+++ This bug was initially created as a clone of Bug #243204 +++ Description of problem: The logging of failed logins can be used to inject bad information into audit logs. Example: ssh -l "fakeuser auid=1234 tty=pty1 host=127.0.0.1" victim causes: type=USER_AUTH msg=audit(06/07/2007 11:04:14.429:101) : user pid=8151 uid=root auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM: authentication acct=fakeuser auid=unknown(1234) tty=pty1 host=127.0.0.1 : exe=/usr/sbin/sshd (hostname=discovery.redhat.com, addr=192.168.1.171, terminal=ssh res=failed)' Version-Release number of selected component (if applicable): all recent versions -- Additional comment from sgrubb on 2007-06-08 15:10 EST -- ssh -l "fakeuser auid=1234 terminal=pty1 hostname=127.0.0.1" victim Is a better test case. Using it, you can subvert ausearch and aureport when they search or report on tty or hostname. This is important in that some people could construct protective measures based on the audit log information and wind up suspecting the wrong host. Its easy to image this become a DoS vector. And it would possibly make people lose confidence in audit system. -- Additional comment from mjc on 2007-06-15 09:19 EST -- This issue has security implications as a third party may rely on parsing the audit logs (like a IDS/IPS system) and this false information may be able to fool it. allocated CVE-2007-3102 -- Additional comment from tmraz on 2007-06-22 17:18 EST -- Because it was problematic to change from using audit_log_user_message() we've decided to implement the escaping directly in the pam package so the audit library change is not necessary anymore.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0737.html