OpenSSH can mess up Linux-PAM's pam_access
From: Petr Pisar (xpisar_at_fi.muni.cz)
Date: 05/26/05
Date: Thu, 26 May 2005 20:40:11 GMT
Hello,
I have found out that if an attacker can fake forward and reverse DNS
lookups, then pam_access can think the attacker is connected from
somewhere else (e.g. from a privileged host).
Let's have these steps:
1. /etc/security/access.conf at victim's server:
    -:root:ALL EXCEPT 127.0.0.1
and /etc/pam.d/sshd contains:
    account required pam_access.so
2. attacker connects from 1.2.3.4 to the server
3. sshd does gethostbyaddr("1.2.3.4")
4. attacker responds "localhost."
5. sshd does gethostbyname("localhost.")
6. attacker responds "1.2.3.4"
7. sshd finds out DNS check passed and sets PAM_RHOST to "localhost"
8. sshd invokes PAM authentication process via pam_authenticate()
9. libpam indirectly invokes match_from() in pam_access.so
10. match_from() does gethostbyname("localhost")
11. match_from() properly receives "127.0.0.1"
12. match_from() finds a match in /etc/security/access.conf
13. and finally pam_access returns PAM_SUCCESS
Proposed fix: sshd should always pass the rhost IP address to PAM.
pam_access is vulnerable only if the config file contains domain names. On
the other hand, configuration based on IP addresses is resistant.
--Petr Pisar
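
The following is an added example, not part of the original message and not OpenSSH or Linux-PAM code: a small Python model of steps 2-13 that compares passing the confirmed hostname to PAM with passing the peer IP, as the proposed fix suggests. The resolver tables, function names and the simplified matching rule are assumptions made for illustration.

```python
# Constructed resolver data (assumption): answers served by DNS the attacker
# controls, and answers from the server's own resolver for "localhost".
ATTACKER_PTR = {"1.2.3.4": "localhost."}      # steps 3-4
ATTACKER_A = {"localhost.": ["1.2.3.4"]}      # steps 5-6
LOCAL_A = {"localhost": ["127.0.0.1"]}        # steps 10-11

EXCEPT_TOKEN = "127.0.0.1"  # from the rule "-:root:ALL EXCEPT 127.0.0.1"


def sshd_remote_name(peer_ip, ptr, fwd):
    """Model of steps 3-7: reverse lookup, then forward confirmation."""
    name = ptr.get(peer_ip)
    if name and peer_ip in fwd.get(name, []):
        return name.rstrip(".")   # check passed, hostname is trusted
    return peer_ip                # check failed, fall back to the address


def match_from(token, rhost, local_fwd):
    """Model of steps 10-12: rhost is re-resolved by the local resolver."""
    if rhost == token:
        return True
    return token in local_fwd.get(rhost, [])


def access_allowed(user, rhost, local_fwd):
    """Deny root unless the origin matches the EXCEPT token."""
    if user != "root":
        return True
    return match_from(EXCEPT_TOKEN, rhost, local_fwd)


def login(user, peer_ip, pass_ip_to_pam):
    """Return (PAM_RHOST value, pam_access decision) for one connection."""
    if pass_ip_to_pam:
        rhost = peer_ip           # proposed fix: PAM always sees the IP
    else:
        rhost = sshd_remote_name(peer_ip, ATTACKER_PTR, ATTACKER_A)
    return rhost, access_allowed(user, rhost, LOCAL_A)


if __name__ == "__main__":
    for fixed in (False, True):
        print("pass_ip_to_pam =", fixed, "->", login("root", "1.2.3.4", fixed))
```

The two resolutions of the same name disagree because they are answered by different sources, so the forward-confirmed check in sshd says nothing about what pam_access will later resolve.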