Public bug reported:

libpam-mysql lets you log in with any password when crypt=1 is set and
the password field contains an empty string in the user record.

The problematic function is the following:

static pam_mysql_err_t pam_mysql_check_passwd(pam_mysql_ctx_t *ctx,
        const char *user, const char *passwd, int null_inhibited)

It is in pam_mysql-0.7RC1/pam_mysql.c.

In this part of the code

                /* ENCRYPT */
                case 1:
                    vresult = strcmp(row[0], crypt(passwd, row[0]));

crypt returns an empty string because of the empty salt provided and this
matches the empty string from the password record.
So it lets you in with any password.


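Here is sample code to easily reproduce the mentioned behavior.

#include <stdio.h>
#include <crypt.h>
#include <unistd.h>
#include <string.h>

int main(void)
{
  const char *userpassword = "abcdef";  /* password typed at login */
  const char *sqlpassword = "";         /* empty password field from the user record */
  const char *hash;
  int vresult = -1;

  /* Mirrors pam_mysql.c: vresult = strcmp(row[0], crypt(passwd, row[0])); */
  hash = crypt(userpassword, sqlpassword);
  if (hash == NULL) {
    /* crypt() can return NULL for an invalid salt; strcmp on NULL would crash */
    printf("crypt returned NULL\n");
    return 1;
  }
  vresult = strcmp(sqlpassword, hash);
  printf("vresult: %d\n", vresult);  /* 0 means the password was accepted */
  return 0;
}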

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: libpam-mysql 0.7~RC1-4build2
ProcVersionSignature: Ubuntu 3.0.0-16.28-server 3.0.17
Uname: Linux 3.0.0-16-server x86_64
ApportVersion: 1.23-0ubuntu4
Architecture: amd64
Date: Wed Feb 29 19:57:30 2012
InstallationMedia: Ubuntu-Server 11.10 "Oneiric Ocelot" - Release amd64 
(20111011)
SourcePackage: pam-mysql
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.pam.mysql.conf: [modified]
mtime.conffile..etc.pam.mysql.conf: 2011-05-17T15:57:24

** Affects: pam-mysql (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug oneiric

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/943507
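
Added example, not part of the original report and not pam_mysql's own code or fix: the quoted comparison next to a hardened variant that rejects an empty stored hash and a failed hash computation. The names check_vulnerable, check_hardened, stub_crypt and null_crypt are hypothetical; the two stubs are constructed stand-ins for crypt(3) so the check runs offline.

```c
#include <stdio.h>
#include <string.h>

/* Same signature as crypt(3), injected so the check can be run offline. */
typedef char *(*hash_fn)(const char *key, const char *salt);

/* Constructed stand-in, NOT a real hash: returns "" for an empty salt (the
 * behaviour described in the report), otherwise salt prefix + key. */
static char *stub_crypt(const char *key, const char *salt)
{
    static char out[128];
    if (salt[0] == '\0') { out[0] = '\0'; return out; }
    snprintf(out, sizeof out, "%.2s%s", salt, key);
    return out;
}

/* Constructed stand-in for a libc that reports an invalid salt with NULL. */
static char *null_crypt(const char *key, const char *salt)
{ (void)key; (void)salt; return NULL; }

/* The comparison quoted in the report; 0 means "password accepted". */
static int check_vulnerable(hash_fn h, const char *stored, const char *passwd)
{
    return strcmp(stored, h(passwd, stored));
}

/* Hardened variant (assumption, not the project's fix); 0 only on a match. */
static int check_hardened(hash_fn h, const char *stored, const char *passwd)
{
    if (stored == NULL || stored[0] == '\0')
        return -1;                  /* empty hash never authenticates */
    const char *calc = h(passwd, stored);
    if (calc == NULL || calc[0] == '\0' || calc[0] == '*')
        return -1;                  /* hashing failed or gave a failure token */
    size_t n = strlen(stored);
    if (strlen(calc) != n) return -1;
    unsigned char diff = 0;         /* compare without early exit */
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(stored[i] ^ calc[i]);
    return diff == 0 ? 0 : -1;
}

int main(void)
{
    printf("vulnerable, empty hash: %d\n", check_vulnerable(stub_crypt, "", "abcdef"));
    printf("hardened, empty hash:   %d\n", check_hardened(stub_crypt, "", "abcdef"));
    printf("hardened, NULL result:  %d\n", check_hardened(null_crypt, "absecret", "secret"));
    return 0;
}
```

To use it against the real library, pass crypt itself as the hash_fn argument and link with -lcrypt.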
