hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-05 05:35:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

CPP: PAM Authorization Bypass

Browse Source 
This PR is similar to my other PRs for
[Python](https://github.com/github/codeql/pull/8595) and
[Golang](https://github.com/github/codeql-go/pull/709).

This PR aims to detect instances were an initiated PAM Transaction invokes the `pam_authenticate` method but does not invoke a call to the pam_acct_mgmt` method. This is bad as a call to `pam_authenticate` only verifies the users credentials. It does not check if the user account is still is a valid state.

If only a call to `pam_authenticate` is used to verify the user, a user with an expired account password would still be able to login. This can be prevented by calling the `pam_acct_mgmt` function after a `pam_authenticate` function.
This commit is contained in:
Porcupiney Hairs
2022-04-03 19:02:26 +05:30
parent 82463c9290
commit 85c751cb7f
7 changed files with 187 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-285/PamAuthorization.expected Normal file
View File

@@ -0,0 +1 @@
| test.cpp:29:11:29:26 | call to pam_authenticate | This PAM authentication call may be lead to an authorization bypass. |

1
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-285/PamAuthorization.qlref Normal file
View File

@@ -0,0 +1 @@
experimental/Security/CWE/CWE-285/PamAuthorization.ql

59
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-285/test.cpp Normal file
View File

@@ -0,0 +1,59 @@
#include "../../../../../library-tests/dataflow/taint-tests/stl.h"
using namespace std;
#define PAM_SUCCESS 1
typedef struct pam_handle
{
};
int pam_start(std::string servicename, std::string username, int a, struct pam_handle **);
int pam_authenticate(struct pam_handle *, int e);
int pam_acct_mgmt(struct pam_handle *, int e);
bool PamAuthBad(const std::string &username_in,
const std::string &password_in,
std::string &authenticated_username)
{
struct pam_handle *pamh = nullptr; /* pam session handle */
const char *username = username_in.c_str();
int err = pam_start("test", username,
0, &pamh);
if (err != PAM_SUCCESS)
{
return false;
}
err = pam_authenticate(pamh, 0);
if (err != PAM_SUCCESS)
return err;
return true;
}
bool PamAuthGood(const std::string &username_in,
const std::string &password_in,
std::string &authenticated_username)
{
struct pam_handle *pamh = nullptr; /* pam session handle */
const char *username = username_in.c_str();
int err = pam_start("test", username,
0, &pamh);
if (err != PAM_SUCCESS)
{
return false;
}
err = pam_authenticate(pamh, 0);
if (err != PAM_SUCCESS)
return err;
err = pam_acct_mgmt(pamh, 0);
if (err != PAM_SUCCESS)
return err;
return true;
}