pam_mysql is a PAM (pluggable authentication module) module that allows system administrators to set up authentication schemes using MySQL databases as a back-end. Because user input is not checked for SQL query metacharacters, pam_mysql has two vulnerabilities that can lead to local and remote compromise.

In versions of pam_mysql prior to 0.4, it is possible for users who have local access to the filesystem to view the passwords or password hashes stored in the database. When a user authenticates, pam_mysql executes this query to retrieve the user's password (or password hash):

    select password from users where user = '<user>'

The value "<user>", the user-supplied login name, is not checked for metacharacters. As a result it is possible to enter a login name like this: "root' into file /tmp/owned;". This will cause MySQL to write the result of the query (the value of root's password in the database) to a file when it is executed. If it is a password hash, the attacker can then attempt to brute-force it. If it is plaintext, the attacker can authenticate normally via pam_mysql as the compromised user (e.g., root).

There exists a similar vulnerability in pam_mysql version 0.4 that can allow an attacker to completely circumvent the authentication mechanism and perform unauthorized logins. To determine whether the user attempting to authenticate is doing so successfully, the pam_mysql module executes this query:

    select user from users where user = '<user>' and password = '<pass>'

The <user> and <pass> values are the user-supplied login name and password. Unfortunately, like the user value in versions prior to 0.4, they are not checked for metacharacters. As long as the attacker knows a valid username, it is possible to exploit this vulnerability and authenticate without a password.

If the password value is set to "' or user = 'bill", MySQL will execute the query as:

    select user from users where user = '<user>' and password = '' or user = 'bill'

This query will return a valid result as long as the username exists in the database. The user will then be authenticated as <user>.
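The 0.4 authentication query above, as an added illustration that is not pam_mysql's own code: the query assembled by string concatenation beside the parameterized form, with an in-memory sqlite3 table standing in for MySQL (the accounts are constructed). The parameterized version returns no row for the quoted password value because the driver binds it as data rather than SQL.

```python
import sqlite3

# Constructed sample accounts standing in for pam_mysql's "users" table.
# sqlite3 is a stand-in for MySQL; the WHERE-clause semantics that matter
# here (quote termination and "and"/"or" precedence) are the same.
SAMPLE_USERS = [("root", "hunter2"), ("bill", "s3cret")]


def make_db():
    """Build the sample users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (user text, password text)")
    conn.executemany("insert into users values (?, ?)", SAMPLE_USERS)
    return conn


def auth_vulnerable(conn, user, password):
    """Mirrors the 0.4 query: both values are pasted into the SQL text
    unchecked, so a quote in the password changes the query's structure."""
    sql = ("select user from users where user = '%s' and password = '%s'"
           % (user, password))
    return conn.execute(sql).fetchone() is not None


def auth_parameterized(conn, user, password):
    """Hardened form: placeholders are bound by the driver, so quotes and
    keywords inside the supplied values never become SQL syntax."""
    sql = "select user from users where user = ? and password = ?"
    return conn.execute(sql, (user, password)).fetchone() is not None


def has_sql_metacharacters(value):
    """Defensive check a module could log or reject on before any query
    is built; binding parameters remains the actual fix."""
    return any(c in value for c in "'\";\\")
```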