Merge pull request #9108 from RasmusWL/promote-pam

Python: Promote `py/pam-auth-bypass`
2026-05-02 04:05:14 +02:00 · 2022-05-23 15:27:12 +02:00
parent 04ca9cfaf4 6611e5b4b8
commit 3745526d69
12 changed files with 62 additions and 38 deletions
--- a/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/PamAuthorization.expected
+++ b/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/PamAuthorization.expected
@@ -0,0 +1 @@
+| pam_test.py:48:18:48:44 | ControlFlowNode for pam_authenticate() | This PAM authentication call may lead to an authorization bypass, since 'pam_acct_mgmt' is not called afterwards. |
--- a/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/PamAuthorization.qlref
+++ b/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/PamAuthorization.qlref
@@ -0,0 +1 @@
+Security/CWE-285/PamAuthorization.ql
--- a/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/pam_test.py
+++ b/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/pam_test.py
@@ -0,0 +1,63 @@
+from ctypes import CDLL, POINTER, Structure, byref
+from ctypes import c_char_p, c_int
+from ctypes.util import find_library
+
+
+class PamHandle(Structure):
+    pass
+
+
+class PamMessage(Structure):
+    pass
+
+
+class PamResponse(Structure):
+    pass
+
+
+class PamConv(Structure):
+    pass
+
+# this is normal way to do things
+libpam = CDLL(find_library("pam"))
+
+# but we also handle assignment to temp variable
+temp = find_library("pam")
+libpam = CDLL(temp)
+
+pam_start = libpam.pam_start
+pam_start.restype = c_int
+pam_start.argtypes = [c_char_p, c_char_p, POINTER(PamConv), POINTER(PamHandle)]
+
+pam_authenticate = libpam.pam_authenticate
+pam_authenticate.restype = c_int
+pam_authenticate.argtypes = [PamHandle, c_int]
+
+pam_acct_mgmt = libpam.pam_acct_mgmt
+pam_acct_mgmt.restype = c_int
+pam_acct_mgmt.argtypes = [PamHandle, c_int]
+
+
+class pam():
+
+    def authenticate_bad(self, username, service='login'):
+        handle = PamHandle()
+        conv = PamConv(None, 0)
+        retval = pam_start(service, username, byref(conv), byref(handle))
+
+        retval = pam_authenticate(handle, 0)
+        auth_success = retval == 0
+
+        return auth_success
+
+    def authenticate_good(self, username, service='login'):
+        handle = PamHandle()
+        conv = PamConv(None, 0)
+        retval = pam_start(service, username, byref(conv), byref(handle))
+
+        retval = pam_authenticate(handle, 0)
+        if retval == 0:
+            retval = pam_acct_mgmt(handle, 0)
+        auth_success = retval == 0
+
+        return auth_success
				`@@ -0,0 +1 @@`
				`\| pam_test.py:48:18:48:44 \| ControlFlowNode for pam_authenticate() \| This PAM authentication call may lead to an authorization bypass, since 'pam_acct_mgmt' is not called afterwards. \|`