Roberto Lumbreras
2008-Sep-08 11:50 UTC
[Secure-testing-team] Bug#498236: libpam-modules: Login incorrect message after entering non-existent login name
Package: libpam-modules
Version: 0.99.7.1-7
Severity: grave
Tags: security
Justification: user security hole

In the console login prompt entering a non-existent login you get a "Login incorrect" message WITHOUT being asked for any password.

This is a serious security hole, because pam is revealing information about the accounts there are in the system.

Version 1.0.1 of the pam packages seems to have the same problem.

Regards,
Roberto Lumbreras

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/2 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libpam-modules depends on:
ii  libc6        2.7-10      GNU C Library: Shared libraries
ii  libdb4.6     4.6.21-8    Berkeley v4.6 Database Libraries [
ii  libpam0g     0.99.7.1-7  Pluggable Authentication Modules l
ii  libselinux1  2.0.59-1    SELinux shared libraries

libpam-modules recommends no packages.

libpam-modules suggests no packages.

-- no debconf information
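The behaviour reported above, modelled as an added example (not code from PAM, the Debian package or the reporter): one login routine that fails an unknown name before prompting, beside one that gives every failed attempt the same observable transcript. The account table, the `DUMMY` entry and all function names are constructed for illustration, and plain strings stand in for password hashes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample accounts. Plain strings stand in for stored password
 * hashes so the model stays short; a real system compares hashes. */
struct account { const char *user; const char *secret; };
static const struct account ACCOUNTS[] = {
    { "alice", "correct-horse" },
    { "bob",   "battery-staple" },
};
/* Compared against when the login name is unknown; the result is discarded. */
static const struct account DUMMY = { "", "\x01placeholder" };

/* What someone at the console can observe from one login attempt. */
struct transcript { bool password_prompted; bool success; };

static const struct account *lookup(const char *user) {
    for (size_t i = 0; i < sizeof ACCOUNTS / sizeof ACCOUNTS[0]; i++)
        if (strcmp(ACCOUNTS[i].user, user) == 0)
            return &ACCOUNTS[i];
    return NULL;
}

/* Reported behaviour: an unknown name fails before any password prompt,
 * so the missing prompt tells the observer the account does not exist. */
struct transcript login_reported(const char *user, const char *password) {
    struct transcript t = { false, false };
    const struct account *a = lookup(user);
    if (a == NULL)
        return t;                      /* "Login incorrect", no prompt */
    t.password_prompted = true;
    t.success = strcmp(a->secret, password) == 0;
    return t;
}

/* Uniform behaviour: always prompt, always run a comparison, and succeed
 * only when the account exists and the password matches. */
struct transcript login_uniform(const char *user, const char *password) {
    struct transcript t = { true, false };
    const struct account *a = lookup(user);
    bool known = (a != NULL);
    bool match = strcmp((known ? a : &DUMMY)->secret, password) == 0;
    t.success = known && match;
    return t;
}
```

With `login_uniform`, a wrong password for `alice` and any password for a name that does not exist produce identical transcripts, which is the property the report says is missing.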