]> granicus.if.org Git - linux-pam/commitdiff
pam_userdb: fix password hash comparison
authorDmitry V. Levin <ldv@altlinux.org>
Fri, 24 Jan 2014 22:18:32 +0000 (22:18 +0000)
committerDmitry V. Levin <ldv@altlinux.org>
Mon, 27 Jan 2014 13:22:20 +0000 (13:22 +0000)
Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed
passwords support in pam_userdb, hashes are compared case-insensitively.
This bug leads to accepting hashes for completely different passwords in
addition to those that should be accepted.

Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for
modern password hashes with different lengths and settings, did not
update the hash comparison accordingly, which leads to accepting
computed hashes longer than stored hashes when the latter is a prefix
of the former.

* modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed
hash whose length differs from the stored hash length.
Compare computed and stored hashes case-sensitively.
Fixes CVE-2013-7041.

Bug-Debian: http://bugs.debian.org/731368

modules/pam_userdb/pam_userdb.c

index de8b5b1e919f62826bb7d591cba81222b68246c2..ff040e6f8bfa9c3918a641f82efa98a7b8e338ee 100644 (file)
@@ -222,12 +222,15 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
          } else {
            cryptpw = crypt (pass, data.dptr);
 
-           if (cryptpw) {
-             compare = strncasecmp (data.dptr, cryptpw, data.dsize);
+           if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
+             compare = memcmp(data.dptr, cryptpw, data.dsize);
            } else {
              compare = -2;
              if (ctrl & PAM_DEBUG_ARG) {
-               pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
+               if (cryptpw)
+                 pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ");
+               else
+                 pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
              }
            };