The OpenNET Project
SASL (v1/v2) MYSQL/LDAP authentication patch.


Date: Tue, 2 Apr 2002 11:06:27 +0100 (BST)
From: Simon Loader <simon@surf.org.uk>
To: bugtraq@securityfocus.com
Subject: SASL (v1/v2) MYSQL/LDAP authentication patch.
Cc: iberiozko@infodom.ru



Dear bugtraq

  I don't know if this is valid for bugtraq, but this patch
is downloaded about 100 times a month (~10%).


Name: sasl auth patch for mysql and ldap
Systems Affected: All
Severity: High ?
Patch-Home-site: www.surf.org.uk

Description:
************

 A security bug in the SASL auth PATCH against cyrus sasl 1.5.24 and
cyrus sasl 1.5.27 to provide authentication against MYSQL and LDAP (LDAP
side not affected) by iberiozko@infodom.ru. This would allow any user via
POP to authenticate as anyone else via POP. The auxprop patch to SASL v2
is probably not vulnerable (has been patched anyway). This piece of
code was based on some code by David Matthew Zendzian DMZS.com (he
has had a fixed patch out for a while). It is also the code used in
FreeBSD ports when another auth mechanism is selected when installing
cyrus sasl.

Detail:
*******

Email from Берёзко Иван <iberiozko@infodom.ru> :

There is a bug in Cyrus SASL 1.5.27 LDAP+MYSQL auth patch (same with
previous versions). You create a query string this way:

--------
sprintf(qbuf,QUERY_STRING,db_uidcol,db_table,db_uidcol,userid,db_pwcol,password);
--------

You do not escape userid and password, allowing an attacker to authenticate.
Look at my example (doing telnet to pop3 server using Cyrus-SASL + Mysql,
built with -DUSE_CRYPT_PASSWORD).

--------
USER somename
+OK Name is a valid mailbox
PASS ') OR 1=1 HAVING FLOOR(RAND()*100)=1 AND ('1'='1
+OK Maildrop locked and ready
LIST
--------

Supplying a password like "') OR 1=1 HAVING FLOOR(RAND()*100)=1 AND ('1'='1"
(without double quotes) will _sometimes_ allow authentication. If an
attacker knows internal database structure (column names, for example), he
will be able to authenticate at the first try.

Fix Information:
****************

There is a new release of the patch available from http://www.surf.org.uk/
and http://sourceforge.net/projects/cyrus-utils/. The code was originally
by DMZ of http://www.dmzs.com/~dmz/projects/cyrus/ but he has had a fix
up for about a year now.

 The Auxprop patch for SASL V2 is probably not vulnerable (noting
if knowing the user's password) but has been patched too.


Anything else:
**************

  I am thinking of starting a mailing list for all the patches I
get for this patch and security things like this. Would anyone be
interested?

Anything else you may care to know may be directed at me:
simon@surf.org.uk.

--
Simon Loader
7 months unemployed and checking out card board boxes.
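The following is an added illustration of the defect described in the report above; it is not code from the patch, from Simon Loader, or from the quoted report. It rebuilds the lookup query the vulnerable way (the bare sprintf with unescaped userid and password) and beside it a hardened builder that bounds the field lengths and backslash-escapes the values before formatting. The shape of the QUERY_STRING macro, the column and table names, and the buffer sizes are assumptions; the advisory shows only the argument order. The password from the advisory's telnet session is reused so that the quote-count check can show it staying inside its literal once escaped.

```c
#include <stdio.h>
#include <string.h>

/* Assumed shape of the patch's QUERY_STRING macro; the advisory only shows
 * the argument order (uidcol, table, uidcol, userid, pwcol, password). */
#define QUERY_STRING "SELECT %s FROM %s WHERE %s='%s' AND %s=PASSWORD('%s')"
#define QUERY_QUOTES 4        /* single quotes in QUERY_STRING itself */
#define QBUF_LEN 1024
#define MAX_FIELD 256

/* The password from the advisory's telnet session, used here only to show
 * that escaping keeps it inside the quoted literal. */
#define INJECTED_PASSWORD "') OR 1=1 HAVING FLOOR(RAND()*100)=1 AND ('1'='1"

/* Vulnerable construction, as in the patch: untrusted userid and password
 * are pasted straight into the SQL text. Column and table names are
 * constants here; in the patch they come from the configuration. */
int build_query_unsafe(char *qbuf, size_t len,
                       const char *userid, const char *password)
{
    int n = snprintf(qbuf, len, QUERY_STRING,
                     "uid", "users", "uid", userid, "password", password);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Backslash-escape the characters MySQL treats specially inside a quoted
 * literal (the set mysql_real_escape_string handles, minus NUL, which a C
 * string cannot carry). Returns bytes written, or -1 if dst is too small. */
int sql_escape(char *dst, size_t dstlen, const char *src)
{
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)src; *p; p++) {
        char esc = 0;
        switch (*p) {
        case '\\': esc = '\\'; break;
        case '\'': esc = '\''; break;
        case '"':  esc = '"';  break;
        case '\n': esc = 'n';  break;
        case '\r': esc = 'r';  break;
        case 0x1a: esc = 'Z';  break;   /* Ctrl-Z, end-of-file on Windows */
        }
        if (esc) {
            if (o + 2 >= dstlen) return -1;
            dst[o++] = '\\';
            dst[o++] = esc;
        } else {
            if (o + 1 >= dstlen) return -1;
            dst[o++] = (char)*p;
        }
    }
    dst[o] = '\0';
    return (int)o;
}

/* Hardened construction: bound the field lengths, escape both values, then
 * format. The client-supplied text can no longer close the quoted literal. */
int build_query_safe(char *qbuf, size_t len,
                     const char *userid, const char *password)
{
    char u[2 * MAX_FIELD + 1], p[2 * MAX_FIELD + 1];
    if (strlen(userid) > MAX_FIELD || strlen(password) > MAX_FIELD) return -1;
    if (sql_escape(u, sizeof u, userid) < 0 ||
        sql_escape(p, sizeof p, password) < 0) return -1;
    int n = snprintf(qbuf, len, QUERY_STRING,
                     "uid", "users", "uid", u, "password", p);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Count single quotes not preceded by a backslash, i.e. the ones the SQL
 * parser will see as literal delimiters. */
int count_unescaped_quotes(const char *q)
{
    int count = 0;
    for (const char *p = q; *p; p++) {
        if (*p == '\\' && p[1]) { p++; continue; }
        if (*p == '\'') count++;
    }
    return count;
}

/* Build the query one way or the other and report how many delimiters it
 * contains: a query that kept the input inside its quotes has exactly
 * QUERY_QUOTES of them, whatever the client sent. Returns -1 on error. */
int query_quote_count(const char *userid, const char *password, int safe)
{
    char q[QBUF_LEN];
    int n = safe ? build_query_safe(q, sizeof q, userid, password)
                 : build_query_unsafe(q, sizeof q, userid, password);
    return n < 0 ? -1 : count_unescaped_quotes(q);
}

int main(void)
{
    char q[QBUF_LEN];
    build_query_unsafe(q, sizeof q, "somename", INJECTED_PASSWORD);
    printf("unsafe (%d delimiters): %s\n", count_unescaped_quotes(q), q);
    build_query_safe(q, sizeof q, "somename", INJECTED_PASSWORD);
    printf("safe   (%d delimiters): %s\n", count_unescaped_quotes(q), q);
    return 0;
}
```

The hand-written escaper stands in for mysql_real_escape_string so the example compiles without libmysqlclient; in a real build the library routine (or, with a MySQL 4.1 or later client, a prepared statement via mysql_stmt_prepare with bound parameters) is the right tool, since it knows the connection's character set. The delimiter count is a cheap regression check for a fix like this one: run the builder over a corpus of awkward inputs (quotes, backslashes, CR/LF) and require the count to stay at QUERY_QUOTES every time.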
