cmd5checkpw Qmail Remote Password Retrieval Vulnerability
BID:1809
Info
| Bugtraq ID: | 1809 |
| Class: | Boundary Condition Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Oct 16 2000 12:00AM |
| Updated: | Oct 16 2000 12:00AM |
| Credit: | This vulnerability was reported to bugtraq by Javier Kohen <[email protected]> on Mon, 16 Oct 2000 |
| Vulnerable: | Krzysztof Dabrowski cmd5checkpw 0.21; Krzysztof Dabrowski cmd5checkpw 0.20 |
| Not Vulnerable: | Krzysztof Dabrowski cmd5checkpw 0.22 |
Discussion
The authentication program cmd5checkpw can function as a plugin to qmail-smtpd-auth, a patch for qmail which supports the SMTP AUTH protocol.
Due to improper input validation and error trapping, supplying cmd5checkpw with a non-existent username will cause it to segfault. In turn, the qmail-smtpd-auth qmail patch incorrectly interprets this failure as a successful authentication. As a result, an attacker providing invalid input to cmd5checkpw can create a falsely-authenticated session, leaving the victim host open to receiving and forwarding mail from unauthenticated systems.
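The fail-open behaviour described above, as an added C example (not code from cmd5checkpw or the qmail-smtpd-auth patch, whose source this page does not show). It assumes the parent read only the exit-code byte of the child's wait status; run_checker, auth_fail_open and auth_fail_closed are hypothetical names, and the child process is a constructed stand-in for the password checker.

```c
#include <signal.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for a checkpassword-style child process.
   mode 0: exits 0 (accepted); mode 1: exits 1 (rejected);
   mode 2: dies from SIGSEGV, as a crashing checker would. */
static int run_checker(int mode, int *wstat)
{
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        if (mode == 2) {
            struct rlimit no_core = {0, 0};
            setrlimit(RLIMIT_CORE, &no_core);   /* keep the demo from leaving a core file */
            signal(SIGSEGV, SIG_DFL);
            raise(SIGSEGV);
        }
        _exit(mode == 0 ? 0 : 1);
    }
    return waitpid(pid, wstat, 0) == pid ? 0 : -1;
}

/* Fail-open (assumed shape of the bug): only the exit-code byte is read.
   On the traditional Unix status encoding used by Linux and the BSDs, a
   child killed by a signal has that byte set to 0, so a crash looks like
   success. */
int auth_fail_open(int mode)
{
    int wstat;
    if (run_checker(mode, &wstat) == -1) return 0;
    return ((wstat >> 8) & 0xff) == 0;
}

/* Fail-closed: accept only a normal exit with status 0; a signal death,
   a non-zero exit or a wait error all count as "not authenticated". */
int auth_fail_closed(int mode)
{
    int wstat;
    if (run_checker(mode, &wstat) == -1) return 0;
    return WIFEXITED(wstat) && WEXITSTATUS(wstat) == 0;
}
```

Any parent that delegates an authentication decision to a helper process should treat every outcome other than a clean zero exit as a rejection.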
Exploit / POC
Currently the SecurityFocus staff are not aware of any publicly available exploits for this vulnerability. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Solution:
The author notes that "this vulnerability has been fixed in the latest 0.22 version of cmd5checkpw, available from http://members.elysium.pl/brush/cmd5checkpw/
The qmail-smtpd-auth patch is also fixed now. When the child crashes it returns a proper error message now. Grab the latest version (0.26) from: http://members.elysium.pl/brush/qmail-smtpd-auth/"