Re: Authentication failure in cmd5checkpw 0.21

[Krzysztof Dabrowski <brush () POL PL>]

Hello.

I'm the author of both packages (cmd5checkpw and qmail-smtpd-auth).
First i would like to thank Javier for acting in a proffesional way (i've
got early warning, i've replaved the bugged cmd5checkpw and after a week he
sent information to Bugtraq).

If you are using the cmd5checkpw be sure to grab the latest 0.22 version from:

http://members.elysium.pl/brush/cmd5checkpw/

>Description:
>This program works as an authentication plug-in for a patch of the same aut=
>hor to add SMTP AUTH support to QMail. I found that if it was fed with a no=
>n-existing user name, it would segfault due to the lack of checking for the=
 >(imprabable?) reason of such an invalid input.

Guess what? Nobody has noticed it and a lot of people is using it for last
10 month.
Shame on me for this silly bug, but it was due to lack of good testing and
night coding sessions (we've been under spam-attack in that times).

> the consecuence of this problem; the caller -in this case the patched qmai=
l>-smtpd - would take its child crashing as a successful authentication, thu=
>s validating the session. This brings an open door for spam.

Yes, and it should be noted that this is the only consequence of this
exploit. No break in possible (AFAIK).

>Even though this utility was fixed, the vulnerability in the patch to qmail=
>-smtpd still remains, leaving the door opened to further bugs in the authen=
>ication plug-ins.

The qmail-smtpd-auth patch is also fixed now. When the child crashes it
returns propper error message now.

Grab the latest version (0.26) from:

http://members.elysium.pl/brush/qmail-smtpd-auth/

That's it.

Brush

p.s. any errors in qmail-smtpd-auth are only mine, and not Dan Bernstein's
(the original author of qmail). Please do not blame him or waste his time
e-mailing about this particular bug.