Open Source and information security mailing list archives
Date: Tue, 06 Jul 2010 08:04:12 -1000
From: Ian Maguire <imaguire@...erb.net>
To: bugtraq@...urityfocus.com, jls@...icomplete.com
Subject: pam_captcha username harvest vulnerability

pam_captcha is a visual, text-based CAPTCHA challenge module for PAM that 
uses figlet to generate the CAPTCHAs.

Project site:
http://www.semicomplete.com/projects/pam_captcha/

A site with a screen shot:
http://www.michaelboman.org/how-to/securing-ssh-access-with-pam-captcha

I found a security problem with pam_captcha. If you enter a username 
that is not a valid user followed by the correct CAPTCHA, you do not get 
prompted for a password. You simply get prompted for another CAPTCHA. 
However, if you enter a username that is a valid user followed by the 
correct CAPTCHA, you will get prompted for a password. This means an 
attacker, or a script/bot, could easily harvest a list of valid usernames 
simply by whether or not it prompts for a password after a valid CAPTCHA 
entry. I have duplicated this behavior in FreeBSD 8.0, which uses BSD's 
OpenPAM. From what I have seen, this module is not compatible with Linux-PAM.

I don't know enough C Fu to propose a patch. Until it is patched the 
solution is to disable pam_captcha in your pam config file. The creator 
of this module seems to think that using this module isn't really even 
necessary.

http://www.semicomplete.com/blog/geekery/pam_captcha_research.html


- ian
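As an added illustration (not code from the post and not pam_captcha's own source), the following Python model encodes only the externally visible prompt sequence the post reports, the attacker-side check that turns the prompt difference into a username oracle, and an assumed mitigation in which the prompt sequence does not depend on whether the account exists. The account names, the wordlist and the prompt strings are constructed; the mitigation is an assumption about how such a stack could behave, not a patch to pam_captcha.

```python
# Constructed model of the behaviour described in the post.  It does not
# reproduce pam_captcha's internals; it only encodes what a user at the
# terminal sees after answering the CAPTCHA.

VALID_USERS = {"alice", "bob"}      # constructed sample account database

CAPTCHA_PROMPT = "Captcha:"         # assumed prompt text
PASSWORD_PROMPT = "Password:"       # assumed prompt text


def vulnerable_stack(username, captcha_correct):
    """Prompt shown after the CAPTCHA answer in the reported configuration.

    A wrong CAPTCHA always re-issues the CAPTCHA.  A correct CAPTCHA leads
    to a password prompt only when the account exists; for an unknown user
    the stack re-issues the CAPTCHA instead.  That difference is the leak.
    """
    if not captcha_correct:
        return CAPTCHA_PROMPT
    if username in VALID_USERS:
        return PASSWORD_PROMPT
    return CAPTCHA_PROMPT


def hardened_stack(username, captcha_correct):
    """Assumed mitigation (not a pam_captcha patch): make the prompt sequence
    independent of the account.  Every correct CAPTCHA is followed by a
    password prompt, so the existence of the account is only decided at the
    password check, where unknown users and bad passwords fail identically.
    """
    if not captcha_correct:
        return CAPTCHA_PROMPT
    return PASSWORD_PROMPT


def harvest(stack, candidates):
    """Attacker-side oracle from the post: answer the CAPTCHA correctly for
    each candidate name and keep those followed by a password prompt.
    Against the vulnerable stack this is exactly the set of valid accounts;
    against the hardened stack every candidate looks the same."""
    return sorted(u for u in candidates if stack(u, True) == PASSWORD_PROMPT)


def leaks_usernames(stack, candidates):
    """True if the prompt after a correct CAPTCHA differs between candidate
    names, i.e. the stack can be used as a username oracle."""
    prompts = {stack(u, True) for u in candidates}
    return len(prompts) > 1


if __name__ == "__main__":
    wordlist = ["alice", "bob", "mallory", "root", "www"]   # constructed
    print("vulnerable stack reveals:", harvest(vulnerable_stack, wordlist))
    print("hardened stack reveals:  ", harvest(hardened_stack, wordlist))
    print("vulnerable leaks:", leaks_usernames(vulnerable_stack, wordlist))
    print("hardened leaks:  ", leaks_usernames(hardened_stack, wordlist))
```

The check in leaks_usernames is the general test for this class of bug: any authentication step whose visible response (prompt text, prompt count, timing) depends on the account lookup before the credential is verified gives an attacker a per-username oracle. The post's immediate workaround, commenting the pam_captcha line out of the PAM configuration, removes the divergent step entirely.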
