7083513 2001-09-10 16:53 +0200  /99 lines/ Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE>
Sent by: joel@lysator.liu.se
Imported: 2001-09-11  00:44  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19141>
Subject: RUS-CERT Advisory 2001-09:01
------------------------------------------------------------
From: Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE>
To: bugtraq@securityfocus.com
Message-ID: <tgd74zgkqn.fsf@mercury.rus.uni-stuttgart.de>

Vulnerabilities in PAM and NSS modules using a PostgreSQL database

   While investigating the problem described in RUS-CERT Advisory
   2001-08:01, it became evident that a few PAM and NSS modules which
   use PostgreSQL as their database backend are vulnerable to SQL code
   injection attacks, too.
   
  Systems Affected
  
   All systems using at least one of the following PAM and NSS
   modules:

     * libnss-pgsql 0.9.0 by Joerg Wendland
     * nss_postgresql 0.6.1 by Alessandro Gardich
     * pam-pgsql 0.9.2 by Joerg Wendland
     * pam_pgsql 0.0.3 by Alessandro Gardich
     * pam-pgsql 0.5.1 by Leon J Breedt
       
  Attack vector
  
   For the PAM authentication modules, the ability to attempt a
   password-based login on the system is required to exploit the
   vulnerability. The exact login method (HTTP Authentication, SSH,
   Telnet) does not matter, as long as PAM is used. For the NSS
   database modules, an interactive account is usually required to
   exploit this vulnerability.
   
  Impact
  
   The attack can execute arbitrary SQL statements under the database
   user used for querying the PostgreSQL database. Responses from the
   database backend can be faked. Exploiting the vulnerability in a
   PAM module, an attacker might gain unauthorized access. The
   possibilities of an attacker facing a vulnerable NSS module depend
   heavily on the system configuration and the offered services.
   
  Vulnerability Type
  
   SQL code insertion attack
   
  Description
  
   The problem has already been described in RUS-CERT Advisory
   2001-08:01: An attacker might use specially crafted strings which
   contain embedded SQL statements to fake responses from the
   database backend. If the attacker can attempt logins using a
   suitable PAM-based login procedure (one which permits spaces and
   single quotation marks in user names) involving one of the
   vulnerable PAM modules, or can query one of the NSS databases handled
   by a vulnerable NSS module, he is able to execute arbitrary SQL
   statements on the database server, under the database user used
   for the query. In addition, data returned by queries can be
   manipulated. This can lead to unauthorized access to the system.
   
  Proposed Solution
  
   We believe that the presence of essentially the same
   vulnerability in many PostgreSQL applications (see also
   RUS-CERT Advisory 2001-08:01) is related to the lack of a suitable
   string quoting function in the PostgreSQL client library (and not
   just to code reuse and overlap among the authors).
   
   Therefore, we propose that a function which escapes characters
   treated specially by PostgreSQL, by replacing them with safe
   character sequences, be included in the PostgreSQL client
   library. We provide a mostly untested sample implementation:

     * Escaping Strings in PostgreSQL Queries
       (http://cert.uni-stuttgart.de/doc/postgresql/escape/)
       
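   As an added illustration of the proposed fix (this is not RUS-CERT's
   sample implementation and not the libpq API of the time), the C
   snippet below shows an escape function of the kind described above,
   used to build a lookup query such as a PAM or NSS module would issue.
   The function names, and the table and column names, are constructed
   for this example; it assumes the server treats both the single quote
   and the backslash as special inside a single-quoted literal.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* pg_escape_literal (hypothetical name): copy `from` into `to`, doubling
 * every single quote and backslash so that the result can be embedded in
 * a single-quoted PostgreSQL string literal. `to` must provide room for
 * 2 * length + 1 bytes. Returns the number of bytes written, excluding
 * the terminating NUL. A module that instead pastes the raw user name
 * into the query lets a quote in the name end the literal early, which
 * is the flaw the advisory describes. */
size_t pg_escape_literal(char *to, const char *from, size_t length)
{
    size_t written = 0;
    for (size_t i = 0; i < length; i++) {
        unsigned char c = (unsigned char)from[i];
        if (c == '\'' || c == '\\')
            to[written++] = (char)c;    /* emit the escape character first */
        to[written++] = (char)c;
    }
    to[written] = '\0';
    return written;
}

/* build_lookup_query (hypothetical): return a heap-allocated SELECT for
 * `username` with the value escaped, or NULL on allocation failure.
 * The caller frees the result. Table and column names are constructed. */
char *build_lookup_query(const char *username)
{
    static const char prefix[] = "SELECT password FROM passwd WHERE username = '";
    static const char suffix[] = "'";           /* sizeof suffix includes NUL */
    size_t ulen = strlen(username);
    char *escaped = malloc(2 * ulen + 1);
    if (!escaped) return NULL;
    size_t elen = pg_escape_literal(escaped, username, ulen);
    char *query = malloc(sizeof prefix - 1 + elen + sizeof suffix);
    if (!query) { free(escaped); return NULL; }
    memcpy(query, prefix, sizeof prefix - 1);
    memcpy(query + sizeof prefix - 1, escaped, elen);
    memcpy(query + sizeof prefix - 1 + elen, suffix, sizeof suffix);
    free(escaped);
    return query;
}

int main(void)
{
    char *q = build_lookup_query("o'brien");   /* constructed sample name */
    if (q) { printf("%s\n", q); free(q); }
    return 0;
}
```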
  Available Fixes
  
   Joerg Wendland has published fixed versions of his modules.

     * http://sourceforge.net/project/showfiles.php?group_id=24083
       
  Contact Status
  
   RUS-CERT contacted the authors of the vulnerable authentication
   modules on 2001-08-25.
   
  About RUS-CERT
  
   RUS-CERT (http://cert.uni-stuttgart.de/) is the Computer Emergency
   Response Team located at the Computing Center (RUS) of the
   University of Stuttgart, Germany.

  URI for this advisory

   http://cert.uni-stuttgart.de/advisories/postgresql_pam_nss.php

-- 
Florian Weimer 	                  Florian.Weimer@RUS.Uni-Stuttgart.DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
(7083513) /Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE>/(Re-wrapped)