GNOME Bugzilla – Bug 302179
minor security related problems in GDM
Last modified: 2010-06-04 19:41:54 UTC
just for the sake of completeness...

From: Thomas Biege
To: George Lebl
Cc: vendor-sec
Subject: [vendor-sec] GDM source-code review made several months ago

Hi,
last summer I looked at the source-code of GDM and found some minor issues. While cleaning up my bugzilla bugs I saw the results, blew away the dust, and thought it might be interesting for you.

-------------------------------------------------------------------------------

- Additional Comment #5 From Thomas Biege 2004-06-09 14:52 MST

checked verify-crypt.c

Two bugs found.

1.) password verification done before checking for closed accounts, login restrictions or allowed remote logins for root
    result: even invalid logins can be brute-forced
    note, syslog messages are emitted for these cases

2.) "anti-brute-force-delay" missing for invalid logins
    note, syslog messages are emitted for these cases

Nevertheless the code is in very good style.

Stay tuned...

- Additional Comment #6 From Thomas Biege 2004-06-14 13:45 MST

checked verify-shadow.c

same bug as described in comment #5.

Another (nitpicker) issue is that the shadow passwd file can be closed earlier. In this case it is harmless.

- Additional Comment #7 From Thomas Biege 2004-06-17 16:49 MST

verify-pam.c: like comment #5

code is much more complex and till now I didn't dig very deep. It includes various hacks and workarounds. (looks like handling PAM isn't easy)

Another problem in verify-{crypt,shadow}.c is that for non-existing users strcmp() and crypt() isn't called. Therefore there is a time-difference between authenticating existing and non-existing users that can be measured.

-------------------------------------------------------------------------------

Sorry for not letting you know earlier... I just forgot it.

--
Bye,
  Thomas
Feel free to provide a patch
Thomas. Thanks for the bug report. To be honest, I'm having trouble understanding exactly what problems you have found. Perhaps you could highlight more clearly what the problems are (what specific functions have issues), or provide a patch that improves the logic?
for example in verify-crypt.c about line 200 you have the block:

    if (ppasswd == NULL ||
        (ppasswd[0] != '\0' &&
         strcmp (crypt (passwd, ppasswd), ppasswd) != 0)) {

This comes before all restrictions are verified. Therefore brute-forcing the password is even possible if the account is closed. Or think about the policy of denied root logins. This test comes directly after the if-block mentioned above.

Better test the password and set a flag like "password_ok" and after verifying all the restrictions print a message to the user like "Couldn't authenticate user ..." (Expired password changing should be done only if the password entered was correct for sure. :)

I was not sure where I found the "anti brute force delay" I mentioned above... I looked at the code about 1 year ago and won't do a full review right now. :) Maybe I was wrong here.

Are you doing random sleep()s to avoid timing attacks (measure execution path) in your code? Looking quickly at the code I just found one in verify-pam.c... hmmm?
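The two findings in this report, the check ordering from comment #5 (the verify-crypt.c block quoted in the comment above) and the unknown-user timing difference from comment #7, are easier to see side by side in a small model. The following is an added example written for this page; it is not GDM code and not a patch. verify_old keeps the ordering of the quoted block; verify_new does what the comment above suggests: it keeps a password_ok flag, checks every restriction, and reports one generic failure, logging the real reason separately. crypt() is replaced by a constructed FNV-1a stand-in so the file builds without -lcrypt, the user database and the locked/root flags are constructed sample data, and the hash_calls counter exists only to show that the rewritten path also runs the hash for users that do not exist.

```c
/* Added example for bug 302179, not GDM code: the check ordering of the
 * verify-crypt.c block quoted above, beside a rewrite that keeps a
 * password_ok flag, checks all restrictions, and reports one generic failure.
 * crypt() is replaced by a constructed stand-in so this builds without -lcrypt. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 16
static unsigned long hash_calls;  /* how often the (slow) hash step ran */

/* Constructed stand-in for crypt(): 64-bit FNV-1a as 16 hex digits.
 * Not a real password hash; it only has to be deterministic here. */
static void fnv_hex(const char *pw, char out[DIGEST_LEN + 1])
{
    uint64_t h = 14695981039346656037ULL;
    for (const unsigned char *p = (const unsigned char *)pw; *p; p++)
        h = (h ^ *p) * 1099511628211ULL;
    snprintf(out, DIGEST_LEN + 1, "%016llx", (unsigned long long)h);
}
static void fake_crypt(const char *pw, char out[DIGEST_LEN + 1])
{
    hash_calls++;  /* counted so the tests can show which path skips it */
    fnv_hex(pw, out);
}
/* Constant-time digest comparison: no early exit at the first mismatch. */
static bool ct_equal(const char *a, const char *b)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < DIGEST_LEN; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

struct account {
    const char *name;
    char hash[DIGEST_LEN + 1];
    bool locked;   /* "closed" account: expired or disabled */
    bool is_root;  /* subject to the no-remote-root-login policy */
};
static struct account db[3];  /* constructed sample database, filled lazily */

static const struct account *lookup(const char *name)
{
    static const struct { const char *name, *pw; bool locked, is_root; } seed[3] = {
        { "alice", "hunter2", false, false },
        { "bob",   "letmein", true,  false },
        { "root",  "toor",    false, true  },
    };
    static bool ready;
    for (size_t i = 0; !ready && i < 3; i++) {
        db[i].name = seed[i].name;
        fnv_hex(seed[i].pw, db[i].hash);  /* setup, not a login: uncounted */
        db[i].locked = seed[i].locked;
        db[i].is_root = seed[i].is_root;
    }
    ready = true;
    for (size_t i = 0; i < 3; i++)
        if (strcmp(db[i].name, name) == 0)
            return &db[i];
    return NULL;
}

enum verdict { V_OK, V_NO_USER, V_PW_WRONG, V_LOCKED, V_ROOT_DENIED, V_FAIL };

/* Same ordering as the quoted block: unknown users return before any hash
 * work, and the password is judged before the restrictions, so a closed
 * account or a denied remote root still reveals whether the guess was right. */
static enum verdict verify_old(const char *user, const char *pw, bool remote)
{
    const struct account *a = lookup(user);
    char h[DIGEST_LEN + 1];
    if (a == NULL)
        return V_NO_USER;
    fake_crypt(pw, h);
    if (!ct_equal(h, a->hash))
        return V_PW_WRONG;
    if (a->locked)
        return V_LOCKED;
    if (a->is_root && remote)
        return V_ROOT_DENIED;
    return V_OK;
}

/* Rewrite along the lines suggested in the thread: always run the hash
 * (against a dummy digest for unknown users), keep a password_ok flag, check
 * every restriction, and return one generic verdict.  The real reason goes
 * to *log_reason for syslog only, never to the login screen. */
static enum verdict verify_new(const char *user, const char *pw, bool remote,
                               const char **log_reason)
{
    static const char dummy_hash[DIGEST_LEN + 1] = "0000000000000000";
    const struct account *a = lookup(user);
    char h[DIGEST_LEN + 1];
    const char *reason = NULL;
    fake_crypt(pw, h);
    /* ct_equal runs first so the unknown-user path does the same work */
    bool password_ok = ct_equal(h, a ? a->hash : dummy_hash) && a != NULL;
    if (a == NULL)                 reason = "unknown user";
    else if (!password_ok)         reason = "wrong password";
    else if (a->locked)            reason = "account closed";
    else if (a->is_root && remote) reason = "remote root login denied";
    if (log_reason) *log_reason = reason;
    return reason ? V_FAIL : V_OK;
}
```

With verify_old, a guess against the closed account "bob" comes back as V_PW_WRONG for a wrong password and V_LOCKED for the right one, which is exactly the oracle comment #5 describes, and a lookup of a name that does not exist returns without touching the hash at all. With verify_new every failure is V_FAIL from the caller's point of view, the distinct reason is only available for logging, and the hash runs once per attempt whether or not the user exists. A real login program would also want the delay comment #5 mentions; that is deliberately left out here because the thread does not settle where it belongs.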
Thanks for taking the time to report this bug. However, you are using a version that is too old and not supported anymore. GNOME developers are no longer working on that version, so unfortunately there will not be any bug fixes for the version that you use. By upgrading to a newer version of GNOME you could receive bug fixes and new functionality. You may need to upgrade your Linux distribution to obtain a newer version of GNOME. Please feel free to reopen this bug if the problem still occurs with a newer version of GNOME.