| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: gerd-fd-list at cerb.de (Gerd Feiner) Subject: qmail-auth vulnerability from john simpson on bugtraq: the qmail-smtpd-auth patch is a commonly used patch to qmail which allows the qmail-smtpd program to support the AUTH extension, by specifying a "checkpassword" program on the command line. the homepage for the patch is: http://members.elysium.pl/brush/qmail-smtpd-auth/ the patch modifies qmail-smtpd so that it can be called with three command-line parameters: the local host name (used for generating CRAM-MD5 challenges), the checkpassword program itself, and a "dummy" program which is run by the checkpassword program after a successful authentication. the "dummy" program is needed because checkpassword programs are designed for use in a POP3 or IMAP situation, where they would validate the user's credentials and then run the actual POP3 or IMAP server program. the current version of the SMTP-AUTH patch contains a serious bug which can accidentally allow somebody who forgets one or more of the command line parameters to start running an open relay by accident. it has been reported in several places over the last week, including this message on the qmail mailing list: http://marc.theaimsgroup.com/?l=qmail&m=105452174430616&w=2 if the user forgets the hostname parameter to qmail-smtpd and uses /bin/true as the dummy program (/bin/true is the suggested dummy program), they will actually be using /bin/true as the checkpassword program, which allows ANY combination of userid and password to use your server as a relay. i have written a revision to the qmail-smtpd-auth patch which compensates for this common error by not supporting the AUTH command unless all three command line arguments are present. the version 0.31 patch does not correctly check for this- with a missing command line argument, it ends up reading memory beyond the end of argv[], which is NOT filled with zeros- on most *nix systems it's actually the beginning of the environment block. http://www.jms1.net/qmail/ has the modified "auth.patch" file available for download. the changes i've made (actually CHECKING argc instead of assuming there will be something there) need to be incorporated into the qmail-smtpd-auth patch as soon as possible. the author of the patch seems to have not touched it since may 2002. -- There are only 10 types of people in the world: Those who understand binary and those who don't ... GPG-Key at: http://www.cerb.de/gerd/gpg-keys/pub.key -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030716/76756b8a/attachment.bin
Powered by blists - more mailing lists