COMMAND
pam.d
SYSTEMS AFFECTED
qpopper and pam.d
PROBLEM
Charles Chear found following. Take a look at the two sessions he
had with Qpopper on a Redhat Linux 7.x box from an RPM package of
version 4.0.1.
Existing account:
=================
[root@bart /etc]# telnet 10.10.10.1 110
Trying 10.10.10.1...
Connected to 10.10.10.1.
Escape character is '^]'.
+OK ready <22975.998689264@target.host>
user validuser
+OK Password required for validuser.
pass valid
-ERR [AUTH] PAM authentication failed for user "validuser": Authentication
failure (7)
+OK Pop server at target.host signing off.
Connection closed by foreign host.
Non-existent account:
=====================
[root@bart /etc]# telnet 10.10.10.1 110
Trying 10.10.10.1...
Connected to 10.10.10.1.
Escape character is '^]'.
+OK ready <22984.998689464@target.host>
user fakeuser
+OK Password required for fakeuser.
pass fakeeeee
-ERR [AUTH] Password supplied for "fakeuser" is incorrect.
+OK Pop server at target.host signing off.
Connection closed by foreign host.
If you take a look carefully between the two sessions, both give
different auth fail responses. Using this, you can brute force
and verify an account exists or not. The problem is the intrusion
of pam.d in the whole authentication process. Charles also tested
this on an FreeBSD 4.3 box with qpopper 4.0.3. There, the same
fail response was given whether or not the username really did
exist.
Charles also tested an install of qpopper on Redhat straight from
a tarball that compiled without PAM support. It responded securely
and as it should.. with the same response whether or not the
account really exists.
SOLUTION
For those interested, the following patch makes the behaviour
more 'expected':
--- popper/pop_pass.c.orig Sat Aug 25 19:05:41 2001
+++ popper/pop_pass.c Sat Aug 25 19:06:58 2001
@@ -368,7 +368,7 @@
*/
static int gp_errcode = 0;
static char *GP_ERRSTRING =
- "[AUTH] PAM authentication failed for user \"%.100s\": %.128s (%d)";
+ "[AUTH] Password supplied for \"%.100s\" is incorrect.";
static int
PAM_qpopper_conv ( int num_msg,