#27: pam_timestamp path traversal issue
-----------------------+------------------------------
Reporter: tmraz | Owner: pam-developers@…
Type: security | Status: new
Priority: major | Component: modules
Version: | Keywords:
Blocked By: | Blocking:
-----------------------+------------------------------
pam_timestamp uses PAM_RUSER and PAM_TTY directly without any checks. If
the user can mainpulate PAM_RUSER and PAM_TTY contents (which is mostly
not possible, but there might be scenarios where it is) he would be able
to get access to a service without proper checking.
See
http://seclists.org/oss-sec/2014/q1/645 for the original report by
Sebastian Krahmer.
I suppose sufficient mitigation would be to look for ".." in both
PAM_RUSER and PAM_TTY and reject authentication attempt if they contain
this string.
I would also document that the module should never be used with services
where the authenticating user can manipulate the PAM_RUSER variable
contents.
--
Ticket URL: <
https://fedorahosted.org/linux-pam/ticket/27>
linux-pam <
http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project