Wednesday, October 22, 2008

PAM spam

About PAM, the cool Pluggable Authentication Modules framework common across
all major Linux distributions.

I was recently involved in a project that used PAM to authenticate users via some
special kind of hardware. A note to developers and reviewers: keep in mind
that pam_syslog() and pam_prompt() expect a format string as their argument.
If you write your own log-wrapping code that itself takes a format string,
you still need to pass the resulting string to these PAM functions via the "%s" format specifier!
Keep in mind that attackers may pass
strings like "%%s%%n" to the first (correct) format resolver; it shrinks them to "%s%n",
which opens a format string vulnerability in the following incorrect calls.
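The double-formatting bug described above and its "%s" fix, as an added example that is not code from the original post. It assumes a mock sink (mock_pam_sink) standing in for pam_syslog()/pam_prompt() that parses its format instead of printing it, plus hypothetical wrapper names log_wrap_vulnerable and log_wrap_fixed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

struct fmt_audit { int directives; int writes_memory; };

/* Mock for pam_syslog()/pam_prompt() (assumption: not libpam). Like them it
 * takes a printf-style format; instead of printing it parses the format and
 * reports the directive count and whether a "%n" (memory write) is present. */
static struct fmt_audit mock_pam_sink(const char *fmt, ...)
{
    struct fmt_audit a = { 0, 0 };
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }          /* "%%" is a literal '%' */
        const char *q = p + 1;                       /* skip flags/width/length */
        while (*q && strchr("-+ #0123456789.*hlLqjzt", *q)) q++;
        if (!*q) break;
        a.directives++;
        if (*q == 'n') a.writes_memory = 1;
        p = q;
    }
    return a;
}

/* Buggy wrapper: formats once, then hands the RESULT to the PAM call as its
 * format, so any "%" sequences left in buf are interpreted a second time. */
static struct fmt_audit log_wrap_vulnerable(const char *fmt, ...)
{
    char buf[256];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    return mock_pam_sink(buf);                       /* BUG: buf is the format */
}

/* Fixed wrapper: the text goes through as a "%s" argument; the PAM call's
 * format is the constant "%s" and buf is never parsed. */
static struct fmt_audit log_wrap_fixed(const char *fmt, ...)
{
    char buf[256];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    return mock_pam_sink("%s", buf);
}
```

Calling `log_wrap_vulnerable("login failed for %s", "%s%n")` (constructed attacker input) hands the sink a format with two directives including "%n", while `log_wrap_fixed` with the same input hands it only "%s"; the post's "%%s%%n" case, passed as the first pass's format, behaves the same way.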

