Package: libpam-opie
Version: 0.21-8
Severity: normal
Tags: security

There is a memory leak in pam_opie where the authentication token (the OTP string) returned by the application is not freed. This means leaking the size of the one-time password reply given at every authentication attempt. Freeing that string is the responsibility of the module, although the PAM Module Writers' Guide could be more clear about it. I suggest using the _pam_drop_reply() macro to clean the reply.

Also in addition to not clearing and freeing the token, a copy of the OTP string is free()d without clearing. While due to the nature of opie this is not critical, it's definitely not good practice (and given enough resources, I think approximately O(2^64) effort, a single challenge/response pair is enough to break the system). This information leak could be, and should be, easily avoided.

I don't have a suitable test system available right now so I won't try to write a patch without testing it, but I can point out what I think needs to be done. From pam_opie.c, function pam_sm_authenticate():

------------------------------------------------------------
    retval = converse(pamh, 1, pmsg, &resp);
    if (retval != PAM_SUCCESS)
        return retval;

    tok = xstrdup(resp[0].resp);
    if (resp != NULL)
        free(resp);

    pam_set_item(pamh, PAM_AUTHTOK, tok);

    /* test the response and return accordingly */
    retval = opieverify(&opie, tok);
    if (tok != NULL)
        free(tok);
------------------------------------------------------------

Here replace the

    if (resp != NULL)
        free(resp);

with

    _pam_drop_reply(resp, 1);

This macro resides in <security/_pam_macros.h>, so #include that. It takes care of not only freeing resp, but also clearing and freeing the returned string.

Also before the

    if (tok != NULL)
        free(tok);

its memory should be overwritten with something like

    int i, l;
    l = strlen(tok);
    for (i=0; i<l; i++)
        tok[i]=0;

to prevent the OTP response leak.

Sami

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.20.4-grsec-sli
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages libpam-opie depends on:
ii  libc6        2.5-3      GNU C Library: Shared libraries
ii  libpam0g     0.79-4     Pluggable Authentication Modules l

Versions of packages libpam-opie recommends:
ii  opie-server  2.32-10.2  OPIE programs for maintaining an O

-- no debconf information
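The reply-handling pattern the report asks for, written out as an added example that is not part of libpam-opie or of the report above. The `struct pam_response` layout matches the two fields PAM uses, but the conversation function here is a stand-in (`fake_converse`) that builds a reply from constructed sample text, and `drop_reply` is a hand-written equivalent of the `_pam_drop_reply(resp, 1)` macro rather than the macro itself. One caveat the report does not spell out: a plain zeroing loop immediately before `free()` is a dead store that an optimizer is allowed to drop, so the wipe below goes through a `volatile` pointer.

```c
/* Added example (not libpam-opie code): a minimal model of the
 * pam_response handling described in the report, with every copy of
 * the OTP token wiped before it is freed. The PAM conversation and the
 * OTP text are stand-ins constructed for this example. */
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors the two fields PAM's struct pam_response carries. */
struct pam_response {
    char *resp;
    int resp_retcode;
};

/* Overwrite a buffer through a volatile pointer so the stores are not
 * eliminated as dead code ahead of free(). Returns the bytes wiped. */
size_t secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    size_t i;
    for (i = 0; i < len; i++)
        p[i] = 0;
    return len;
}

/* Wipe a NUL-terminated secret, then free it. Returns the number of
 * bytes wiped (0 for NULL) so callers can check the work was done. */
size_t wipe_and_free(char *s)
{
    size_t n;
    if (s == NULL)
        return 0;
    n = strlen(s);
    secure_wipe(s, n);
    free(s);
    return n;
}

/* Hand-written equivalent of _pam_drop_reply(resp, 1): wipe and free
 * each reply string, then free the array itself. A bare free(resp)
 * leaks resp[i].resp and leaves the OTP text readable in freed memory. */
void drop_reply(struct pam_response *resp, int replies)
{
    int i;
    if (resp == NULL)
        return;
    for (i = 0; i < replies; i++)
        wipe_and_free(resp[i].resp);
    free(resp);
}

/* Stand-in for the application's conversation function: the reply is
 * heap-allocated and, per the PAM contract, owned by the module after
 * return. The OTP text is constructed sample data, not a real response. */
struct pam_response *fake_converse(const char *otp_reply)
{
    struct pam_response *resp = calloc(1, sizeof *resp);
    if (resp == NULL)
        return NULL;
    resp->resp = strdup(otp_reply);
    resp->resp_retcode = 0;
    return resp;
}

/* The corrected flow from pam_sm_authenticate(): copy the token out of
 * the reply, drop the whole reply, use the copy, then wipe and free it.
 * Returns the token length handled, or -1 on allocation failure. */
int authenticate_flow(const char *otp_reply)
{
    struct pam_response *resp = fake_converse(otp_reply);
    char *tok;
    if (resp == NULL)
        return -1;
    tok = resp->resp ? strdup(resp->resp) : NULL;
    drop_reply(resp, 1);             /* instead of a bare free(resp) */
    /* ... opieverify(&opie, tok) would be called here ... */
    return (int)wipe_and_free(tok);  /* instead of a bare free(tok) */
}

/* Self-check: wipe a local buffer and report whether every byte is 0. */
int wipe_leaves_zeros(void)
{
    char buf[32];
    size_t i;
    strcpy(buf, "sample otp reply");
    secure_wipe(buf, sizeof buf);
    for (i = 0; i < sizeof buf; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}
```

`wipe_and_free` returns the byte count so the caller (or a test) can confirm the wipe happened on a non-empty string; the freed memory itself must not be read back, which is why the zero-check is done on a stack buffer in `wipe_leaves_zeros` instead.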