Improper Authorization and possible DoS when using PAM Auth in bareos/bareos
Mar 6th 2022
When bareos versions after 18.2 are build and configured for PAM authentification it skips checking authorization completely. Expired accounts and accounts with expired passwords can still login. Further after wrong authentication or the code returns without releasing the PAM handle, thus assigning memory without releasing it.
Proof of Concept
You can expire an account with
chage -E0 <username> and still login.
Since disabling an account in PAM still allows to login via ssh-keys, it's common to set accounts to expire if you want to deny access. So accounts who technically don't have any privilege are still allowed to login. To circumvent this, after an successful call to
pam_authenticate it is necessary to call
pam_acct_mgmt for authorization purposes.
Because of not releasing the PAM memory after unsuccessful tries, it is theoreticaly possible to occupy memory resulting in a DoS.