Gentoo Logo

poppassd_pam: Unauthorized password changing

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200501-22 / poppassd_pam
Release Date January 11, 2005
Latest Revision January 11, 2005: 01
Impact high
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
net-mail/poppassd_ceti <= 1.0 >= 1.8.4 All supported architectures
net-mail/poppassd_pam <= 1.0 All supported architectures

Related bugreports: #75820

Synopsis

poppassd_pam allows anyone to change any user's password without authenticating the user first.

2.  Impact Information

Background

poppassd_pam is a PAM-enabled server for changing system passwords that can be used to change POP server passwords.

Description

Gentoo Linux developer Marcus Hanwell discovered that poppassd_pam did not check that the old password was valid before changing passwords. Our investigation revealed that poppassd_pam did not call pam_authenticate before calling pam_chauthtok.

Impact

A remote attacker could change the system password of any user, including root. This leads to a complete compromise of the POP accounts, and may also lead to a complete root compromise of the affected server, if it also provides shell access authenticated using system passwords.

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All poppassd_pam users should migrate to the new package called poppassd_ceti:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-mail/poppassd_ceti-1.8.4"

Note: Portage will automatically replace the poppassd_pam package by the poppassd_ceti package.

4.  References



Print

Page updated January 11, 2005

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.