
Golang : Add Query To Detect PAM Authorization Bugs #562

@ghost

Description

Query PR

github/codeql-go#709

Language

GoLang

CVE(s) ID list

This issue is fairly common and was recently found in gogs/gogs and go-gitea/gitea. In this case, the bugs were assigned CVE-2022-0871 and CVE-2022-0905 respectively.

CWE

CWE-285

Report

Using merely the pam_authenticate call to grant access to a user can cause a security issue. The pam_authenticate call only checks whether the username and the password match. It does not check whether the account is expired. Hence, a user with an expired login or an expired password can still log in.

This PR aims to detect instances where an initiated PAM transaction invokes the Authenticate method but does not invoke a call to the AcctMgmt method. Due to the nature of the query, I don't expect many FP's or FN's. There could be some unwanted alerts due to test code, but to avoid that I filter out all file paths which have test in them.

With this PR, I submit two queries, one using local data flow and the other using global taint flow. The global taint flow one should be more precise but may have a performance penalty, while the local flow one may lead to FN's but should be faster to execute.

A quick run of both these queries on roughly 17 projects can be found in the LGTM runs below.

All of the results appear to be correct. The runs also include two projects, porcupineyhairs/gogs_pam and porcupineyhairs/gitea_pam. These are vulnerable versions of the projects mentioned above. The alerts show a valid detection of the CVE. The absence of alerts for the gogs and gitea projects shows detection of the patch correcting the bug.

I am also working on two more PR's for C and Python respectively which detect the same underlying issue.

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

  • Yes
  • No

Blog post link

No response
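The vulnerable and corrected call patterns the report above describes, as an added example that is not code from the submission, from gogs or gitea, or from the github.com/msteinert/pam package. It assumes (as an assumption about that package's API) that a PAM transaction exposes Authenticate(flags) error and AcctMgmt(flags) error; the Transaction interface, the fake transaction, the Flags type, the sentinel errors and the user table below are all constructed for the example so that it runs without cgo or libpam.

```go
package main

import (
	"errors"
	"fmt"
)

// Flags stands in for pam.Flags (assumption); the fake ignores it.
type Flags int

// Transaction is the subset of a PAM transaction the example needs. The method
// names mirror the ones the report discusses; real code would use *pam.Transaction.
type Transaction interface {
	Authenticate(flags Flags) error // pam_authenticate: credential check only
	AcctMgmt(flags Flags) error     // pam_acct_mgmt: account validity (expiry etc.)
}

// Sentinel errors returned by the fake; named after the PAM codes they model.
var (
	ErrAuth           = errors.New("PAM_AUTH_ERR: bad credentials")
	ErrAcctExpired    = errors.New("PAM_ACCT_EXPIRED: account expired")
	ErrNewAuthTokReqd = errors.New("PAM_NEW_AUTHTOK_REQD: password expired")
)

// account is one row of the constructed user table backing the fake.
type account struct {
	password        string
	accountExpired  bool
	passwordExpired bool
}

// fakeDB is constructed sample data: one healthy user, one expired account,
// one expired password.
var fakeDB = map[string]account{
	"alice": {password: "correct horse"},
	"bob":   {password: "hunter2", accountExpired: true},
	"carol": {password: "letmein", passwordExpired: true},
}

// fakeTx implements Transaction against fakeDB.
type fakeTx struct {
	user, password string
}

// Authenticate succeeds whenever the credentials match, regardless of expiry,
// which is exactly the property pam_authenticate has on its own.
func (t *fakeTx) Authenticate(_ Flags) error {
	acct, ok := fakeDB[t.user]
	if !ok || acct.password != t.password {
		return ErrAuth
	}
	return nil
}

// AcctMgmt is where expiry is enforced.
func (t *fakeTx) AcctMgmt(_ Flags) error {
	acct := fakeDB[t.user]
	switch {
	case acct.accountExpired:
		return ErrAcctExpired
	case acct.passwordExpired:
		return ErrNewAuthTokReqd
	}
	return nil
}

// startTx plays the role of pam.StartFunc for the fake.
func startTx(user, password string) Transaction {
	return &fakeTx{user: user, password: password}
}

// loginVulnerable is the pattern the query flags: the transaction is
// authenticated but AcctMgmt is never called, so an expired account or an
// expired password still logs in.
func loginVulnerable(user, password string) error {
	tx := startTx(user, password)
	return tx.Authenticate(0)
}

// loginFixed is the corrected pattern: Authenticate followed by AcctMgmt on
// the same transaction, with either failure rejecting the login.
func loginFixed(user, password string) error {
	tx := startTx(user, password)
	if err := tx.Authenticate(0); err != nil {
		return err
	}
	return tx.AcctMgmt(0)
}

func main() {
	for _, c := range []struct{ user, pw string }{
		{"alice", "correct horse"}, {"bob", "hunter2"}, {"carol", "letmein"}, {"alice", "wrong"},
	} {
		fmt.Printf("%-6s vulnerable=%v fixed=%v\n", c.user, loginVulnerable(c.user, c.pw), loginFixed(c.user, c.pw))
	}
}
```

Running main shows bob (expired account) and carol (expired password) accepted by loginVulnerable and rejected by loginFixed, while the bad-password case fails in both. In a real call site the PAM_NEW_AUTHTOK_REQD result from pam_acct_mgmt should lead to a forced password change (pam_chauthtok) rather than a plain rejection or, worse, a successful login.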

Metadata

Labels

All For One (Submissions to the All for One, One for All bounty)