ðòïåëôù 


  áòèé÷ 


Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

  óôáôøé 


  ðåòóïîáìøîïå 


  ðòïçòáííù 



ðéûéôå
ðéóøíá














     áòèé÷ :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] Fwd: [Full-disclosure] debian postfix saslauthd pam sasl2-bin



óÏÒÒÉ ÚÁ ËÒÏÓÓ-ÐÏÓÔÉÎÇ, ÎÏ ÐÏ-ÍÏÅÍÕ ÐÏÄÈÏÄÉÔ É ÔÕÄÁ É ÔÕÄÁ.

--This is a forwarded message
From: Karsten Gessner <list@xxxxxxxxxxxxxxx>
To: full-disclosure@xxxxxxxxxxxxxxxxx <full-disclosure@xxxxxxxxxxxxxxxxx>
Date: Sunday, August 26, 2007, 4:14:54 PM
Subject: [Full-disclosure] debian postfix saslauthd pam sasl2-bin

===8<==============Original message text===============
could't be that there is a huge security hole for sasl authentication
(postfix) in debian
default for sasl2-bin (cyrus-sasl2) /etc/default/saslauthd is
MECHANISMS="pam" without proper pam.d file

        #
        # /etc/pam.d/other - specify the PAM fallback behaviour
        #
        # Note that this file is used for any unspecified service; for
        example
        #if /etc/pam.d/cron  specifies no session modules but cron calls
        #pam_open_session, the session module out of /etc/pam.d/other is
        #used.  If you really want nothing to happen then use
        pam_permit.so or
        #pam_deny.so as appropriate.
        
        # We fall back to the system default in /etc/pam.d/common-*
        #
        
        @include common-auth
        @include common-account
        @include common-password
        @include common-session

the fallback behaviour for pam ends up in accepting any valid username
without password verification

massivly used by this host for sending hundreds of thousands spam mails
for one day

        61.142.81.37
        211.141.77.186
        194.143.132.115
        210.123.124.168
        221.130.55.20
        202.143.186.250
        211.138.9.114
        202.96.189.45
        200.78.117.240
        221.2.96.198
        200.78.117.241
        66.167.100.59
        61.128.110.110
        61.130.20.50
        84.247.29.103
        202.153.248.34
        201.222.9.54
        202.103.242.100
        201.15.145.2
        58.21.128.78
        200.78.117.236
        61.50.157.3
        200.230.120.4
        193.41.235.105
        202.109.121.51
        190.67.12.246
        202.152.32.59
        219.248.126.108
        89.28.3.157
        85.85.75.18
        208.5.148.67
        84.109.8.253
        211.103.156.233
        206.18.219.23
        200.164.73.254

sample mail.info log entries:
sasl_method=LOGIN, sasl_username=admin
sasl_method=LOGIN, sasl_username=root
sasl_method=LOGIN, sasl_username=webmaster

please correct me if I'm wrong

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
===8<===========End of original message text===========


-- 
~/ZARAZA
éÔÁË, Ñ ÂÕÄÕ ËÒÁÔÏË. (ô×ÅÎ)



 




Copyright © Lexa Software, 1996-2009.