I'd like to comment on the advisory posted below.

First of all, this issue is as old as databases and programs
that interface with them automatically.  Changes to file
and library permissions fix any problems people might have
with this, as stated in my advisory about valias.  The point in
my advisory, which the author of this advisory clearly missed,
was that binaries/libraries with permission fixes on what he
has stated below were still vulnerable due to an internal error
with vpopmail.

I'll restate my advisory briefly here.  vauth_getall() does not
require authentication of any kind.  vauth_getall() loads a db
connection in memory, which means, if I cause a segfault while
using vauth_getall() (on most systems) I can look at the contents
of the core file and read the database password.  If they have
valias enabled, I can insert information into the valias tables
and come up with a SUID vpopmail shell, which can be used from there
to gain root privileges in various ways (trojans, etc).

That's all, folks. :)

Forwarded message: 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> - ---------------------------------------------------------------------
> BUZ.CH Security Advisory 20010831: Inter7 vpopmail
> - ---------------------------------------------------------------------
> Subject:      local password problem in vpopmail when installed with
>               MySQL  module and all programs linked against
>               libvpopmail.a
> Written by:   Gabriel Ambuehl <[EMAIL PROTECTED]>
> Impact:       - MySQL authentication data can get stolen which means
>                 that all the data the respective user has access to
>                 is in danger.
>               - Probably remote command execution under the vpopmail
>                 user (untested).
> Affected:     All vpopmail =< 4.10.35 Setups using MySQL
> NOT affected: vpopmail setups without DB based authentication
> Credits:      Inter7 (earlier advisory on < vpopmail-4.10.34, see
>               below for details)
> - ---------------------------------------------------------------------
> 
> I first want to say that Ken Jones of Inter7 was really responsive
> when I reported the bug and that they fixed the vulnerability fast.
> I also want to say that vpopmail really does a great job!
> 
> 1. Introduction
> - ---------------
> Some days ago, Inter7 released a security advisory concerning
> passwords saved in libvpopmail.a because they feared people could link
> against that lib with code that segfaults to steal the authentication
> data out of the core dump file, and thus made the file chmod 400 so
> that only root has access to the compiled passwords. While this fixes
> this particular vulnerability, it really only fixes one particular
> problem with libvpopmail.a.
> 
> 
> 2. Description of the Problem
> - -----------------------------
> As pointed out above, the passwords to the MySQL server get compiled
> into libvpopmail.a which is where they belong for various reasons,
> which basically means that one can get them out of there rather
> easily (a short description for FreeBSD 4.3/gcc 2.95.2 is below).
> Now since all the command line utilities link against libvpopmail.a,
> they all contain the passwords too. This means that there's
> absolutely no need to write some code that will segfault as all
> binaries are chmod 755 which means that every user can read their
> contents, including the passwords.
> 
> 
> 3. Principal attack
> - -------------------
> On FreeBSD 4.3/gcc 2.95.2 and vpopmail-4.10.35/4.10 (first one is the
> development snapshot) the username and password are saved in the same
> line as the error message
> could not connect to mysql
> All you have to do now is to open the file in a text editor, search
> for the string and grab the passwords a few bytes earlier. You now
> can connect to the DB server and do whatever you like with the data
> you gained access to.
> (the following paragraph is based on assumptions, as we don't run the
> mysql module ourselves) In some versions, this probably involves
> access to forwards, which means that you could be able to spawn an
> arbitrary executable under the uid vpopmail runs (normally vpopmail,
> which means that all the email data is in danger, but when the multi
> Unix user scheme is used root, i.e. complete control of the system).
> 
> 
> 4. Background
> - -------------
> It's widely known that saving DB passwords anywhere on the system
> causes a big risk that they will be stolen, but there isn't any other
> solution for daemons to work with databases, as it is obviously
> impossible to run them interactively, typing the password every time
> they are used. There ain't any real solution against this for
> interpreted code, but for binaries one can at least remove the r bits
> from the permissions to prevent users stealing the passwords out of
> the binaries. We suspect that there are many other programs out there
> that suffer from the same problem.
> 
> 
> 5. Solution
> - -----------
> Run
> # chmod 711 ~vpopmail/bin/*
> # chmod 400 ~vpopmail/lib/*
> (substitute the second argument with the directory vpopmail is
> located in on your system, if needed).  Or install the latest vpopmail
> release, where the binaries are installed this way from the beginning.
> Another approach would be to run qmail/vpopmail on a dedicated server
> without any users except root, but we understand that this isn't an
> option in many environments.
> 
> 
> 6. Final comments
> - -----------------
> With the increasing dependence on DBMS (not just MySQL) for more and
> more tools which potentially could do a lot of damage to the system
> given the DBMS data is altered in a malicious way, it of course
> becomes increasingly important that the DBMS is secure.
> 
> - ---------------------------------------------------------------------
> Copyright (c) 2001 BUZ.CH, permission for archival and reproduction
> is hereby granted, provided that this copyright modification remains
> intact and that any modifications are clearly marked so.
> - ---------------------------------------------------------------------
> 
> 
> Ken: change line 111 of makefile.am for vpopmail-4.10.35
>         chmod 111 $(DESTDIR)@vpopmaildir@/bin
> and line 86 for 4.9.10 to
>         chmod 711 $(DESTDIR)@vpopmaildir@/bin/*
>         chmod 600 $(DESTDIR)@vpopmaildir@/lib/*
> 
> 
> Best regards,
>  Gabriel
> 
-- 
[EMAIL PROTECTED]
Inter7 Internet Technologies, Inc.
www.inter7.coom - 847-492-0470
Prices at http://www.inter7.com/prices

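An added audit for the permission fix in section 5 of the quoted advisory (example code written for this page, not from Inter7 or BUZ.CH). It assumes the vpopmail bin and lib directories are passed as arguments and checks mode bits only, so it covers the world-readable-binary route and not the core-dump route described in the reply.

```shell
#!/bin/sh
# Flags vpopmail binaries still readable by group/other and library files
# readable by anyone but the owner, then optionally applies the advisory's
# "chmod 711 bin/*" / "chmod 400 lib/*" fix. Directory paths are arguments
# (assumed: ~vpopmail/bin and ~vpopmail/lib on a real install).

# Print a file's mode as octal digits: GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when every file is clean, 1 when at least one file leaks contents.
audit_vpopmail_perms() {
    bindir="$1" libdir="$2" bad=0
    for f in "$bindir"/*; do
        [ -f "$f" ] || continue
        # Any group/other read bit (044) lets a local user read the binary,
        # and with it the MySQL credentials linked in from libvpopmail.a.
        if [ $(( 0$(file_mode "$f") & 044 )) -ne 0 ]; then
            echo "READABLE binary: $f (mode $(file_mode "$f"))"; bad=1
        fi
    done
    for f in "$libdir"/*; do
        [ -f "$f" ] || continue
        # The static library must be owner-only: no group/other bits (077).
        if [ $(( 0$(file_mode "$f") & 077 )) -ne 0 ]; then
            echo "EXPOSED library: $f (mode $(file_mode "$f"))"; bad=1
        fi
    done
    return $bad
}

# Apply exactly the fix given in the advisory's "Solution" section.
harden_vpopmail_perms() {
    chmod 711 "$1"/* && chmod 400 "$2"/*
}
```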