COMMAND
pam_mysql
SYSTEMS AFFECTED
All versions of pam_mysql < 0.4.7
PROBLEM
The following is based on Secure Reality Security Advisory
SRADV00004. pam_mysql is a pluggable authentication module that
allows user authentication against MySQL databases. The module
constructs SQL statements from user input (username and password)
without escaping it. This leads to trivial attacks whose impact
ranges from exposure of plaintext passwords/hashes to remote
unauthorized login.
Here's the impact:
- Versions < 0.4 = Possible local exposure of plaintext passwords/hashes
- Versions >= 0.4 = Remote unauthorized login
pam_mysql constructs SQL statements with snprintf, substituting the
unescaped user-supplied parameters into %s conversions.
Versions < 0.4 used constructed statements like the following:
select password from users where user = '<user>'
The selected password was then checked against the one entered
(once any required encryption had been applied to the entered
password). Unlike other SQL servers, MySQL offers no way to break
out into an entirely new SQL statement, so any attack must be based
on manipulating the portion of the statement we can control. In
this case input like:
root' into file '/tmp/r00tpassword
will result in the root password (cleartext or hash) being copied
to the temporary directory. This is dependent on the MySQL user
used by pam_mysql having permissions to write server files, a
relatively reliable proposition for this sort of security
software.
Versions >= 0.4 use an alternative statement like the
following:
select user from users where user = '<user>' and password = '<pass>'
The module then checks that exactly one row is returned by this
query. If we can guess a username, we can gain remote access to the
server as any remotely loggable user (dependent on pam_securetty.so
and pam_nologin.so) with a password string like the following
(assuming 'bill' is a known valid username):
' or user = 'bill
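An added example, not pam_mysql's own code, showing the unescaped snprintf construction described above beside a version that escapes the values first, plus a check a reviewer can run on the built statement. sql_escape() is an assumed minimal stand-in for the MySQL C API's mysql_real_escape_string(), and the username and password values fed to it are constructed for the demonstration.

```c
/* Added example, not pam_mysql's own code: the raw snprintf("%s") build the
 * advisory describes beside a hardened one that escapes the values first.
 * sql_escape() stands in for the MySQL C API's mysql_real_escape_string(). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define QUERY_FMT "select user from users where user = '%s' and password = '%s'"
/* Vulnerable form (versions >= 0.4): a quote in either value ends the literal. */
const char *build_query_unsafe(const char *user, const char *pass)
{
    static char q[512];
    int n = snprintf(q, sizeof q, QUERY_FMT, user, pass);
    return (n < 0 || (size_t)n >= sizeof q) ? NULL : q;
}

/* Backslash-escape ' and \ so a value cannot close the string literal. */
static char *sql_escape(const char *in)
{
    char *out = malloc(2 * strlen(in) + 1), *p = out;
    if (!out) return NULL;
    for (; *in; in++) {
        if (*in == '\'' || *in == '\\') *p++ = '\\';
        *p++ = *in;
    }
    *p = '\0';
    return out;
}

/* Hardened form: escape first, then interpolate; fail closed on any error. */
const char *build_query_safe(const char *user, const char *pass)
{
    static char q[512];
    char *eu = sql_escape(user), *ep = sql_escape(pass);
    int n = (eu && ep) ? snprintf(q, sizeof q, QUERY_FMT, eu, ep) : -1;
    free(eu); free(ep);
    return (n < 0 || (size_t)n >= sizeof q) ? NULL : q;
}

/* Review helper: count single quotes not preceded by a backslash. This
 * statement shape has exactly four; any other count means input broke out. */
int count_unescaped_quotes(const char *q)
{
    int count = 0;
    for (; *q; q++) {
        if (*q == '\\' && q[1]) { q++; continue; }
        if (*q == '\'') count++;
    }
    return count;
}
```

With the advisory's password string, the unsafe build yields six quotes (the literal was closed early) while the escaped build keeps exactly four.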
SOLUTION
Please upgrade to version 0.4.7 at
http://download.sourceforge.net/pam-mysql/pam_mysql-0.4.7.tar.gz