CVE-2005-2977
CVSS2.1
Published: 2005-11-01 07:47:00
Last modified: 2011-03-07 21:25:23
NMCOS    

[Original] The SELinux version of PAM before 0.78 r3 allows local users to perform brute force password guessing attacks via unix_chkpwd, which does not log failed guesses or delay its responses.


[CNNVD] PAM Unix_Chkpwd Brute-Force Password Guessing Vulnerability (CNNVD-200511-040)

        PAM (Pluggable Authentication Modules) is a system security facility that lets administrators set authentication policy without recompiling the programs that perform authentication.
        When SELinux is enabled, the way PAM's unix_chkpwd helper verifies user passwords is flawed; an attacker who successfully exploits this can guess other users' passwords and gain unauthorized access.
        Normally a local non-root user cannot use the unix_chkpwd command to verify other local users' passwords, but the patch that added SELinux support lets local users brute-force the passwords of other local accounts:
        In the SELinux patch:
         /*
        - * determine the current user's name is
        + * determine the current user's name is.
        + * On a SELinux enabled system, policy will prevent third
        parties from using
        + * unix_chkpwd as a password guesser. Leaving the existing
        check prevents
        + * su from working, Since the current uid is the users and the
        password is
        + * for root.
         */
        - user = getuidname(getuid());
        - if (argc == 2) {
        - /* if the caller specifies the username, verify that user
        - matches it */
        - if (strcmp(user, argv[1])) {
        - force_failure = 1;
        - }
        + if (SELINUX_ENABLED) {
        + user=argv[1];
        + }
        + else {
        + user = getuidname(getuid());
        + /* if the caller specifies the username, verify that user
        + matches it */
        + if (strcmp(user, argv[1])) {
        + return PAM_AUTH_ERR;
        + }
        + }
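Review bot: the SELinux branch removes the caller check entirely: `user=argv[1];` accepts whatever account the caller names, so the access decision now depends on SELinux policy actually confining unix_chkpwd, which is not the case in permissive mode or for an unconfined caller, and a local user can then run the helper against any account. Both branches also index `argv[1]` without the `if (argc == 2)` guard that the removed lines had. Keep the comparison of `getuidname(getuid())` against `argv[1]` regardless of `SELINUX_ENABLED` (allowing a mismatch only for a root caller, which covers the su case the comment describes), restore the argc check, and log and delay failed verifications, since the helper currently does neither.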
        It follows that unix_chkpwd can be run in this way if SELinux is set to permissive mode, and it can still be run even when SELinux is set to enforcing mode.
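As an added illustration of the flaw in the patch above (example code, not Linux-PAM's own, with constructed function names, result codes and sample inputs), the following C program places the check as the SELinux patch left it beside a hardened form that decides in userspace from the caller's real uid, never delegating to SELinux, and adds the failure logging and response delay that the CVE text notes the helper lacks:

```c
/* Added example, not Linux-PAM's own code: the caller-identity check that
 * unix_chkpwd needs, written so that it does not rely on SELinux policy.
 * Function names, result codes and the sample inputs are constructed here. */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum chk_result { CHK_ALLOW = 0, CHK_BAD_ARGS = 1, CHK_DENY = 2 };

/* The check as the SELinux patch left it (paraphrased from the diff):
 * when SELinux is enabled the requested account is taken from the
 * command line with no comparison against the caller's identity. */
enum chk_result authorize_vulnerable(int selinux_enabled,
                                     const char *caller_name,
                                     const char *requested)
{
    if (requested == NULL)
        return CHK_BAD_ARGS;
    if (selinux_enabled)
        return CHK_ALLOW;          /* trusts policy to stop guessers */
    return strcmp(caller_name, requested) == 0 ? CHK_ALLOW : CHK_DENY;
}

/* Hardened form: the decision is made in userspace from the caller's real
 * uid and is never delegated to SELinux. Only root may verify another
 * account's password; everyone else may only verify their own. */
enum chk_result authorize_hardened(uid_t caller_uid,
                                   const char *caller_name,
                                   const char *requested)
{
    if (requested == NULL || requested[0] == '\0')
        return CHK_BAD_ARGS;       /* restores the old argc == 2 guard */
    if (strcmp(caller_name, requested) == 0)
        return CHK_ALLOW;
    if (caller_uid == 0)
        return CHK_ALLOW;          /* root may check any account */
    return CHK_DENY;
}

/* Response delay for the n-th consecutive failed verification: doubles
 * from 2 s and is capped at 16 s, so guessing is slow while a single
 * mistyped password costs the legitimate user little. */
unsigned failure_delay_seconds(unsigned failures)
{
    if (failures == 0)
        return 0;
    unsigned d = 2;
    while (failures > 1 && d < 16) {
        d *= 2;
        failures--;
    }
    return d;
}

/* Log a failed verification to stderr (a real helper would use syslog)
 * and return the updated failure count. */
unsigned record_failure(const char *caller_name, const char *requested,
                        unsigned failures_so_far)
{
    unsigned failures = failures_so_far + 1;
    fprintf(stderr, "unix_chkpwd: caller %s may not verify password of %s "
                    "(failure %u, delaying %u s)\n",
            caller_name, requested, failures, failure_delay_seconds(failures));
    return failures;
}

/* Resolve the calling uid to a name, as unix_chkpwd's getuidname() does. */
const char *caller_name_from_uid(uid_t uid, char *buf, size_t len)
{
    struct passwd *pw = getpwuid(uid);
    if (pw == NULL)
        return NULL;
    snprintf(buf, len, "%s", pw->pw_name);
    return buf;
}

int main(int argc, char **argv)
{
    char name[64];
    const char *me = caller_name_from_uid(getuid(), name, sizeof name);
    const char *requested = argc == 2 ? argv[1] : NULL;
    if (me == NULL)
        return 2;
    enum chk_result r = authorize_hardened(getuid(), me, requested);
    if (r != CHK_ALLOW) {
        unsigned n = record_failure(me, requested ? requested : "(none)", 0);
        sleep(failure_delay_seconds(n));
        return 1;
    }
    printf("caller %s may verify password of %s\n", me, requested);
    return 0;
}
```

Run as an unprivileged user with another account's name as the argument, the hardened check denies the request, logs it and delays before exiting, whereas `authorize_vulnerable` with SELinux enabled would have allowed it; the same request from uid 0 is allowed, which is the su case the patch comment was trying to preserve.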

- CVSS (Base Score)

CVSS score: 2.1 [Minor (LOW)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (Affected Platforms and Products)

Product and version information (CPE) not yet available

- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:10193 The SELinux version of PAM before 0.78 r3 allows local users to perform brute force password guessing attacks via unix_chkpwd, which does no...
*OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the related OVAL definition.

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2977
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2977
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200511-040
(official data source) CNNVD

- Other Links and Resources

http://www.gentoo.org/security/en/glsa/glsa-200510-22.xml
(VENDOR_ADVISORY)  GENTOO  GLSA-200510-22
http://secunia.com/advisories/17365
(VENDOR_ADVISORY)  SECUNIA  17365
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168181
(UNKNOWN)  MISC  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168181
http://www.vupen.com/english/advisories/2005/2227
(UNKNOWN)  VUPEN  ADV-2005-2227
http://securitytracker.com/id?1015111
(UNKNOWN)  SECTRACK  1015111
http://cvs.sourceforge.net/viewcvs.py/pam/Linux-PAM/NEWS?rev=1.6&view=markup
(UNKNOWN)  CONFIRM  http://cvs.sourceforge.net/viewcvs.py/pam/Linux-PAM/NEWS?rev=1.6&view=markup
http://www.securityfocus.com/bid/15217
(UNKNOWN)  BID  15217
http://www.redhat.com/support/errata/RHSA-2005-805.html
(UNKNOWN)  REDHAT  RHSA-2005:805
http://secunia.com/advisories/17352
(UNKNOWN)  SECUNIA  17352
http://secunia.com/advisories/17350
(UNKNOWN)  SECUNIA  17350
http://secunia.com/advisories/17346
(UNKNOWN)  SECUNIA  17346

- Vulnerability Information

PAM Unix_Chkpwd Brute-Force Password Guessing Vulnerability
Low severity   Design error
2005-11-01 00:00:00 2005-11-15 00:00:00
Local

- Advisories and Patches

        The vendor has released an upgrade patch to fix this security issue; download it from the vendor's homepage:
        http://lwn.net/Alerts/157169/?format=printable

- Vulnerability Information

20351
PAM with SELinux unix_chkpwd Arbitrary Account Brute Force Weakness

- Vulnerability Description

Unknown or Incomplete

- Timeline

2005-10-26 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Credit

Unknown or Incomplete

- Vulnerability Information

PAM Unix_Chkpwd Unauthorized Access Vulnerability
Design Error 15217
No Yes
2005-10-26 12:00:00 2005-10-26 12:00:00
This issue was disclosed in the referenced RedHat Fedora advisory.

- Affected Program Versions

RedHat Enterprise Linux WS 4
RedHat Enterprise Linux ES 4
RedHat Desktop 4.0
Red Hat Fedora Core4
Red Hat Fedora Core3
Red Hat Enterprise Linux AS 4
Linux-PAM Linux-PAM 0.77
Gentoo Linux

- Vulnerability Discussion

The PAM unix_chkpwd command is prone to an unauthorized access vulnerability.

A local attacker can exploit this vulnerability to perform brute force attacks to obtain the valid passwords of other local users.

- Exploit

No exploit is required.

- Solution

RedHat Fedora has released security advisory FEDORA-2005-1030 addressing this issue for Fedora Core 3. Users are advised to see the referenced advisory for details on obtaining and applying the appropriate updates.

RedHat has released security advisory RHSA-2005:805-6 addressing this issue for their Desktop and Enterprise 4 platforms. Please see the referenced Web advisory for further information.

RedHat Fedora has released security advisory FEDORA-2005-1031 addressing this issue for Fedora Core 4. Users are advised to see the referenced advisory for details on obtaining and applying the appropriate updates.

Gentoo has released advisory GLSA 200510-22 and fixes to address this issue. To obtain fixes, users should execute the following:

emerge --sync
emerge --ask --oneshot --verbose ">=sys-libs/pam-0.78-r3"

--
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- References
