Message-ID: <20030716115418.GA22934@ohse.de>
Date: Wed, 16 Jul 2003 11:54:18 +0000
From: Uwe Ohse <uwe@...e.de>
To: smtpauth@...t.elysium.pl, qmail@...t.cr.yp.to, bugtraq@...urityfocus.com
Subject: Re: possible open relay hole in qmail-smtpd-auth patch


On Tue, Jul 15, 2003 at 12:36:05PM -0400, John Simpson wrote:

> the current version of the SMTP-AUTH patch contains a serious bug which can 
> accidentally allow somebody who forgets one or more of the command line 
> parameters to start running an open relay by accident. it has been reported 
> in several places over the last week, including this message on the qmail 
> mailing list:

A possible configuration problem is NOT a reason to disallow legitimate
configurations or to enforce the use of useless dummy arguments, and 
unless you are going to invent some kind of artificial intelligence 
inside tools or installers using checkpassword i request that you 
stop this.


While the usual usage of checkpassword is something like this
  tcpserver host port prog1 [args] checkpassword prog2 [args]
there is no reason why one has to call it that way. One may replace
the part starting from "checkpassword" by a wrapper (this may be
especially handy to add logging, to try more than one checkpassword
style program or when one has to use different "tcpserver...prog1" 
combinations all sharing identical later commandline arguments -
i've seen this being used).
Cluttering the commandline with "dummy-argument-for-stupid-patches"
or whatever is not going to do any good, is not looking good, and 
does not add any security at all.


In fact, someone stupid enough to patch qmail without understanding
the patch and stupid enough to ignore vital parts of its 
documentation (the examples, at least) is likely to be stupid 
enough to change the order of checkpassword and /bin/true, too.
Are you now going to patch /bin/true to bail out in case it finds
commandline arguments?


> http://www.jms1.net/qmail/ has the modified "auth.patch" file available for 
> download.

please? Are you seriously expecting that this:
+  if(argc > 2)                                                                 
+  {                                                                            
+    hostname = argv[1];                                                        
+    childargs = argv + 2;                                                      
+    useauth = 1;                                                               
+  }                                                                            
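
Review bot: the "argc > 2" condition is already true at argc == 3, so a command line with only two arguments after the program name still sets useauth = 1, with childargs = argv + 2 holding a single entry. If the intent is to require a hostname, a checkpassword program and the program it runs, the test has to be "argc > 3". No else branch is visible in this hunk, so it is also worth stating what happens when the arguments are incomplete.
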
will work?

Hint: when called "qmail-smtpd HOST CHECKPASSWORD" argc will be 3. 
I'd call this a beginner's mistake, but even beginners are supposed
to test their code.


> the changes i've made (actually CHECKING argc instead of assuming there will 
> be something there) need to be incorporated into the qmail-smtpd-auth patch 

i suggest you start "CHECKING" your code.

While i'm at it: Your qmail-1.03-jms1-antispam.patch not only violates
the SMTP protocol (replying OK when the mail will definitively not reach
the recipient) but does that in case of almost any programming or 
configuration problem in the filter chain, causing shell/filters to
exit with 1.
Why the heck did you change exit code 1 from "temporary problem,
try again later" to "throw away that mail"? Why do you actually 
run a smtp server if your mail is worthless?

Regards, Uwe
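
The wrapper arrangement mentioned in the message (logging, and trying more than one checkpassword-style program) as an added example; it is not part of the original post or of qmail. The function name `try_checkers` is hypothetical, and the fd 3 input and the exit codes 0/1/2/111 are assumed from the checkpassword convention.

```shell
#!/bin/sh
# Added example: one wrapper in front of several checkpassword-style programs.
# Assumed interface (checkpassword convention): credentials arrive on fd 3 as
# login\0password\0timestamp\0; exit 0 = accepted and prog2 ran,
# 1 = rejected, 2 = misuse, 111 = temporary failure.

# try_checkers "checker1 checker2 ..." prog2 [args]
# Returns the first checker status that is not 1, or 1 if every checker rejects.
try_checkers() {
    # Fail closed on an incomplete command line: no checker list or no prog2
    # is reported as misuse (2), never treated as "accepted".
    if [ "$#" -lt 2 ]; then
        echo "usage: try_checkers 'checker ...' prog2 [args]" >&2
        return 2
    fi
    checkers=$1
    shift

    # fd 3 can be read only once, so spool it to a private file and replay
    # it for each checker. mktemp creates the file with mode 0600; it holds
    # the cleartext password until it is removed below.
    cred=$(mktemp) || return 111
    if ! cat <&3 >"$cred"; then
        rm -f "$cred"
        return 111
    fi

    rc=1    # an empty checker list falls through as "rejected"
    for checker in $checkers; do
        "$checker" "$@" 3<"$cred"
        rc=$?
        # Log the outcome only, never the credentials.
        echo "try_checkers: $checker exited $rc" >&2
        # Only "rejected" (1) moves on to the next checker; success, misuse
        # and temporary errors go back to the caller unchanged.
        [ "$rc" -eq 1 ] || break
    done
    rm -f "$cred"
    return "$rc"
}
```

A temporary failure (111) from one checker stops the chain instead of falling through to the next, so a broken backend is not reported to the caller as a rejected password.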

