Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Apps N-Z :: pam8~1.htm

Qpopper and pam.d account existence brutable



COMMAND

    pam.d

SYSTEMS AFFECTED

    qpopper and pam.d

PROBLEM

    Charles Chear found following.  Take a look at the two sessions he
    had with Qpopper on a Redhat Linux 7.x box from an RPM package  of
    version 4.0.1.

        Existing account:
        =================
        [root@bart /etc]# telnet 10.10.10.1 110
        Trying 10.10.10.1...
        Connected to 10.10.10.1.
        Escape character is '^]'.
        +OK ready  <22975.998689264@target.host>
        user validuser
        +OK Password required for validuser.
        pass valid
        -ERR [AUTH] PAM authentication failed for user "validuser": Authentication
        failure (7)
        +OK Pop server at target.host signing off.
        Connection closed by foreign host.
        
        
        Non-existent account:
        =====================
        [root@bart /etc]# telnet 10.10.10.1 110
        Trying 10.10.10.1...
        Connected to 10.10.10.1.
        Escape character is '^]'.
        +OK ready  <22984.998689464@target.host>
        user fakeuser
        +OK Password required for fakeuser.
        pass fakeeeee
        -ERR [AUTH] Password supplied for "fakeuser" is incorrect.
        +OK Pop server at target.host signing off.
        Connection closed by foreign host.

    If you take a look  carefully between the two sessions,  both give
    different auth fail  responses.  Using  this, you can  brute force
    and verify an account exists or not.  The problem is the intrusion
    of pam.d in the whole authentication process.  Charles also tested
    this on an FreeBSD  4.3 box with qpopper  4.0.3.  There, the  same
    fail response  was given  whether or  not the  username really did
    exist.

    Charles also tested an install of qpopper on Redhat straight  from
    a tarball that compiled without PAM support. It responded securely
    and  as  it  should..  with  the  same response whether or not the
    account really exists.

SOLUTION

    For  those  interested,  the  following  patch makes the behaviour
    more 'expected':

    --- popper/pop_pass.c.orig Sat Aug 25 19:05:41 2001
    +++ popper/pop_pass.c Sat Aug 25 19:06:58 2001
    @@ -368,7 +368,7 @@
      */
     static int   gp_errcode   = 0;
     static char *GP_ERRSTRING =
    -            "[AUTH] PAM authentication failed for user \"%.100s\": %.128s (%d)";
    +            "[AUTH] Password supplied for \"%.100s\" is incorrect.";
    
     static int
     PAM_qpopper_conv ( int                        num_msg,


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH