PAM user information disclosure timing vulnerability

by Mario Miri on April 18th, 2003

A timing attack has been described against Pluggable Authentication Modules (PAM) that could allow an attacker to determine whether a username is valid. Further analysis of response times reveals whether the user has restricted or privileged access to the system.


Vulnerable:
Conectiva Linux graficas
Conectiva Linux ecommerce
Conectiva Linux 3.0
Conectiva Linux 4.0
Conectiva Linux 4.1
Conectiva Linux 4.2
Conectiva Linux 5.0
Conectiva Linux 5.1
Conectiva Linux 6.0
Conectiva Linux 7.0
Conectiva Linux 8.0
Debian Linux 2.0
Debian Linux 2.1
Debian Linux 2.2 r3
Debian Linux 2.2 r2
Debian Linux 2.2 r1
Debian Linux 2.2
Debian Linux 2.3
Debian Linux 3.0
FreeBSD 2.1.5
FreeBSD 2.1.6 .1
FreeBSD 2.1.6
FreeBSD 2.1.7 .1
FreeBSD 2.2
FreeBSD 2.2.2
FreeBSD 2.2.3
FreeBSD 2.2.4
FreeBSD 2.2.5
FreeBSD 2.2.6
FreeBSD 2.2.8
FreeBSD 3.0
FreeBSD 3.1
FreeBSD 3.2
FreeBSD 3.3
FreeBSD 3.4
FreeBSD 3.5 -STABLE
FreeBSD 3.5
FreeBSD 3.5.1 -STABLE
FreeBSD 3.5.1 -RELEASE
FreeBSD 3.5.1
FreeBSD 4.0
FreeBSD 4.1
FreeBSD 4.1.1 -STABLE
FreeBSD 4.1.1 -RELEASE
FreeBSD 4.1.1
FreeBSD 4.2 -STABLE
FreeBSD 4.2 -RELEASE
FreeBSD 4.2
FreeBSD 4.3 -STABLE
FreeBSD 4.3 -RELENG
FreeBSD 4.3 -RELEASE
FreeBSD 4.3
FreeBSD 4.4 -STABLE
FreeBSD 4.4 -RELENG
FreeBSD 4.4
FreeBSD 4.5 -STABLE
FreeBSD 4.5 -RELEASE
FreeBSD 4.5
FreeBSD 4.6 -STABLE
FreeBSD 4.6 -RELEASE
FreeBSD 4.6
FreeBSD 4.6.2
FreeBSD 4.7 -STABLE
FreeBSD 4.7 -RELEASE
FreeBSD 4.7
FreeBSD 4.8
FreeBSD 5.0
MandrakeSoft Corporate Server 1.0.1
MandrakeSoft Corporate Server 2.1
MandrakeSoft Linux Mandrake 6.0
MandrakeSoft Linux Mandrake 6.1
MandrakeSoft Linux Mandrake 7.0
MandrakeSoft Linux Mandrake 7.1
MandrakeSoft Linux Mandrake 7.2
MandrakeSoft Linux Mandrake 8.0
MandrakeSoft Linux Mandrake 8.1
MandrakeSoft Linux Mandrake 8.2
MandrakeSoft Linux Mandrake 9.0
MandrakeSoft Linux Mandrake 9.1
MandrakeSoft Multi Network Firewall 8.2
MandrakeSoft Single Network Firewall 7.2
NetBSD 1.0
NetBSD 1.1
NetBSD 1.2
NetBSD 1.2.1
NetBSD 1.3
NetBSD 1.3.1
NetBSD 1.3.2
NetBSD 1.3.3
NetBSD 1.4
NetBSD 1.4.1
NetBSD 1.4.2
NetBSD 1.4.3
NetBSD 1.5
NetBSD 1.5.1
NetBSD 1.5.2
NetBSD 1.5.3
NetBSD 1.6
NetBSD 1.6.1
OpenBSD 2.0
OpenBSD 2.1
OpenBSD 2.2
OpenBSD 2.3
OpenBSD 2.4
OpenBSD 2.5
OpenBSD 2.6
OpenBSD 2.7
OpenBSD 2.8
OpenBSD 2.9
OpenBSD 3.0
OpenBSD 3.1
OpenBSD 3.2
RedHat Linux 2.0
RedHat Linux 2.1
RedHat Linux 3.0.3
RedHat Linux 4.0
RedHat Linux 4.1
RedHat Linux 4.2
RedHat Linux 5.0
RedHat Linux 5.1
RedHat Linux 5.2
RedHat Linux 6.0
RedHat Linux 6.1
RedHat Linux 6.2
RedHat Linux 7.0
RedHat Linux 7.1
RedHat Linux 7.2
RedHat Linux 7.3
RedHat Linux 8.0
RedHat Linux 9.0 i386
S.u.S.E. Linux 4.2
S.u.S.E. Linux 4.3
S.u.S.E. Linux 4.4
S.u.S.E. Linux 4.4.1
S.u.S.E. Linux 5.0
S.u.S.E. Linux 5.1
S.u.S.E. Linux 5.2
S.u.S.E. Linux 5.3
S.u.S.E. Linux 6.0
S.u.S.E. Linux 6.1
S.u.S.E. Linux 6.2
S.u.S.E. Linux 6.3
S.u.S.E. Linux 6.4
S.u.S.E. Linux 7.0
S.u.S.E. Linux 7.1
S.u.S.E. Linux 7.2
S.u.S.E. Linux 7.3
S.u.S.E. Linux 8.0
S.u.S.E. Linux 8.1
S.u.S.E. Linux 8.2
S.u.S.E. Linux Admin-CD for Firewall
S.u.S.E. Linux Connectivity Server
S.u.S.E. Linux Database Server
S.u.S.E. Linux Enterprise Server 7
S.u.S.E. Linux Enterprise Server for S/390
Slackware Linux 2.0
Slackware Linux 2.0.35
Slackware Linux 2.1
Slackware Linux 2.2
Slackware Linux 2.3
Slackware Linux 3.1
Slackware Linux 3.2
Slackware Linux 3.3
Slackware Linux 3.4
Slackware Linux 3.5
Slackware Linux 3.6
Slackware Linux 3.9
Slackware Linux 4.0
Slackware Linux 7.0
Slackware Linux 7.1
Slackware Linux 8.0
Slackware Linux 8.1
Sun Solaris 2.5 _x86
Sun Solaris 2.5
Sun Solaris 2.5.1 _x86
Sun Solaris 2.5.1 _ppc
Sun Solaris 2.5.1
Sun Solaris 2.6 sparc
Sun Solaris 2.6 _x86
Sun Solaris 2.6
Sun Solaris 7.0 _x86
Sun Solaris 7.0
Sun Solaris 8.0 _x86
Sun Solaris 8.0
Sun Solaris 9.0 _x86
Sun Solaris 9.0



Solution:
Currently there are no vendor-supplied patches.


Discovered by:
Sebastian Krahmer
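
The class of leak described above, shown beside a hardened form, as an added example (not code from PAM or from the advisory). It assumes the timing difference comes from skipping the password hash for unknown accounts, which this page does not state; the accounts, the `DUMMY` record and all function names are constructed, and it counts key-derivation runs per attempt rather than measuring wall-clock time.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000
kdf_calls = 0  # instrumentation: number of expensive hash computations so far


def _kdf(password: str, salt: bytes) -> bytes:
    global kdf_calls
    kdf_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _make_entry(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _kdf(password, salt)}


# Constructed account database (hypothetical names and passwords).
USERS = {"alice": _make_entry("correct horse"), "root": _make_entry("battery staple")}
# Hypothetical dummy record: hashed against when the account does not exist.
DUMMY = _make_entry(os.urandom(16).hex())


def login_leaky(user: str, password: str) -> bool:
    entry = USERS.get(user)
    if entry is None:
        return False  # early exit: no hash is computed, so the reply comes back faster
    return hmac.compare_digest(_kdf(password, entry["salt"]), entry["hash"])


def login_uniform(user: str, password: str) -> bool:
    entry = USERS.get(user)
    known = entry is not None
    record = entry if known else DUMMY
    # Same work on both paths: one KDF run and one constant-time comparison.
    match = hmac.compare_digest(_kdf(password, record["salt"]), record["hash"])
    return known and match


def kdf_cost(login, user: str, password: str) -> int:
    """Return how many KDF runs a single login attempt triggers."""
    before = kdf_calls
    login(user, password)
    return kdf_calls - before
```
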

