Python : Improve the PAM authentication bypass query

The current PAM auth bypass query which was contributed by me a few months back, alert on a vulenrable function but does not check if the function is actually function. This leads to a lot of fasle positives. With this PR, I add a taint-tracking configuration to check if the username parameter can actually be supplied by an attacker. This should bring the FP's significantly down.
2025-12-20 02:44:30 +01:00 · 2022-10-03 02:31:43 +05:30
parent a964325724
commit db231a111c
7 changed files with 158 additions and 27 deletions
--- a/python/ql/lib/change-notes/2022-11-17-py-pam-improve.md
+++ b/python/ql/lib/change-notes/2022-11-17-py-pam-improve.md
@@ -0,0 +1,4 @@
+---
+ category: majorAnalysis
+---
+* Converted `py/pam-auth-bypass` to a data-flow query, resulting in significantly lower false positives.
--- a/python/ql/lib/semmle/python/security/dataflow/PamAuthorization.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/PamAuthorization.qll
@@ -0,0 +1,44 @@
+/**
+ * Provides a taint-tracking configuration for detecting "PAM Authorization" vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `PamAuthorization::Configuration` is needed, otherwise
+ * `PamAuthorizationCustomizations` should be imported instead.
+ */
+
+import python
+import semmle.python.ApiGraphs
+import semmle.python.dataflow.new.TaintTracking
+import PamAuthorizationCustomizations::PamAuthorizationCustomizations
+
+/**
+ * Provides a taint-tracking configuration for detecting "PAM Authorization" vulnerabilities.
+ */
+module PamAuthorization {
+  /**
+   * A taint-tracking configuration for detecting "PAM Authorization" vulnerabilities.
+   */
+  class Configuration extends TaintTracking::Configuration {
+    Configuration() { this = "RemoteToPam" }
+
+    override predicate isSource(DataFlow::Node node) { node instanceof Source }
+
+    override predicate isSink(DataFlow::Node node) { node instanceof Sink }
+
+    override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+      // Models flow from a remotely supplied username field to a PAM `handle`.
+      // `retval = pam_start(service, username, byref(conv), byref(handle))`
+      exists(API::CallNode pamStart, DataFlow::Node handle, API::CallNode pointer |
+        pointer = API::moduleImport("ctypes").getMember(["pointer", "byref"]).getACall() and
+        pamStart = libPam().getMember("pam_start").getACall() and
+        pointer = pamStart.getArg(3) and
+        handle = pointer.getArg(0) and
+        pamStart.getArg(1) = node1 and
+        handle = node2
+      )
+      or
+      // Flow from handle to the authenticate call in the final step
+      exists(VulnPamAuthCall c | c.getArg(0) = node1 | node2 = c)
+    }
+  }
+}
--- a/python/ql/lib/semmle/python/security/dataflow/PamAuthorizationCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/PamAuthorizationCustomizations.qll
@@ -0,0 +1,61 @@
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "PAM Authorization" vulnerabilities.
+ */
+
+import python
+import semmle.python.ApiGraphs
+import semmle.python.dataflow.new.TaintTracking
+import semmle.python.dataflow.new.RemoteFlowSources
+
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "PAM Authorization" vulnerabilities.
+ */
+module PamAuthorizationCustomizations {
+  /**
+   * Models a node corresponding to the `pam` library
+   */
+  API::Node libPam() {
+    exists(API::CallNode findLibCall, API::CallNode cdllCall |
+      findLibCall =
+        API::moduleImport("ctypes").getMember("util").getMember("find_library").getACall() and
+      findLibCall.getParameter(0).getAValueReachingSink().asExpr().(StrConst).getText() = "pam" and
+      cdllCall = API::moduleImport("ctypes").getMember("CDLL").getACall() and
+      cdllCall.getParameter(0).getAValueReachingSink() = findLibCall
+    |
+      result = cdllCall.getReturn()
+    )
+  }
+
+  /**
+   * A data flow source for "PAM Authorization" vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for "PAM Authorization" vulnerabilities.
+   */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * A source of remote user input, considered as a flow source.
+   */
+  class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
+
+  /**
+   * A vulnerable `pam_authenticate` call considered as a flow sink.
+   */
+  class VulnPamAuthCall extends API::CallNode, Sink {
+    VulnPamAuthCall() {
+      exists(DataFlow::Node h |
+        this = libPam().getMember("pam_authenticate").getACall() and
+        h = this.getArg(0) and
+        not exists(API::CallNode acctMgmtCall |
+          acctMgmtCall = libPam().getMember("pam_acct_mgmt").getACall() and
+          DataFlow::localFlow(h, acctMgmtCall.getArg(0))
+        )
+      )
+    }
+  }
+}