Gentoo Forums
[ GLSA 200501-22 ] poppassd_pam: Unauthorized password changing
Posted by GLSA (Moderator) on Tue Jan 11, 2005 9:03 pm (GMT)
Post subject: [ GLSA 200501-22 ] poppassd_pam: Unauthorized password changing

Gentoo Linux Security Advisory

Title: poppassd_pam: Unauthorized password changing (GLSA 200501-22)
Severity: high
Exploitable: remote
Date: January 11, 2005
Bug(s): #75820
ID: 200501-22

Synopsis

poppassd_pam allows anyone to change any user's password without authenticating the user first.

Background

poppassd_pam is a PAM-enabled server for changing system passwords that can be used to change POP server passwords.

Affected Packages

Package: net-mail/poppassd_ceti
Vulnerable: <= 1.0
Unaffected: >= 1.8.4
Architectures: All supported architectures

Package: net-mail/poppassd_pam
Vulnerable: <= 1.0
Architectures: All supported architectures


Description

Gentoo Linux developer Marcus Hanwell discovered that poppassd_pam did not check that the old password was valid before changing passwords. Our investigation revealed that poppassd_pam did not call pam_authenticate before calling pam_chauthtok.
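To make the ordering flaw concrete, here is an added Python model of the two call sequences; it is not code from poppassd_pam, poppassd_ceti or Gentoo. `FakePam` is a constructed stand-in for libpam (the real API is C, and the real `pam_chauthtok` likewise relies on the caller to have authenticated first), and the `user` / `pass` / `newpass` / `quit` command set is assumed from the conventional poppassd protocol, which the advisory does not spell out. The vulnerable handler changes the password as soon as `newpass` arrives; the fixed handler refuses unless `pam_authenticate` succeeded with the old password.

```python
"""Model of the poppassd_pam ordering flaw and its fix.

Constructed example: FakePam stands in for libpam and is NOT the real
PAM API. The poppassd-style commands (user / pass / newpass / quit) are
assumed from the conventional poppassd protocol, not from the advisory.
"""


class FakePam:
    """Minimal stand-in for a PAM stack: a user database plus the two
    calls the advisory names, pam_authenticate and pam_chauthtok."""

    def __init__(self, users):
        self.users = dict(users)      # user -> current password
        self.authenticated = set()    # users that passed pam_authenticate

    def pam_authenticate(self, user, password):
        if self.users.get(user) == password:
            self.authenticated.add(user)
            return True
        return False

    def pam_chauthtok(self, user, new_password):
        # Like the real call, this does not verify the old password itself;
        # the calling application is responsible for authenticating first.
        if user not in self.users:
            return False
        self.users[user] = new_password
        return True


def change_password_vulnerable(pam, user, old_password, new_password):
    """Mirrors the flaw: old_password is accepted but never verified."""
    return pam.pam_chauthtok(user, new_password)


def change_password_fixed(pam, user, old_password, new_password):
    """Authenticate with the old password, then change it."""
    if not pam.pam_authenticate(user, old_password):
        return False
    return pam.pam_chauthtok(user, new_password)


class PoppassdSession:
    """Command handler for one poppassd-style session. Each call takes one
    client line and returns the server reply (2xx ok, 5xx error)."""

    def __init__(self, pam, change_password):
        self.pam = pam
        self.change_password = change_password
        self.user = None
        self.old_password = None

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.lower()
        if verb == "user":
            self.user, self.old_password = arg, None
            return "200 your password please."
        if verb == "pass":
            if self.user is None:
                return "500 Username required."
            self.old_password = arg
            return "200 your new password please."
        if verb == "newpass":
            if self.user is None or self.old_password is None:
                return "500 Old password required."
            if self.change_password(self.pam, self.user, self.old_password, arg):
                return "200 Password changed, thank-you."
            return "500 Old password is incorrect."
        if verb == "quit":
            return "200 Bye."
        return "500 Unknown command."


def run_session(pam, change_password, lines):
    """Feed a list of client lines through one session; return the replies."""
    session = PoppassdSession(pam, change_password)
    return [session.handle(line) for line in lines]


def demo(change_password):
    """Request a password change for root while supplying a WRONG old
    password; return (reply to newpass, root's password afterwards)."""
    pam = FakePam({"root": "correct-old", "alice": "alice-old"})  # constructed users
    replies = run_session(
        pam, change_password,
        ["user root", "pass wrong-guess", "newpass new-secret", "quit"],
    )
    return replies[2], pam.users["root"]


if __name__ == "__main__":
    print("vulnerable:", demo(change_password_vulnerable))
    print("fixed:     ", demo(change_password_fixed))
```

With the vulnerable handler the session ends with `200 Password changed` and root's password is replaced even though the old password was wrong; with the fixed handler the same session gets `500 Old password is incorrect` and the stored password is untouched. The check that matters is the `pam_authenticate` result being consulted before `pam_chauthtok`, which is exactly the step the advisory reports was missing.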

Impact

A remote attacker could change the system password of any user, including root. This leads to a complete compromise of the POP accounts, and may also lead to a complete root compromise of the affected server, if it also provides shell access authenticated using system passwords.

Workaround

There is no known workaround at this time.

Resolution

All poppassd_pam users should migrate to the new package called poppassd_ceti:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-mail/poppassd_ceti-1.8.4"
Note: Portage will automatically replace the poppassd_pam package with the poppassd_ceti package.

References

CAN-2005-0002


Last edited by GLSA on Sun May 07, 2006 4:54 pm; edited 1 time in total