
Pam_mysql up to 0.4.7 escape character attacks may yield plaintext passwords



    All versions of pam_mysql < 0.4.7


    The following is based on Secure Reality Security Advisory SRADV00004.
    pam_mysql is a pluggable authentication module that allows user
    authentication against MySQL databases.  The module constructs SQL
    statements from user input (username and password) without escaping
    it.  This leads to trivial attacks ranging from exposure of plaintext
    passwords/hashes to remote unauthorized login.

    Here's the impact:

         - Versions < 0.4  = Possible local exposure of plaintext passwords/hashes
         - Versions >= 0.4 = Remote unauthorized login

    pam_mysql constructs SQL statements using snprintf with %s parameters
    that receive unescaped user input.

    Versions < 0.4 used constructed statements like the following:

        select password from users where user = '<user>'

    The selected password was then checked against the one supplied by the
    user (after any required encryption had been applied to the supplied
    password).  Unlike other SQL servers, MySQL provides no way to break
    out into an entirely new SQL statement, so any attack must be based
    on manipulating the portion of the statement we control.  In this
    case input like:

        root' into file '/tmp/r00tpassword

    will result in the root password (cleartext or hash) being copied to
    the temporary directory.  This depends on the MySQL user used by
    pam_mysql having permission to write server files, a relatively
    reliable proposition for this sort of security

    Versions >= 0.4 developed an alternative statement like the following:

        select user from users where user = '<user>' and password = '<pass>'

    The module then checks that exactly one row is returned by this query.
    If we can guess a username we can gain remote access to the server as
    any remotely loggable user (dependent on and with a password string
    like the following (assuming 'bill' is a known valid username):

        ' or user = 'bill
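    The following is an added illustration, not pam_mysql's own code, of
    why the snprintf("%s") construction described above is exploitable and
    what the escaping fix looks like.  build_query_unescaped mirrors the
    vulnerable >= 0.4 statement; build_query_escaped runs each parameter
    through a hypothetical sql_escape helper (modelled on what
    mysql_real_escape_string does for single-quoted literals) before the
    snprintf; count_unescaped_quotes is a simple structural check a
    reviewer or log-based detector can use: the intended statement always
    contains exactly four unescaped single quotes, and any other count
    means the input changed the statement's shape.  The sample username
    and password are constructed from the advisory's own example.

```c
#include <stdio.h>
#include <string.h>

#define QUERY_MAX 512
#define PARAM_MAX 128

/* The vulnerable construction: user-controlled strings are dropped straight
   into the quoted literals.  Returns 0 on success, -1 if the buffer is too small. */
int build_query_unescaped(char *out, size_t outlen, const char *user, const char *pass) {
    int n = snprintf(out, outlen,
                     "select user from users where user = '%s' and password = '%s'",
                     user, pass);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hypothetical escaper for a single-quoted MySQL literal: backslash-escapes the
   characters that can terminate or alter the literal.  Returns the escaped
   length, or -1 if dst is too small (worst case needs 2*strlen(src)+1 bytes). */
int sql_escape(char *dst, size_t dstlen, const char *src) {
    size_t j = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        char c = src[i], rep = 0;
        switch (c) {
            case '\'': rep = '\''; break;
            case '"':  rep = '"';  break;
            case '\\': rep = '\\'; break;
            case '\n': rep = 'n';  break;
            case '\r': rep = 'r';  break;
            case 0x1a: rep = 'Z';  break;   /* Ctrl-Z, special on Windows servers */
        }
        if (rep) {
            if (j + 2 >= dstlen) return -1;
            dst[j++] = '\\';
            dst[j++] = rep;
        } else {
            if (j + 1 >= dstlen) return -1;
            dst[j++] = c;
        }
    }
    dst[j] = '\0';
    return (int)j;
}

/* The hardened construction: bound the parameter length, escape both
   parameters, then build the statement.  Same return convention. */
int build_query_escaped(char *out, size_t outlen, const char *user, const char *pass) {
    char euser[2 * PARAM_MAX + 1], epass[2 * PARAM_MAX + 1];
    if (strlen(user) > PARAM_MAX || strlen(pass) > PARAM_MAX) return -1;
    if (sql_escape(euser, sizeof euser, user) < 0) return -1;
    if (sql_escape(epass, sizeof epass, pass) < 0) return -1;
    int n = snprintf(out, outlen,
                     "select user from users where user = '%s' and password = '%s'",
                     euser, epass);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Structural check: count single quotes that are not preceded by a backslash.
   The intended statement has exactly four; any other value means the
   parameters changed the statement's shape. */
int count_unescaped_quotes(const char *q) {
    int n = 0;
    for (size_t i = 0; q[i] != '\0'; i++) {
        if (q[i] == '\\' && q[i + 1] != '\0') { i++; continue; }  /* skip escaped char */
        if (q[i] == '\'') n++;
    }
    return n;
}

int main(void) {
    char q[QUERY_MAX];
    /* Constructed input: the advisory's example, with 'bill' as a known username. */
    const char *user = "bill";
    const char *pass = "' or user = 'bill";

    if (build_query_unescaped(q, sizeof q, user, pass) == 0)
        printf("unescaped: %s\n  quotes=%d\n", q, count_unescaped_quotes(q));
    if (build_query_escaped(q, sizeof q, user, pass) == 0)
        printf("escaped:   %s\n  quotes=%d\n", q, count_unescaped_quotes(q));
    return 0;
}
```

    With the unescaped builder the password turns the statement into
    "... password = '' or user = 'bill'", which matches bill's row
    regardless of the password; with escaping the whole string stays
    inside the password literal and the quote count stays at four.
    Escaping by hand is the period-appropriate fix; on a server that
    supports them, prepared statements (mysql_stmt_prepare with bound
    parameters) remove the string construction entirely and are the
    better choice.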


    Please upgrade to version 0.4.7 at
