Julian Mehnle
2008-May-19 20:04 UTC
[Secure-testing-team] Bug#481970: libpam-pgsql: <Ctrl+C> while in authentication phase induces success, may circumvent sudo et al.
Package: libpam-pgsql
Version: 0.6.3-1
Severity: critical
Tags: security
Justification: root security hole

I recently upgraded libpam-pgsql to 0.6.3-1. I now noticed that pressing <Ctrl+C> during libpam-pgsql's authentication phase, e.g., when sudo is asking for the user's password, erroneously causes sudo to succeed as if the user had entered the correct password, IF pam_pgsql.so has been configured as a "sufficient" authentication module in the system's PAM setup.

I am attaching my /etc/pam.d/common-auth and /etc/pam.d/sudo files for illustration. Only the former has been changed from the PAM defaults.

Here's a transcript demonstrating the effect:

| io:~> id
| uid=1004(julian) gid=100(users) groups=0(root),4(adm),8(mail),32(postgres),40(src),50(staff),100(users),[...]
| io:~> sudo -k
| io:~> sudo id
| [sudo] password for julian: ^C
| uid=0(root) gid=0(root) groups=0(root),4(adm)

Even though pam_pgsql.so is not configured as a "sufficient" auth module by default, I consider this a critical security issue in the libpam-pgsql package. Feel free to downgrade the severity if you think otherwise.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (600, 'testing'), (90, 'unstable')
Architecture: i386 (i586)
Kernel: Linux 2.6.24-1-486
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libpam-pgsql depends on:
ii  libc6      2.7-10       GNU C Library: Shared libraries
ii  libmhash2  0.9.9-1      Library for cryptographic hashing
ii  libpam0g   0.99.7.1-6   Pluggable Authentication Modules l
ii  libpq5     8.3.1-1      PostgreSQL C client library

libpam-pgsql recommends no packages.

-- no debconf information
-------------- next part --------------
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# USM login authentication
auth sufficient pam_pgsql.so table=auth.login
# Standard Un*x authentication. The "nullok" line allows passwordless
# accounts.
auth required pam_unix.so nullok try_first_pass
-------------- next part --------------
#%PAM-1.0

@include common-auth
@include common-account
session required pam_permit.so
session required pam_limits.so
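The following is an added illustration, not part of the bug report or of libpam-pgsql: a small Python simulation of how a PAM auth stack is walked under the "sufficient" and "required" control flags, fed the two "auth" lines from the reporter's common-auth. It models the reported behaviour (a module that answers success after an interrupted password prompt) beside a hardened variant that treats the interruption as a failure, and shows why the outcome depends on the control flag. The control-flag logic is a simplified reading of Linux-PAM's dispatcher rather than the library itself; `Result`, the `pam_pgsql_buggy`/`pam_pgsql_fixed`/`pam_unix` functions, and the credential tables are all constructed for the example.

```python
from enum import Enum, auto


class Result(Enum):
    """Subset of PAM return codes as a local enum (not libpam's constants)."""
    SUCCESS = auto()
    AUTH_ERR = auto()
    CONV_ERR = auto()


# The "auth" lines of the reporter's /etc/pam.d/common-auth, copied into a string.
COMMON_AUTH_SUFFICIENT = """\
# USM login authentication
auth sufficient pam_pgsql.so table=auth.login
# Standard Un*x authentication.
auth required pam_unix.so nullok try_first_pass
"""

# Same stack with pam_pgsql.so demoted from "sufficient" to "required".
COMMON_AUTH_REQUIRED = COMMON_AUTH_SUFFICIENT.replace(
    "auth sufficient pam_pgsql.so", "auth required pam_pgsql.so")

# Constructed credential stores (hypothetical values, one user each).
PGSQL_TABLE = {"julian": "pg-secret"}    # stand-in for the auth.login table
UNIX_SHADOW = {"julian": "unix-secret"}  # stand-in for /etc/shadow


def parse_auth_stack(config_text):
    """Return [(control, module, args)] for the 'auth' lines of a pam.d file."""
    stack = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] == "auth" and len(fields) >= 3:
            stack.append((fields[1], fields[2], fields[3:]))
    return stack


def pam_pgsql_buggy(user, typed, args):
    """Models the reported behaviour: an interrupted prompt (typed is None)
    is answered with SUCCESS instead of an error."""
    if typed is None:
        return Result.SUCCESS
    return Result.SUCCESS if PGSQL_TABLE.get(user) == typed else Result.AUTH_ERR


def pam_pgsql_fixed(user, typed, args):
    """Hardened variant: an interrupted conversation is a failure, never a pass."""
    if typed is None:
        return Result.CONV_ERR
    return Result.SUCCESS if PGSQL_TABLE.get(user) == typed else Result.AUTH_ERR


def pam_unix(user, typed, args):
    """pam_unix stand-in; 'nullok' only matters for an account with an empty password."""
    if typed is None:
        return Result.AUTH_ERR
    expected = UNIX_SHADOW.get(user)
    if expected == "" and "nullok" in args:
        return Result.SUCCESS
    return Result.SUCCESS if expected == typed else Result.AUTH_ERR


def run_auth_stack(stack, modules, user, typed):
    """Walk the stack the way Linux-PAM does for the four classic control flags
    (simplified: PAM_IGNORE and the bracketed action syntax are not modelled).
    'typed' is what the user entered at the prompt, or None for <Ctrl+C>."""
    first_failure = None
    for control, module, args in stack:
        result = modules[module](user, typed, args)
        if control == "requisite" and result is not Result.SUCCESS:
            return result                            # fail hard, stop now
        if control == "required" and result is not Result.SUCCESS:
            first_failure = first_failure or result  # remember, keep going
        if control == "sufficient" and result is Result.SUCCESS and first_failure is None:
            return Result.SUCCESS                    # short-circuit: later modules never run
        # "optional", and a failing "sufficient", do not change the outcome
    return first_failure or Result.SUCCESS


def sudo_auth(config_text, pgsql_impl, user, typed):
    """Evaluate the given common-auth text for one prompt outcome."""
    modules = {"pam_pgsql.so": pgsql_impl, "pam_unix.so": pam_unix}
    return run_auth_stack(parse_auth_stack(config_text), modules, user, typed)


if __name__ == "__main__":
    # <Ctrl+C> at the prompt with the buggy module listed as "sufficient": the transcript's outcome.
    print("sufficient + buggy, ^C:", sudo_auth(COMMON_AUTH_SUFFICIENT, pam_pgsql_buggy, "julian", None))
    print("sufficient + fixed, ^C:", sudo_auth(COMMON_AUTH_SUFFICIENT, pam_pgsql_fixed, "julian", None))
    print("required   + buggy, ^C:", sudo_auth(COMMON_AUTH_REQUIRED, pam_pgsql_buggy, "julian", None))
    print("sufficient + fixed, pw:", sudo_auth(COMMON_AUTH_SUFFICIENT, pam_pgsql_fixed, "julian", "pg-secret"))
```

The two things worth taking from the simulation: a module's error path must never return success, because "sufficient" turns that single answer into the final verdict before pam_unix ever runs; and listing the same module as "required" instead limits the damage, since pam_unix still has to succeed on its own.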