Improper Authorization in fredhutch/motuz

Valid

Reported on

Mar 7th 2022


Description

When motuz is configured for PAM authentication it skips the authorization (account management) step completely: it calls pam_authenticate but never pam_acct_mgmt. Therefore expired accounts and accounts with expired passwords can still log in.

Proof of Concept

You can expire an account with `chage -E0 <username>` and still log in.

Impact

Since disabling (locking) an account in PAM still allows login via SSH keys, it is common practice to set accounts to expire when you want to deny access. Accounts that technically have no privilege at all are therefore still allowed to log in. To fix this, after a successful call to pam_authenticate it is necessary to also call pam_acct_mgmt.
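The checks that pam_acct_mgmt performs (through pam_unix) are driven by the fields of /etc/shadow that chage manipulates. The following added example, which is not part of this report or of the motuz code base, audits constructed shadow-style entries with a simplified version of those checks. It shows why `chage -E0` (account expiry on day 0) denies access, why an old password becomes "change required" and then "expired" once the inactivity grace period passes, and why a locked password hash (`!`) does not make pam_acct_mgmt reject the account, which is the reason key-based SSH logins survive `passwd -l`. The sample entries, the placeholder hashes and the constant `TODAY` are constructed; the ordering and conditions approximate pam_unix and omit its warning-period logic.

```python
"""Audit /etc/shadow-style entries for the conditions pam_acct_mgmt enforces.

Added example, not motuz code. All sample data below is constructed.
Field layout per shadow(5): name:passwd:lastchg:min:max:warn:inactive:expire:reserved
Day counts are days since 1970-01-01; an empty field means "not set" (-1).
"""

# Constructed sample entries; "$6$PLACEHOLDER" stands in for a real hash.
SAMPLE_SHADOW = """\
alice:$6$PLACEHOLDER:19000:0:99999:7:::
bob:$6$PLACEHOLDER:19000:0:99999:7::0:
carol:$6$PLACEHOLDER:18500:0:90:7:::
dave:$6$PLACEHOLDER:18500:0:90:7:30::
erin:$6$PLACEHOLDER:0:0:99999:7:::
frank:!:19000:0:99999:7:::
"""

# Constructed "current day" for the audit (days since the epoch).
TODAY = 19100


def _field(value):
    """Empty shadow fields mean 'not set'; shadow(5) represents that as -1."""
    return int(value) if value else -1


def parse_shadow_line(line):
    """Parse one shadow entry into a dict of named, integer-typed fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"malformed shadow entry: {line!r}")
    name, passwd, lastchg, minimum, maximum, warn, inactive, expire, _ = fields
    return {
        "name": name,
        "passwd": passwd,
        "lastchg": _field(lastchg),
        "min": _field(minimum),
        "max": _field(maximum),
        "warn": _field(warn),
        "inactive": _field(inactive),
        "expire": _field(expire),
    }


def password_locked(entry):
    """True when the hash field is locked/disabled (passwd -l, usermod -L, '*').

    pam_unix rejects such hashes during pam_authenticate, i.e. password login.
    Authentication methods that never run pam_authenticate (SSH public keys)
    are unaffected, which is why locking alone does not deny access.
    """
    return entry["passwd"].startswith("!") or entry["passwd"] == "*"


def account_status(entry, today):
    """Simplified mirror of the checks pam_unix runs during pam_acct_mgmt.

    Order matters: account expiry is tested before any password ageing test,
    so `chage -E0` (expire = day 0, always <= today) rejects outright.
    """
    if entry["expire"] != -1 and today >= entry["expire"]:
        return "account_expired"                     # PAM_ACCT_EXPIRED
    if entry["lastchg"] == 0:
        return "password_change_required"            # chage -d 0: forced change
    age = today - entry["lastchg"]
    if entry["max"] != -1 and entry["lastchg"] != -1 and age > entry["max"]:
        if entry["inactive"] != -1 and age > entry["max"] + entry["inactive"]:
            return "password_expired"                # grace period also used up
        return "password_change_required"            # PAM_NEW_AUTHTOK_REQD
    return "ok"                                      # PAM_SUCCESS


def audit(shadow_text, today):
    """Map every account in the shadow text to its pam_acct_mgmt-style status."""
    entries = (parse_shadow_line(l) for l in shadow_text.splitlines() if l)
    return {e["name"]: account_status(e, today) for e in entries}


if __name__ == "__main__":
    for name, status in audit(SAMPLE_SHADOW, TODAY).items():
        locked = " (password locked)" if password_locked(parse_shadow_line(
            next(l for l in SAMPLE_SHADOW.splitlines() if l.startswith(name + ":"))
        )) else ""
        print(f"{name:8} {status}{locked}")
```

Note the two accounts that matter for this report: `bob` is rejected only by the account-management step, so an application that stops after pam_authenticate lets him in, while `frank` passes account management despite the locked hash, so expiry (not locking) is the control an administrator relies on to deny all access.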

References

We are processing your report and will contact the fredhutch/motuz team within 24 hours. a year ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
ysf submitted a
a year ago
We have contacted a member of the fredhutch/motuz team and are waiting to hear back a year ago
fredhutch/motuz maintainer validated this vulnerability a year ago
ysf has been awarded the disclosure bounty
The fix bounty is now up for grabs
fredhutch/motuz maintainer marked this as fixed in 0.2.0 with commit b5a95c a year ago
ysf has been awarded the fix bounty
This vulnerability will not receive a CVE