Message-Id: <1188130494.5064.24.camel@acer.pcn.de>
Date: Sun, 26 Aug 2007 14:14:54 +0200
From: Karsten Gessner <list@...o.homeip.net>
To: full-disclosure@...ts.grok.org.uk
Cc: "debian-security-announce@...ts.debian.org"
	<debian-security-announce@...ts.debian.org>
Subject: debian postfix saslauthd pam sasl2-bin

Couldn't it be that there is a huge security hole for SASL authentication
(Postfix) in Debian? The default for sasl2-bin (cyrus-sasl2) in
/etc/default/saslauthd is MECHANISMS="pam", without a proper pam.d file:

        #
        # /etc/pam.d/other - specify the PAM fallback behaviour
        #
        # Note that this file is used for any unspecified service; for example
        # if /etc/pam.d/cron specifies no session modules but cron calls
        # pam_open_session, the session module out of /etc/pam.d/other is
        # used.  If you really want nothing to happen then use pam_permit.so or
        # pam_deny.so as appropriate.

        # We fall back to the system default in /etc/pam.d/common-*
        #

        @include common-auth
        @include common-account
        @include common-password
        @include common-session

The fallback behaviour for PAM ends up accepting any valid username
without password verification.

Massively used by this host for sending hundreds of thousands of spam
mails in one day:

        61.142.81.37
        211.141.77.186
        194.143.132.115
        210.123.124.168
        221.130.55.20
        202.143.186.250
        211.138.9.114
        202.96.189.45
        200.78.117.240
        221.2.96.198
        200.78.117.241
        66.167.100.59
        61.128.110.110
        61.130.20.50
        84.247.29.103
        202.153.248.34
        201.222.9.54
        202.103.242.100
        201.15.145.2
        58.21.128.78
        200.78.117.236
        61.50.157.3
        200.230.120.4
        193.41.235.105
        202.109.121.51
        190.67.12.246
        202.152.32.59
        219.248.126.108
        89.28.3.157
        85.85.75.18
        208.5.148.67
        84.109.8.253
        211.103.156.233
        206.18.219.23
        200.164.73.254

Sample mail.info log entries:
sasl_method=LOGIN, sasl_username=admin
sasl_method=LOGIN, sasl_username=root
sasl_method=LOGIN, sasl_username=webmaster

Please correct me if I'm wrong.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
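Added example, not part of the original post or of any Debian or Cyrus SASL code: a small triage script for the kind of mail.info evidence quoted above. It parses standard postfix/smtpd "client=host[ip], sasl_method=..., sasl_username=..." lines, groups the client addresses per SASL username, and flags role accounts (root, admin, webmaster) and usernames that authenticate from an unusual number of distinct addresses. The log lines inside the script are constructed for the example (hypothetical hostnames and queue IDs, a few of the addresses from the post); the thresholds and watchlist are assumptions to adjust per site.

```python
"""Added example (not from the original post): triage Postfix SASL logins
from mail.info-style log lines, grouping client IPs per sasl_username and
flagging role accounts and usernames seen from many client addresses.

All log lines below are constructed for the example; the format is the
standard postfix/smtpd 'client=' line with sasl_method/sasl_username fields.
"""
import re
from collections import defaultdict

# Matches the relevant fields of a postfix/smtpd client line, e.g.
#   ... postfix/smtpd[1234]: ABC123: client=unknown[61.142.81.37],
#       sasl_method=LOGIN, sasl_username=admin
SASL_LINE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<queue>[0-9A-F]+|NOQUEUE): "
    r"client=(?P<host>\S+)\[(?P<ip>[0-9a-fA-F:.]+)\], "
    r"sasl_method=(?P<method>\w+), sasl_username=(?P<user>\S+)"
)

# Constructed sample log (hypothetical host "mx", queue IDs and one legitimate user).
SAMPLE_LOG = """\
Aug 26 03:12:44 mx postfix/smtpd[4012]: 1A2B3C4D5E: client=unknown[61.142.81.37], sasl_method=LOGIN, sasl_username=admin
Aug 26 03:12:51 mx postfix/smtpd[4013]: 2B3C4D5E6F: client=unknown[211.141.77.186], sasl_method=LOGIN, sasl_username=root
Aug 26 03:13:02 mx postfix/smtpd[4015]: 3C4D5E6F7A: client=unknown[194.143.132.115], sasl_method=LOGIN, sasl_username=admin
Aug 26 03:13:09 mx postfix/smtpd[4016]: 4D5E6F7A8B: client=unknown[210.123.124.168], sasl_method=LOGIN, sasl_username=webmaster
Aug 26 03:13:20 mx postfix/smtpd[4018]: 5E6F7A8B9C: client=unknown[221.130.55.20], sasl_method=LOGIN, sasl_username=admin
Aug 26 03:14:01 mx postfix/smtpd[4020]: 6F7A8B9CAD: client=laptop.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=karsten
Aug 26 03:14:30 mx postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[202.143.186.250]: 554 5.7.1 Relay access denied
"""


def parse_sasl_logins(log_text):
    """Return {sasl_username: {client_ip, ...}} for every SASL-authenticated client line."""
    logins = defaultdict(set)
    for line in log_text.splitlines():
        m = SASL_LINE.search(line)
        if m:  # reject lines and non-SASL lines carry no sasl_username and are skipped
            logins[m.group("user")].add(m.group("ip"))
    return dict(logins)


def suspicious_users(logins, watchlist=("root", "admin", "webmaster"), max_ips=2):
    """Flag usernames that (a) are role/system accounts that should never relay
    mail, or (b) authenticated from more than max_ips distinct client addresses.
    Both the watchlist and the threshold are assumptions for the example."""
    flagged = {}
    for user, ips in logins.items():
        reasons = []
        if user in watchlist:
            reasons.append("role account")
        if len(ips) > max_ips:
            reasons.append(f"{len(ips)} distinct client IPs")
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    result = parse_sasl_logins(SAMPLE_LOG)
    for user, reasons in sorted(suspicious_users(result).items()):
        print(f"{user}: {', '.join(reasons)} -> {sorted(result[user])}")
```

Run it against a real mail.info (for example by reading the file into parse_sasl_logins) to see, per username, which client addresses authenticated; a role account such as root or admin showing up as a SASL username from dozens of unrelated addresses is the pattern the post describes.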
