my_make_scrambled_password() is not a replacement for make_scrambled_password()
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
pam-mysql (Ubuntu) | Fix Released | High | Andreas Hasenack |
vsftpd (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
artful libpam-
TL;DR
pam_mysql in artful will in the best case scenario just fail to authenticate users whose passwords were hashed with the server-side PASSWORD() SQL function. There is a buffer overflow happening, but it doesn't trigger a crash for some reason.
Detailed explanation follows.
When crypt=2 is set in its configuration, pam_mysql expects the password to be hashed according to the server-side PASSWORD() SQL function. From its README:
2 (or "mysql") = Use MySQL PASSWORD() function. It is possible that the encryption function used by PAM-MySQL is different from that of the MySQL server, as PAM-MySQL uses the function defined in MySQL's C-client API instead of using PASSWORD() SQL function in the query.
pam_mysql is indeed using an incorrect hash function: it's using my_make_
char buf[42];
my_make_
vresult = strcmp(row[0], buf);
row[0] is the result of the SQL query that fetches the user's password hash
There are two problems with this:
a) my_make_
#define CRYPT_SALT_LENGTH 20
#define CRYPT_MAGIC_LENGTH 3
#define CRYPT_PARAM_LENGTH 13
#define SHA256_HASH_LENGTH 43
#define CRYPT_MAX_
42 is the length of the hexified hash produced by make_scrambled_
b) the output of my_make_
If my_make_
So, if mysqlclient doesn't export my_make_
To reproduce this problem, set up mysql, vsftpd and libpam-mysql on artful as explained in bug #1574900.
I cannot explain why vsftpd doesn't crash in this scenario in artful: gcc's stack protector isn't triggered, nor is a segfault. In debugging I can see the buf variable getting way more than 42 bytes written to it, and if I add another stack variable next to it, it gets corrupted. But no crashes, just an authentication error.
Changed in pam-mysql (Ubuntu):
status: New → Confirmed
Changed in vsftpd (Ubuntu):
status: Confirmed → Invalid
summary:
- vsftpd 500 oops stack smashing detected - Ubuntu 16.04
+ my_make_scrambled_password() is not a replacement for
+ make_scrambled_password()
description: updated
description: updated
description: updated
Changed in pam-mysql (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
status: Confirmed → In Progress
importance: Undecided → High
Never mind, this is caused by the broken libpam-mysql package. Close bug.