Bugtraq mailing list archives
Authentication failure in cmd5checkpw 0.21
From: Javier Kohen <jkohen () TOUGH COM>
Date: Mon, 16 Oct 2000 23:18:21 -0300
Program: cmd5checkpw Vulnerable versions: 0.21 (probably earlier, too.) Fixed versions: 0.22 URI: http://freshmeat.net/projects/cmd5checkpw/ Author: Elysium deeZine <http://www.elysium.pl/> Description: This program works as an authentication plug-in for a patch of the same author to add SMTP AUTH support to QMail. I found that if it was fed with a non-existing user name, it would segfault due to the lack of checking for the (imprabable?) reason of such an invalid input. The exploit here comes from the consecuence of this problem; the caller -in this case the patched qmail-smtpd - would take its child crashing as a successful authentication, thus validating the session. This brings an open door for spam. Even though this utility was fixed, the vulnerability in the patch to qmail-smtpd still remains, leaving the door opened to further bugs in the authentication plug-ins. Proof of concept: $ nc localhost smtp < 220 ns.foo.com.ar ESMTP
ehlo spammer.net
< 250-ns.foo.com.ar < 250-AUTH=LOGIN CRAM-MD5 PLAIN < 250-AUTH LOGIN CRAM-MD5 PLAIN < 250-PIPELINING < 250 8BITMIME
auth plain
< 334 ok. go on.
xyzzy<NUL>nopasswordneeded<NUL>
< ??? ok. -- Javier Kohen <jkohen () tough com> ICQ #2361802 [blashyrkh] http://www.tough.com.ar/
Attachment:
_bin
Description:
Current thread:
- Authentication failure in cmd5checkpw 0.21 Javier Kohen (Oct 16)
- <Possible follow-ups>
- Re: Authentication failure in cmd5checkpw 0.21 Krzysztof Dabrowski (Oct 17)