This was forwarded to me by our security officer. I believe the original
author, Florian Weimer, intended to reach this list but did not know how
to and instead went through his security contacts. Perhaps Florian's
concerns would best be addressed in MM 3.0 and maybe this should be
added to the MM 3.0 feature list. BTW, is there an independent MM 3.0
list? I thought I had heard such a beast existed, but my recollection is
hazy.
--
John Dennis <[EMAIL PROTECTED]>
--- Begin Message ---
Hi,
Do you have a trusted contact to the Mailman developers? Their home
page doesn't seem to list a security contact, and the lead developer
appears to have changed (I'm not sure if Barry is still in charge).
Mailman 2.1.5 uses weak auto-generated passwords for new subscribers.
These passwords are assigned when members subscribe without specifying
their own password (either by email or the web frontend). Knowledge
of this password allows an attacker to gain access to the list archive
even though she's not a member and the archive is restricted to
members only. The idea of storing sensitive data in Mailman archives
seems to be a bit crazy, but unfortunately, it is common practice.
Here's the password generation algorithm:
import random

EMPTYSTRING = ''   # defined alongside this code in Mailman/Utils.py

_vowels = ('a', 'e', 'i', 'o', 'u')
_consonants = ('b', 'c', 'd', 'f', 'g', 'h', 'k', 'm', 'n',
               'p', 'r', 's', 't', 'v', 'w', 'x', 'z')
# 5 vowels x 17 consonants x 2 orders = 170 two-letter syllables
_syllables = []
for v in _vowels:
    for c in _consonants:
        _syllables.append(c+v)
        _syllables.append(v+c)
del c, v

def MakeRandomPassword(length=6):
    # random.choice draws from Python's non-cryptographic PRNG
    syls = []
    while len(syls) * 2 < length:
        syls.append(random.choice(_syllables))
    return EMPTYSTRING.join(syls)[:length]
This means that only about 5 million different passwords are ever
generated, a number that is in the range of brute force attacks -- you
only have to guess one subscriber address (which is usually not that
hard).
Closing this vulnerability requires three steps:
- Implement stronger password generation (easy because we may assume
that the system provides /dev/urandom, and we don't need extreme
performance).
Increasing the password length is not an option because as far as
I know, Python's random number generator is not cryptographically
secure. Simple brute force enumeration wouldn't work anymore, but
a more elaborate attack involving results of an analysis of the
random number generator might still be feasible.
- Provide site administrators with a Python script to reset all
passwords to autogenerated ones.
- Remove the password input fields from the web forms. These fields
are mostly present for historical reasons. Mailman 2.1 offers a
challenge-response mechanism for the most important operations
(Mailman 2.0 only had password authentication).
This step is not really related to the vulnerability at hand, but
I think it's important not to encourage users to add their
password to the Mailman database (despite the fine print that
tells new members not to use a valuable password).
This vulnerability is currently NOT public. Credits for its discovery
belong to ZENDAS (I'm merely coordinating the disclosure). The
vulnerability was discovered during a penetration test and has
therefore been disclosed to people outside ZENDAS. However, I don't
think the vulnerability will hit a public mailing list soon (or leak
to the underground). I'm going to notify a very special closed
Mailman list in advance (whose admins and subscribers are
trustworthy).
Feel free to forward this message to trusted Mailman developers. It
would be helpful if you could provide a time estimate when most of you
have updated Mailman packages ready.
Florian
_______________________________________________
Vendor Security mailing list
Vendor [EMAIL PROTECTED]
https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec
--- End Message ---
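As an added example (not Florian's or Mailman's code), this puts exact numbers on the "about 5 million" keyspace argument above and sketches the /dev/urandom-backed replacement from the first remediation step. The syllable table is the one quoted in the message; the `secrets` module (Python 3.6+), the 12-character default and the `looks_autogenerated` helper for a reset script are my own assumptions.

```python
import math
import secrets
import string

# Syllable alphabet copied from the Mailman 2.1.5 generator quoted above.
VOWELS = ('a', 'e', 'i', 'o', 'u')
CONSONANTS = ('b', 'c', 'd', 'f', 'g', 'h', 'k', 'm', 'n',
              'p', 'r', 's', 't', 'v', 'w', 'x', 'z')
SYLLABLES = frozenset(c + v for v in VOWELS for c in CONSONANTS) | \
            frozenset(v + c for v in VOWELS for c in CONSONANTS)


def weak_keyspace(length=6):
    """Number of distinct passwords MakeRandomPassword(length) can emit.

    Every syllable is two characters, so an even-length password is a
    fixed-position concatenation of length/2 syllables and each choice
    yields a distinct string: 170 ** (length // 2).  For odd lengths the
    final syllable is truncated to its first character, which adds only
    a factor of 22 (the distinct first letters) for that position."""
    full = len(SYLLABLES) ** (length // 2)
    if length % 2 == 0:
        return full
    first_chars = {s[0] for s in SYLLABLES}
    return full * len(first_chars)


def entropy_bits(keyspace):
    """Equivalent key strength in bits for a uniformly chosen password."""
    return math.log2(keyspace)


def looks_autogenerated(password):
    """True if the password parses as a run of Mailman syllables.

    A necessary (not sufficient) sign it came from the weak generator;
    an admin reset script (assumed, step two above) could use this to
    pick out members still carrying such a password."""
    if len(password) % 2:
        return False
    return all(password[i:i + 2] in SYLLABLES
               for i in range(0, len(password), 2))


def make_strong_password(length=12):
    """Replacement generator: CSPRNG (os.urandom-backed `secrets`)
    over a 62-symbol alphabet, ~5.95 bits per character."""
    alphabet = string.ascii_letters + string.digits
    return ''.join(secrets.choice(alphabet) for _ in range(length))
```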
_______________________________________________
Mailman-Developers mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/mailman-developers