poppassd_pam: Unauthorized password changing

1. Gentoo Linux Security Advisory

Advisory Reference	GLSA 200501-22 / poppassd_pam
Release Date	January 11, 2005
Latest Revision	January 11, 2005: 01
Impact	high
Exploitable	remote

Package	Vulnerable versions	Unaffected versions	Architecture(s)
net-mail/poppassd_ceti	<= 1.0	>= 1.8.4	All supported architectures
net-mail/poppassd_pam	<= 1.0		All supported architectures

Related bugreports: #75820

Synopsis

poppassd_pam allows anyone to change any user's password without authenticating the user first.

2. Impact Information

Background

poppassd_pam is a PAM-enabled server for changing system passwords that can be used to change POP server passwords.

Description

Gentoo Linux developer Marcus Hanwell discovered that poppassd_pam did not check that the old password was valid before changing passwords. Our investigation revealed that poppassd_pam did not call pam_authenticate before calling pam_chauthtok.

Impact

A remote attacker could change the system password of any user, including root. This leads to a complete compromise of the POP accounts, and may also lead to a complete root compromise of the affected server, if it also provides shell access authenticated using system passwords.

3. Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All poppassd_pam users should migrate to the new package called poppassd_ceti:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-mail/poppassd_ceti-1.8.4"

Note: Portage will automatically replace the poppassd_pam package by the poppassd_ceti package.

4. References

CAN-2005-0002

Updated January 11, 2005

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.