      :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] Fwd: [Full-disclosure] debian postfix saslauthd pam sasl2-bin


--This is a forwarded message
From: Karsten Gessner <list@xxxxxxxxxxxxxxx>
To: full-disclosure@xxxxxxxxxxxxxxxxx <full-disclosure@xxxxxxxxxxxxxxxxx>
Date: Sunday, August 26, 2007, 4:14:54 PM
Subject: [Full-disclosure] debian postfix saslauthd pam sasl2-bin

===8<==============Original message text===============
couldn't be that there is a huge security hole for sasl authentication
(postfix) in debian
default for sasl2-bin (cyrus-sasl2) /etc/default/saslauthd is
MECHANISMS="pam" without proper pam.d file

        # /etc/pam.d/other - specify the PAM fallback behaviour
        # Note that this file is used for any unspecified service; for example
        # if /etc/pam.d/cron  specifies no session modules but cron calls
        # pam_open_session, the session module out of /etc/pam.d/other is
        # used.  If you really want nothing to happen then use pam_permit.so or
        # pam_deny.so as appropriate.
        # We fall back to the system default in /etc/pam.d/common-*
        @include common-auth
        @include common-account
        @include common-password
        @include common-session

the fallback behaviour for pam ends up in accepting any valid username
without password verification

massively used by this host for sending hundreds of thousands spam mails
for one day

sample mail.info log entries:
sasl_method=LOGIN, sasl_username=admin
sasl_method=LOGIN, sasl_username=root
sasl_method=LOGIN, sasl_username=webmaster

please correct me if I'm wrong

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
===8<===========End of original message text===========

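An added example, not part of the forwarded message or of the Debian packages it discusses: a small POSIX shell audit that (a) reports whether a saslauthd host configured with MECHANISMS="pam" has no dedicated PAM service file and is therefore falling through to /etc/pam.d/other, and what that fallback does, and (b) counts SASL logins per username from mail.info lines like the ones quoted above, so a spike of logins as admin/root/webmaster is visible. It assumes (this is not stated in the post) that saslauthd asks PAM for the service name "smtp" on behalf of the Postfix SMTP server, so /etc/pam.d/smtp would be the file that overrides the "other" fallback; the fixture tree and log lines it builds are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not code from the original post. Audits the saslauthd/PAM
# fallback the post describes and summarises SASL logins from a mail log.
# Assumption (not in the post): saslauthd uses the PAM service name "smtp"
# for the Postfix SMTP server, so pam.d/smtp is the file that would stop
# PAM from consulting pam.d/other.

# audit_pam_fallback ETC_DIR
# Prints one of:
#   NOT_PAM    saslauthd is not using MECHANISMS="pam"
#   DEDICATED  ETC_DIR/pam.d/smtp exists, so pam.d/other is never consulted
#   DENY       no smtp file, but pam.d/other denies auth (pam_deny.so)
#   FALLBACK   no smtp file and pam.d/other delegates elsewhere
#              (e.g. @include common-auth): the configuration the post flags
audit_pam_fallback() {
    etc=$1
    # Last MECHANISMS= line wins, quotes and whitespace stripped.
    mech=$(grep '^[[:space:]]*MECHANISMS=' "$etc/default/saslauthd" 2>/dev/null \
           | tail -n 1 | cut -d= -f2- | tr -d '"[:space:]')
    if [ "$mech" != "pam" ]; then
        echo NOT_PAM; return 0
    fi
    if [ -f "$etc/pam.d/smtp" ]; then
        echo DEDICATED; return 0
    fi
    if grep -q '^[[:space:]]*auth[[:space:]].*pam_deny\.so' "$etc/pam.d/other" 2>/dev/null; then
        echo DENY; return 0
    fi
    echo FALLBACK; return 1
}

# sasl_login_counts LOGFILE
# Prints "<count> <sasl_username>" for every username seen in smtpd log
# lines, most frequent first.
sasl_login_counts() {
    sed -n 's/.*sasl_username=\([^, ]*\).*/\1/p' "$1" \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# make_sample_tree DIR
# Writes a constructed fixture modelled on the post: a Debian-style
# default/saslauthd with MECHANISMS="pam", a pam.d/other that includes
# common-*, no pam.d/smtp, and a short mail.info excerpt.
make_sample_tree() {
    d=$1
    mkdir -p "$d/etc/default" "$d/etc/pam.d" "$d/var/log"
    printf 'START=yes\nMECHANISMS="pam"\n' > "$d/etc/default/saslauthd"
    printf '@include common-auth\n@include common-account\n@include common-password\n@include common-session\n' \
        > "$d/etc/pam.d/other"
    # Constructed log lines; only the sasl_username values come from the post.
    cat > "$d/var/log/mail.info" <<'EOF'
Aug 26 04:10:01 mx postfix/smtpd[1234]: 1A2B3C: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=admin
Aug 26 04:10:02 mx postfix/smtpd[1234]: 1A2B3D: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=root
Aug 26 04:10:03 mx postfix/smtpd[1235]: 1A2B3E: client=unknown[192.0.2.11], sasl_method=LOGIN, sasl_username=admin
Aug 26 04:10:04 mx postfix/smtpd[1235]: 1A2B3F: client=unknown[192.0.2.11], sasl_method=LOGIN, sasl_username=webmaster
Aug 26 04:10:05 mx postfix/smtpd[1236]: 1A2B40: client=unknown[192.0.2.12], sasl_method=LOGIN, sasl_username=admin
EOF
}

# Stand-alone run: build the fixture in a temp dir, audit it, show the counts.
work=$(mktemp -d)
make_sample_tree "$work"
printf 'pam fallback audit: %s\n' "$(audit_pam_fallback "$work/etc")"
printf 'sasl logins by user:\n'
sasl_login_counts "$work/var/log/mail.info"
rm -rf "$work"
```

On a live host, call audit_pam_fallback /etc and sasl_login_counts /var/log/mail.info directly; the fixture functions exist only so the script can be exercised offline. A FALLBACK result means the PAM decision for the SMTP service is whatever /etc/pam.d/other says, which is exactly the situation the post singles out.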


Copyright © Lexa Software, 1996-2009.