Bug#385774: libpam-krb5 fails / DOS

Sat, 02 Sep 2006 16:53:33 -0700 

Package:                libpam-krb5
Version:                2.2-1
Severity:               serious

Hello *,
The pam_krb5.so module provides a callback function that queries users for their passwords or displays informational messages. This callback is registered to various Kerberos functions. All of these Kerberos functions usually call the callback with ONE message string only. 

This works perfectly fine.
However, if a user is to change her password, Kerberos will call the callback with THREE messages: 
i)   Password expired.  You must change it now.
ii)  Enter new password:
iii) Enter it again:

The array of pointers to these messages is handled incorrectly.
It is processed as:
        one single pointer pointing to an array of pam_messages.

However, PAM expects it to be:
        an array of pointers, each pointing to one single pam_message

This makes no difference for one single message, of course.
Hence, the module works perfectly in most circumstances.
However, in the above case, when three messages are to be displayed, it fails. Either authentication is denied or the module segfaults, which is no better ;-)
Users who have to change their passwords are effectively locked out, yielding a Denial Of Service. 

Attached patches correct the pointer arithmetics and solve the problem.
I suggest that these patches are merged into the Debian and the Ubuntu packages.
(For the debian report: the package has been built from the debian sources on a Ubuntu system) 


Reproduction:


[EMAIL PROTECTED]:~# kadmin.local -q "modprinc +needchange klbuch"
Authenticating as principal root/[EMAIL PROTECTED] with password.
Principal "[EMAIL PROTECTED]" modified.
[EMAIL PROTECTED]:~# login klbuch
Password:
Password expired.  You must change it now.
erroneous conversation (491120)
Login incorrect

master login:


With patch applied:


[EMAIL PROTECTED]:~# kadmin.local -q "modprinc +needchange klbuch"
Authenticating as principal root/[EMAIL PROTECTED] with password.
Principal "[EMAIL PROTECTED]" modified.
[EMAIL PROTECTED]:~# login klbuch
Password:
Password expired.  You must change it now.
Enter new password:
Enter it again:
Last login: Sun Sep  3 02:19:51 2006 on pts/4
Linux master 2.6.15-23-server #1 SMP Tue May 23 15:10:35 UTC 2006 i686 GNU/Linux 
[...]


Regards,
Joachim

Attachment: libpam-krb5-2.2.REQUIRED_PWCHANGE.patch
Description: Binary data

Attachment: libpam-krb5_1.2.0.REQUIRED_PWCHANGE.patch
Description: Binary data

Reply via email to