[30741] in bugtraq


possible open relay hole in qmail-smtpd-auth patch

daemon@ATHENA.MIT.EDU (John Simpson)
Tue Jul 15 14:12:19 2003

From: John Simpson <jms1@jms1.net>
To: smtpauth@list.elysium.pl, qmail@list.cr.yp.to, bugtraq@securityfocus.com
Date: Tue, 15 Jul 2003 12:36:05 -0400
In-Reply-To: <002b01c34add$6fc4c460$0200a8c0@pcdummy.net>
Message-Id: <200307151236.10505.jms1@jms1.net>


the qmail-smtpd-auth patch is a commonly used patch to qmail which allows the qmail-smtpd program to support the AUTH extension, by specifying a "checkpassword" program on the command line. the homepage for the patch is:

http://members.elysium.pl/brush/qmail-smtpd-auth/

the patch modifies qmail-smtpd so that it can be called with three command-line parameters: the local host name (used for generating CRAM-MD5 challenges), the checkpassword program itself, and a "dummy" program which is run by the checkpassword program after a successful authentication.

the "dummy" program is needed because checkpassword programs are designed for use in a POP3 or IMAP situation, where they would validate the user's credentials and then run the actual POP3 or IMAP server program.

the current version of the SMTP-AUTH patch contains a serious bug which can accidentally allow somebody who forgets one or more of the command line parameters to start running an open relay by accident. it has been reported in several places over the last week, including this message on the qmail mailing list:

http://marc.theaimsgroup.com/?l=qmail&m=105452174430616&w=2

if the user forgets the hostname parameter to qmail-smtpd and uses /bin/true as the dummy program (/bin/true is the suggested dummy program), they will actually be using /bin/true as the checkpassword program, which allows ANY combination of userid and password to use your server as a relay.

i have written a revision to the qmail-smtpd-auth patch which compensates for this common error by not supporting the AUTH command unless all three command line arguments are present.

the version 0.31 patch does not correctly check for this: with a missing command line argument, it ends up reading memory beyond the end of argv[], which is NOT filled with zeros; on most *nix systems it's actually the beginning of the environment block.

http://www.jms1.net/qmail/ has the modified "auth.patch" file available for download.

the changes i've made (actually CHECKING argc instead of assuming there will be something there) need to be incorporated into the qmail-smtpd-auth patch as soon as possible. the author of the patch seems to have not touched it since may 2002.
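As an added illustration (not the post's own code and not the patch's), the positional argument handling the post describes is shown next to a version that checks argc first; the host name and program paths in the sample argument vectors are constructed values:

```c
#include <stdio.h>
#include <string.h>

/* qmail-smtpd (with the auth patch) is started as
 *   qmail-smtpd <hostname> <checkpassword> <dummy>
 * and consumes the three parameters by position. */
struct auth_args {
    int enabled;                /* 1 if AUTH should be offered at all */
    const char *hostname;       /* used for CRAM-MD5 challenges */
    const char *checkpassword;  /* program that validates credentials */
    const char *dummy;          /* run by checkpassword on success */
};

/* Positional parsing that assumes all three parameters are present.
 * If the hostname is omitted, everything shifts one slot to the left:
 * the real checkpassword becomes the "hostname" and the dummy program
 * (usually /bin/true, which always exits 0) becomes the checkpassword. */
struct auth_args parse_assuming_three(char **argv)
{
    struct auth_args a = { 1, argv[1], argv[2], argv[3] };
    return a;
}

/* Hardened parsing: check argc before touching argv[1..3] and leave
 * AUTH disabled unless all three parameters are really there.
 * (argv[argc] is NULL by the C standard; what lies past it is not.) */
struct auth_args parse_checking_argc(int argc, char **argv)
{
    struct auth_args a = { 0, NULL, NULL, NULL };
    if (argc < 4 || !argv[1][0] || !argv[2][0] || !argv[3][0])
        return a;               /* AUTH off, so no relay via AUTH */
    a.enabled = 1;
    a.hostname = argv[1];
    a.checkpassword = argv[2];
    a.dummy = argv[3];
    return a;
}

/* Constructed argument vectors: the misconfiguration from the post
 * (hostname missing, argv[3] is the NULL terminator) and a correct one. */
static char *bad_argv[] = { "qmail-smtpd", "/bin/checkpassword", "/bin/true", NULL };
static char *good_argv[] = { "qmail-smtpd", "mail.example.com",
                             "/bin/checkpassword", "/bin/true", NULL };

int main(void)
{
    struct auth_args u = parse_assuming_three(bad_argv);
    struct auth_args s = parse_checking_argc(3, bad_argv);
    printf("assumed: AUTH on, checkpassword=%s\n", u.checkpassword);
    printf("checked: AUTH %s\n", s.enabled ? "on" : "off");
    return 0;
}
```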

-- 
-----------------------------------------------
| John Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/        <jms1@jms1.net> |
-----------------------------------------------


