[ GLSA 200501-22 ] poppassd_pam: Unauthorized password changing

[GLSA]

Gentoo Linux Security Advisory

Title: poppassd_pam: Unauthorized password changing (GLSA 200501-22)
Severity: high
Exploitable: remote
Date: January 11, 2005
Bug(s): #75820
ID: 200501-22

Synopsis

poppassd_pam allows anyone to change any user's password without authenticating the user first.

Background

poppassd_pam is a PAM-enabled server for changing system passwords that can be used to change POP server passwords.

Affected Packages

Package: net-mail/poppassd_ceti
Vulnerable: <= 1.0
Unaffected: >= 1.8.4
Architectures: All supported architectures

Package: net-mail/poppassd_pam
Vulnerable: <= 1.0
Architectures: All supported architectures


Description

Gentoo Linux developer Marcus Hanwell discovered that poppassd_pam did not check that the old password was valid before changing passwords. Our investigation revealed that poppassd_pam did not call pam_authenticate before calling pam_chauthtok.

Impact

A remote attacker could change the system password of any user, including root. This leads to a complete compromise of the POP accounts, and may also lead to a complete root compromise of the affected server, if it also provides shell access authenticated using system passwords.

Workaround

There is no known workaround at this time.

Resolution

All poppassd_pam users should migrate to the new package called poppassd_ceti: