|
|
 |
| New User, Welcome! Login |
pam_captcha username harvest vulnerability
| From: |
Ian Maguire <imaguire superb net> |
| To: |
bugtraq securityfocus com, jls semicomplete com |
| Cc: |
|
| Subject: |
pam_captcha username harvest vulnerability |
| Date: |
Tue - Jul 06, 2010 11:12 AM |
pam_captcha is visual text-based CAPTCHA challenge module for PAM that
uses figlet to generate the CAPTCHAs.
Project site:
http://www.semicomplete.com/projects/pam_captcha/
A site with a screen shot:
http://www.michaelboman.org/how-to/securing-ssh-access-with-pam-captcha
I found a security problem with the pam_captcha. If you enter a username
that is not a valid user followed by the correct CAPTCHA, you do not get
prompted for a password. You simply get prompted for another CAPTCHA.
However, if you enter a username that is a valid user followed by the
correct CAPTCHA, you will get prompted for a password. This means an
attacker, or a script/bot could easily harvest a list of valid usernames
simply by whether or not it prompts for a password after a valid captcha
entry. I have duplicated this behavior in FreeBSD 8.0 which uses BSD's
OpenPAM. From what I have seen this module is not compatible with Linux-PAM.
I don't know enough C Fu to propose a patch. Until it is patched the
solution is to disable pam_captcha in your pam config file. The creator
of this module seems to think that using this module isn't really even
necessary.
http://www.semicomplete.com/blog/geekery/pam_captcha_research.html
- ian
|
|
|
Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
Nearly all of LinuxRocket's features are free. Be kind and donate to the cause!
