Vulnerability

    cmd5checkpw

Affected

    cmd5checkpw 0.21

Description

    Javier  Kohen  found   following.   This   program  works  as   an
    authentication plug-in for a patch of the same author to add  SMTP
    AUTH support to  QMail.  Javier  found that if  it was fed  with a
    non-existing  user  name,  it  would  segfault  due to the lack of
    checking for the  (imprabable?) reason of  such an invalid  input.
    The exploit here comes from  the consecuence of this problem;  the
    caller -in  this case  the patched  qmail-smtpd -  would take  its
    child  crashing  as  a  successful authentication, thus validating
    the session.   This brings  an open  door for  spam.   Even though
    this  utility  was  fixed,  the  vulnerability  in  the  patch  to
    qmail-smtpd  still  remains,  leaving  the  door opened to further
    bugs in the authentication plug-ins.

    Proof of concept:

        $ nc localhost smtp
        < 220 ns.foo.com.ar ESMTP
        > ehlo spammer.net
        < 250-ns.foo.com.ar
        < 250-AUTH=3DLOGIN CRAM-MD5 PLAIN
        < 250-AUTH LOGIN CRAM-MD5 PLAIN
        < 250-PIPELINING
        < 250 8BITMIME
        > auth plain
        < 334 ok. go on.
        > xyzzy<NUL>nopasswordneeded<NUL>
        < ??? ok.

Solution

    If you are using the cmd5checkpw  be sure to grab the latest  0.22
    version from:

        http://members.elysium.pl/brush/cmd5checkpw/

    The qmail-smtpd-auth  patch is  also fixed  now.   When the  child
    crashes it  returns propper  error message  now.   Grab the latest
    version (0.26) from:

        http://members.elysium.pl/brush/qmail-smtpd-auth/