[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1058357753.25107.0.camel@localhost>
From: gerd-fd-list at cerb.de (Gerd Feiner)
Subject: qmail-auth vulnerability
from john simpson on bugtraq:
the qmail-smtpd-auth patch is a commonly used patch to qmail which
allows
the qmail-smtpd program to support the AUTH extension, by specifying a
"checkpassword" program on the command line. the homepage for the patch is:
http://members.elysium.pl/brush/qmail-smtpd-auth/
the patch modifies qmail-smtpd so that it can be called with three
command-line parameters: the local host name (used for generating CRAM-MD5
challenges), the checkpassword program itself, and a "dummy" program which
is run by the checkpassword program after a successful authentication.
the "dummy" program is needed because checkpassword programs are designed
for use in a POP3 or IMAP situation, where they would validate the user's
credentials and then run the actual POP3 or IMAP server program.
the current version of the SMTP-AUTH patch contains a serious bug which can
accidentally allow somebody who forgets one or more of the command line
parameters to start running an open relay by accident. it has been reported
in several places over the last week, including this message on the qmail
mailing list:
http://marc.theaimsgroup.com/?l=qmail&m=105452174430616&w=2
if the user forgets the hostname parameter to qmail-smtpd and uses /bin/true
as the dummy program (/bin/true is the suggested dummy program), they will
actually be using /bin/true as the checkpassword program, which allows ANY
combination of userid and password to use your server as a relay.
i have written a revision to the qmail-smtpd-auth patch which compensates
for this common error by not supporting the AUTH command unless all three
command line arguments are present.
the version 0.31 patch does not correctly check for this- with a missing
command line argument, it ends up reading memory beyond the end of argv[],
which is NOT filled with zeros- on most *nix systems it's actually the
beginning of the environment block.
http://www.jms1.net/qmail/ has the modified "auth.patch" file available for
download.
the changes i've made (actually CHECKING argc instead of assuming there will
be something there) need to be incorporated into the qmail-smtpd-auth patch
as soon as possible. the author of the patch seems to have not touched it
since may 2002.
--
There are only 10 types of people in the world:
Those who understand binary and those who don't ...
GPG-Key at:
http://www.cerb.de/gerd/gpg-keys/pub.key
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030716/76756b8a/attachment.bin
Powered by blists - more mailing lists