Fwd: debian postfix saslauthd pam sasl2-bin

Fabian Fagerholm fabbe at paniq.net
Mon Aug 27 07:36:29 UTC 2007


Hello,

The message quoted below was sent to the pkg-cyrus-sasl2-debian-devel
mailing list. Unfortunately, I have absolutely no time right now to even
think through the validity of the report. If the report is correct, this
sounds like a serious security issue, which is why I'm sending this to
team at security.d.o. Apologies if it's not.

I'll be available for short comments or questions but do not expect
prompt replies before the end of October.

Cheers,
-- 
Fabian Fagerholm <fabbe at paniq.net>

On Sun, 2007-08-26 at 14:14 +0200, Karsten Gessner wrote:
> couldn't it be that there is a huge security hole for sasl authentication
> (postfix) in debian
> default for sasl2-bin (cyrus-sasl2) /etc/default/saslauthd is
> MECHANISMS="pam" without proper pam.d file
> 
>         #
>         # /etc/pam.d/other - specify the PAM fallback behaviour
>         #
>         # Note that this file is used for any unspecified service; for example
>         #if /etc/pam.d/cron  specifies no session modules but cron calls
>         #pam_open_session, the session module out of /etc/pam.d/other is
>         #used.  If you really want nothing to happen then use pam_permit.so or
>         #pam_deny.so as appropriate.
>         
>         # We fall back to the system default in /etc/pam.d/common-*
>         #
>         
>         @include common-auth
>         @include common-account
>         @include common-password
>         @include common-session
> 
> the fallback behaviour for pam ends up in accepting any valid username
> without password verification
> 
> massively used by this host for sending hundreds of thousands of spam mails
> in one day
> 
>         61.142.81.37
>         211.141.77.186
>         194.143.132.115
>         210.123.124.168
>         221.130.55.20
>         202.143.186.250
>         211.138.9.114
>         202.96.189.45
>         200.78.117.240
>         221.2.96.198
>         200.78.117.241
>         66.167.100.59
>         61.128.110.110
>         61.130.20.50
>         84.247.29.103
>         202.153.248.34
>         201.222.9.54
>         202.103.242.100
>         201.15.145.2
>         58.21.128.78
>         200.78.117.236
>         61.50.157.3
>         200.230.120.4
>         193.41.235.105
>         202.109.121.51
>         190.67.12.246
>         202.152.32.59
>         219.248.126.108
>         89.28.3.157
>         85.85.75.18
>         208.5.148.67
>         84.109.8.253
>         211.103.156.233
>         206.18.219.23
>         200.164.73.254
> 
> sample mail.info log entries:
> sasl_method=LOGIN, sasl_username=admin
> sasl_method=LOGIN, sasl_username=root
> sasl_method=LOGIN, sasl_username=webmaster
> 
> please correct me if I'm wrong
> 
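The report above is built on a handful of mail.info lines of the form "sasl_method=LOGIN, sasl_username=root" plus a list of client IPs. The following is an added example, not code from either message or from the Debian sasl2 packaging, showing how such a relay-abuse pattern can be pulled out of Postfix smtpd logs: it parses the client IP, SASL mechanism and username from each line, then flags clients that authenticated as several different accounts, or as accounts that should never relay mail. The log lines, IPs (RFC 5737 documentation ranges) and the SYSTEM_ACCOUNTS set are constructed for the example; the per-client threshold is an assumption to tune for your site.

```python
import re
from collections import defaultdict

# Constructed sample of Postfix smtpd log lines in mail.info format. The
# hosts, IPs and usernames are illustrative and not taken from the report.
SAMPLE_LOG = """\
Aug 26 03:12:01 mx postfix/smtpd[4121]: 1A2B3C4D5E: client=unknown[203.0.113.10], sasl_method=LOGIN, sasl_username=admin
Aug 26 03:12:04 mx postfix/smtpd[4121]: 1A2B3C4D5F: client=unknown[203.0.113.10], sasl_method=LOGIN, sasl_username=root
Aug 26 03:12:09 mx postfix/smtpd[4130]: 1A2B3C4D60: client=unknown[203.0.113.10], sasl_method=LOGIN, sasl_username=webmaster
Aug 26 03:15:44 mx postfix/smtpd[4133]: 1A2B3C4D61: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=root
Aug 26 03:15:50 mx postfix/smtpd[4133]: 1A2B3C4D62: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=admin
Aug 26 08:01:12 mx postfix/smtpd[4201]: 1A2B3C4D70: client=laptop.example.net[192.0.2.25], sasl_method=PLAIN, sasl_username=alice
Aug 26 08:02:31 mx postfix/smtpd[4201]: 1A2B3C4D71: client=laptop.example.net[192.0.2.25], sasl_method=PLAIN, sasl_username=alice
Aug 26 08:05:00 mx postfix/smtpd[4210]: 1A2B3C4D72: client=mail.example.org[192.0.2.99], disconnect
"""

# Postfix logs a successful SASL authentication on the "client=" line as
# "client=HOST[IP], sasl_method=MECH, sasl_username=USER".
SASL_RE = re.compile(
    r"client=(?P<host>\S+?)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)"
)

# Assumption for this example: accounts that should never authenticate to
# submit mail. A real deployment would take this list from local policy.
SYSTEM_ACCOUNTS = frozenset({"root", "admin", "webmaster", "postmaster"})


def parse_sasl_auths(log_text):
    """Return a list of (client_ip, sasl_method, sasl_username) tuples,
    one per line that records a SASL authentication."""
    events = []
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            events.append((m["ip"], m["method"], m["user"]))
    return events


def find_suspicious_clients(events, max_users_per_ip=2):
    """Group authentications by client IP and flag clients that either
    logged in as more than max_users_per_ip distinct accounts (an IP
    cycling through usernames is the pattern in the report) or logged in
    as a system account. Returns {ip: (sorted_usernames, reasons)}."""
    users_by_ip = defaultdict(set)
    for ip, _method, user in events:
        users_by_ip[ip].add(user)

    flagged = {}
    for ip, users in users_by_ip.items():
        reasons = []
        if len(users) > max_users_per_ip:
            reasons.append("many-usernames")
        if users & SYSTEM_ACCOUNTS:
            reasons.append("system-account")
        if reasons:
            flagged[ip] = (sorted(users), reasons)
    return flagged


if __name__ == "__main__":
    for ip, (users, reasons) in find_suspicious_clients(
            parse_sasl_auths(SAMPLE_LOG)).items():
        print(f"{ip}: users={users} reasons={reasons}")
```

Log review only tells you that abuse already happened. The check a practitioner wants before that point is to confirm saslauthd actually rejects bad credentials for the service Postfix uses: `testsaslauthd -u someuser -p wrongpassword -s smtp` should answer "0: NO"; an "OK" for a wrong password means the PAM stack saslauthd ended up in is not verifying passwords, whatever the cause.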