
Vulnerabilities in PAM and NSS modules using a PostgreSQL database

During the investigation of the problem described in RUS-CERT Advisory 2001-08:01, it became evident that a few PAM and NSS modules which use PostgreSQL as a database backend are vulnerable to SQL code injection attacks, too.

Systems Affected

All systems using at least one of the following PAM and NSS modules:

  • libnss-pgsql 0.9.0 by Joerg Wendland
  • nss_postgresql 0.6.1 by Alessandro Gardich
  • pam-pgsql 0.9.2 by Joerg Wendland
  • pam_pgsql 0.0.3 by Alessandro Gardich
  • pam-pgsql 0.5.1 by Leon J Breedt

Attack vector

For the PAM authentication modules, the ability to attempt a password-based login on the system is required to exploit the vulnerability. The exact login method (HTTP Authentication, SSH, Telnet) does not matter, as long as PAM is used. For the NSS database modules, an interactive account is usually required to exploit this vulnerability.

Impact

The attacker can execute arbitrary SQL statements under the database user used for querying the PostgreSQL database. Responses from the database backend can be faked. By exploiting the vulnerability in a PAM module, an attacker might gain unauthorized access. The possibilities of an attacker facing a vulnerable NSS module strongly depend on the system configuration and the offered services.

Vulnerability Type

SQL code insertion attack

Description

The problem has already been described in RUS-CERT Advisory 2001-08:01: An attacker might use specially crafted strings containing embedded SQL statements in order to fake responses from the database backend.

If the attacker can attempt logins using a suitable PAM-based login procedure (one which permits spaces and single quotation marks in user names) involving one of the vulnerable PAM modules, or can query one of the NSS databases handled by a vulnerable NSS module, he is able to execute arbitrary SQL statements on the database server, under the database account used for the query. In addition, data returned by queries can be manipulated. This can lead to unauthorized access to the system.

Proposed Solution

We believe that the fact that essentially the same vulnerability is present in many PostgreSQL applications (see also RUS-CERT Advisory 2001-08:01) is related to the lack of a suitable string quoting function in the PostgreSQL client library (and not just to code reuse and overlap among the authors).

Therefore, we propose to include a function into the PostgreSQL client library libpq which escapes characters treated specially by PostgreSQL, replacing them with safe character sequences.
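As an added illustration (not code from the advisory or from any of the listed modules), the following shows the kind of quoting function proposed here, applied to the login lookup a PAM module would issue; the function name, the table `users` and the columns `login`/`password` are assumptions. It doubles single quotes and backslashes, which is what PostgreSQL's string syntax of that time required.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Escape a string for use inside a single-quoted SQL literal.
 * Doubles every single quote and every backslash, matching the
 * PostgreSQL string syntax current when this advisory was written.
 * Returns a malloc'd buffer the caller frees, or NULL on allocation
 * failure. Hypothetical helper for this example, not a libpq function. */
char *escape_pg_literal(const char *in)
{
    size_t len = strlen(in);
    char *out = malloc(2 * len + 1);   /* worst case: every char doubled */
    if (out == NULL)
        return NULL;
    char *p = out;
    for (const char *s = in; *s != '\0'; s++) {
        if (*s == '\'' || *s == '\\')
            *p++ = *s;                 /* emit the special character twice */
        *p++ = *s;
    }
    *p = '\0';
    return out;
}

/* Build the password lookup the way a PAM module would, but escape the
 * user-supplied login before interpolating it. Without the escaping step
 * a quote in the login would terminate the literal and let the rest of
 * the name be parsed as SQL, which is the defect the advisory describes.
 * Returns a malloc'd query string, or NULL on allocation failure. */
char *build_auth_query(const char *login)
{
    const char *prefix = "SELECT password FROM users WHERE login = '";
    char *esc = escape_pg_literal(login);
    if (esc == NULL)
        return NULL;
    size_t n = strlen(prefix) + strlen(esc) + 2;   /* closing quote + NUL */
    char *sql = malloc(n);
    if (sql != NULL) {
        strcpy(sql, prefix);
        strcat(sql, esc);
        strcat(sql, "'");
    }
    free(esc);
    return sql;
}

int main(void)
{
    char *sql = build_auth_query("O'Brien");   /* constructed sample login */
    if (sql == NULL)
        return 1;
    puts(sql);   /* SELECT password FROM users WHERE login = 'O''Brien' */
    free(sql);
    return 0;
}
```

Later libpq releases added PQescapeStringConn and PQescapeLiteral for exactly this purpose, and PQexecParams passes values separately from the query text so that no interpolation is needed at all.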

Available Fixes

Joerg Wendland has published fixed versions of his modules.

Contact Status

RUS-CERT contacted the authors of the vulnerable authentication modules on 2001-08-25.

About RUS-CERT

RUS-CERT is the Computer Emergency Response Team located at the Computing Center (RUS) of the University of Stuttgart, Germany.