pam authentication module does not call pam_acct_mgmt

Related Vulnerabilities: CVE-2005-3532  

Debian Bug report logs - #211920

Reported by: Patrick Cheong Shu Yang <shuyang@pop.jaring.my>

Date: Sun, 21 Sep 2003 08:33:07 UTC

Severity: important

Tags: patch, security

Fixed in version courier/0.47-12

Done: Stefan Hornburg (Racke) <racke@linuxia.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Stefan Hornburg (Racke) <racke@linuxia.de>:
Bug#211920; Package courier-imap-ssl.


Acknowledgement sent to Patrick Cheong Shu Yang <shuyang@pop.jaring.my>:
New Bug report received and forwarded. Copy sent to Stefan Hornburg (Racke) <racke@linuxia.de>.


Message #5 received at submit@bugs.debian.org:

From: Patrick Cheong Shu Yang <shuyang@pop.jaring.my>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: courier-imap-ssl: allow login after pam_tally counter exceeded defined threshold
Date: Sun, 21 Sep 2003 16:31:31 +0800
Package: courier-imap-ssl
Version: unavailable; reported 2003-09-21
Severity: important
Tags: security



-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux gecko 2.4.20 #1 Sun Aug 17 14:55:05 MYT 2003 i686
Locale: LANG=C, LC_CTYPE=C

pam_tally allows logins even after the pre-defined threshold is exceeded;
and
the pam_tally counter continues to increase upon successful login following
a failed login




Information forwarded to debian-bugs-dist@lists.debian.org, Stefan Hornburg (Racke) <racke@linuxia.de>:
Bug#211920; Package courier-imap-ssl.


Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Stefan Hornburg (Racke) <racke@linuxia.de>.


Message #10 received at 211920@bugs.debian.org:

From: Matt Zimmerman <mdz@debian.org>
To: Patrick Cheong Shu Yang <shuyang@pop.jaring.my>, 211920@bugs.debian.org
Subject: Re: Bug#211920: courier-imap-ssl: allow login after pam_tally counter exceeded defined threshold
Date: Sun, 21 Sep 2003 12:27:10 -0400
On Sun, Sep 21, 2003 at 04:31:31PM +0800, Patrick Cheong Shu Yang wrote:

> pam_tally allow logins even after the pre-defined threshold is exceeded;
> and pam_tally counter continues to increase upon successful login
> following a failed login

How is this a bug in courier-imap-ssl?

-- 
 - mdz



Information forwarded to debian-bugs-dist@lists.debian.org, Stefan Hornburg (Racke) <racke@linuxia.de>:
Bug#211920; Package courier-imap-ssl.


Acknowledgement sent to Patrick Cheong Shu Yang <shuyang@pop.jaring.my>:
Extra info received and forwarded to list. Copy sent to Stefan Hornburg (Racke) <racke@linuxia.de>.


Message #15 received at 211920@bugs.debian.org:

From: Patrick Cheong Shu Yang <shuyang@pop.jaring.my>
To: Matt Zimmerman <mdz@debian.org>
Cc: 211920@bugs.debian.org
Subject: Re: Bug#211920: courier-imap-ssl: allow login after pam_tally counter exceeded defined threshold
Date: Mon, 22 Sep 2003 13:30:37 +0800
Because with SSH it works correctly, as with uw-imap, but with courier it
does not. It would appear as if courier does not honour the return
result from PAM and, since it runs as root, it allows the user login to
continue.



Quoting Matt Zimmerman <mdz@debian.org>:

> On Sun, Sep 21, 2003 at 04:31:31PM +0800, Patrick Cheong Shu Yang
> wrote:
> 
> > pam_tally allow logins even after the pre-defined threshold is
> exceeded;
> > and pam_tally counter continues to increase upon successful login
> > following a failed login
> 
> How is this a bug in courier-imap-ssl?
> 
> -- 
>  - mdz
> 



----------------------------------------------------------------
This e-mail has been sent via JARING webmail at http://www.jaring.my



Information forwarded to debian-bugs-dist@lists.debian.org, Stefan Hornburg (Racke) <racke@linuxia.de>:
Bug#211920; Package courier-imap-ssl.


Acknowledgement sent to David Härdeman <david@2gen.com>:
Extra info received and forwarded to list. Copy sent to Stefan Hornburg (Racke) <racke@linuxia.de>.


Message #20 received at 211920@bugs.debian.org:

From: David Härdeman <david@2gen.com>
To: 211920@bugs.debian.org
Cc: team@security.debian.org
Subject: Security bug (courier ignores pam failures) still present in sarge
Date: Tue, 25 Oct 2005 20:46:22 +0200
I am still seeing this problem in the version of courier included in 
sarge. Courier seems to happily ignore the result of the pam check and 
continue anyway (when using the pam_tally module).

I would suggest that this warrants the security tag and a security 
update as it allows a user to try to crack passwords with a brute-force 
approach even if countermeasures (i.e. pam-tally) are in place.

This bug should probably be reassigned to courier-authdaemon 
since I have the feeling that it is responsible for the pam 
conversation. See also bug 256231 for related pam problems.

Re,
David



Information forwarded to debian-bugs-dist@lists.debian.org, Stefan Hornburg (Racke) <racke@linuxia.de>:
Bug#211920; Package courier-imap-ssl.


Acknowledgement sent to David Härdeman <david@2gen.com>:
Extra info received and forwarded to list. Copy sent to Stefan Hornburg (Racke) <racke@linuxia.de>.


Message #25 received at 211920@bugs.debian.org:

From: David Härdeman <david@2gen.com>
To: 211920@bugs.debian.org
Cc: team@security.debian.org
Subject: Solution found for bug #211920
Date: Thu, 27 Oct 2005 23:11:52 +0200
I've found the problem...

authlib/authpam.c doesn't call pam_acct_mgmt meaning that no check is 
performed if the user should actually be permitted access. This also 
means that the problem lies with courier-authdaemon rather than 
courier-imap(-ssl).

For an explanation of pam_acct_mgmt, see:
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl-3.html
"This function is typically called after the user has been 
authenticated. It establishes whether the user's account is healthy. 
That is to say, whether the user's account is still active and whether 
the user is permitted to gain access to the system at this time."

also the example app at:
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl-8.html

I've included a patch which fixes the problem by restoring the 
pam_acct_mgmt call. I've built courier-authdaemon with this patch 
applied and verified that it does indeed fix the problem and it seems to 
have no side effects.

I hope that a fixed version can be included in sarge as soon as possible 
since this could potentially be a security issue (e.g. if the account 
has been disabled, access would still be granted).

Re,
David Härdeman

[authpam.patch (text/plain, attachment)]
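The two-phase PAM sequence David describes above (pam_authenticate followed by pam_acct_mgmt), as an added example that is not part of this bug log, of Courier's authlib/authpam.c, or of libpam: a self-contained Python model of the application side, so the effect of skipping pam_acct_mgmt() can be run and seen. The return-code values are Linux-PAM's; the module behaviour is an assumption made for illustration, with the credential check and failure tally in the auth phase and the lockout check, disabled-account check and tally reset in the account phase, which is what the thread's symptoms (logins past the threshold, counter never reset, disabled account still admitted) correspond to when that phase never runs. Real pam_tally divides its work between the auth, setcred and account phases according to how it is listed in the service file; the accounts and the deny=3 threshold are constructed.

```python
# Added example, not Courier's code or libpam: an in-process model of the
# application-side PAM call sequence bug #211920 is about. Return codes carry
# Linux-PAM's numeric values; module behaviour is an assumption for
# illustration (auth phase checks the credential and bumps a failure tally,
# account phase enforces disabled/locked-out state and resets the tally).
from dataclasses import dataclass

PAM_SUCCESS = 0
PAM_PERM_DENIED = 6
PAM_AUTH_ERR = 7
PAM_USER_UNKNOWN = 10
PAM_MAXTRIES = 11

DENY_THRESHOLD = 3  # modelled "deny=3" lockout setting (constructed value)


@dataclass
class Account:
    password: str
    disabled: bool = False
    tally: int = 0  # consecutive failed logins, pam_tally style


@dataclass
class PamHandle:
    """Stand-in for pam_handle_t: account store plus PAM_USER / PAM_AUTHTOK items."""
    db: dict
    user: str
    authtok: str


def pam_authenticate(h):
    """Auth phase: only the credential is checked; a miss is tallied."""
    acct = h.db.get(h.user)
    if acct is None:
        return PAM_USER_UNKNOWN
    if acct.password != h.authtok:
        acct.tally += 1
        return PAM_AUTH_ERR
    return PAM_SUCCESS


def pam_acct_mgmt(h):
    """Account phase: may this account log in right now? A disabled account
    and a tally at or over the threshold are refused; a good login resets it."""
    acct = h.db[h.user]
    if acct.disabled:
        return PAM_PERM_DENIED
    if acct.tally >= DENY_THRESHOLD:
        return PAM_MAXTRIES
    acct.tally = 0
    return PAM_SUCCESS


def login_authenticate_only(db, user, password):
    """Sequence of Courier's authpam.c before 0.47-12: pam_acct_mgmt() is
    never called, so nothing decided in the account phase is enforced."""
    return pam_authenticate(PamHandle(db, user, password)) == PAM_SUCCESS


def login_with_acct_mgmt(db, user, password):
    """Restored sequence: authenticate, then ask whether the account may log in."""
    h = PamHandle(db, user, password)
    if pam_authenticate(h) != PAM_SUCCESS:
        return False
    return pam_acct_mgmt(h) == PAM_SUCCESS


def attempt_series(login, db, user, wrong_guesses, real_password):
    """Run the wrong guesses, then the real password.
    Returns (last attempt succeeded?, failure tally afterwards)."""
    for guess in wrong_guesses:
        login(db, user, guess)
    return login(db, user, real_password), db[user].tally


def fresh_db():
    """Constructed sample accounts."""
    return {
        "alice": Account(password="correct horse"),
        "mallory": Account(password="hunter2", disabled=True),
    }


def demo():
    past = ["a", "b", "c", "d"]  # four misses, over deny=3
    one = ["a"]
    return {
        # brute force past the threshold: the buggy flow still lets the right guess in
        "past_threshold_authenticate_only": attempt_series(login_authenticate_only, fresh_db(), "alice", past, "correct horse"),
        "past_threshold_with_acct_mgmt": attempt_series(login_with_acct_mgmt, fresh_db(), "alice", past, "correct horse"),
        # one miss, then a good login: the tally is only reset when the account phase runs
        "one_miss_authenticate_only": attempt_series(login_authenticate_only, fresh_db(), "alice", one, "correct horse"),
        "one_miss_with_acct_mgmt": attempt_series(login_with_acct_mgmt, fresh_db(), "alice", one, "correct horse"),
        # a disabled account presenting its valid password
        "disabled_authenticate_only": login_authenticate_only(fresh_db(), "mallory", "hunter2"),
        "disabled_with_acct_mgmt": login_with_acct_mgmt(fresh_db(), "mallory", "hunter2"),
    }
```

Calling demo() gives the three pairs side by side: with authenticate-only the brute force past the threshold succeeds and the tally reads 4, the tally after one miss is never reset, and the disabled account is admitted; with pam_acct_mgmt() restored the same attempts are refused (PAM_MAXTRIES, PAM_PERM_DENIED) and a clean login resets the tally to 0. The check a reviewer would apply to any PAM-using service is the same as the one in the model: after pam_authenticate() returns PAM_SUCCESS, the application must also call pam_acct_mgmt() and treat anything other than PAM_SUCCESS as a refused login.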

Information forwarded to debian-bugs-dist@lists.debian.org, Stefan Hornburg (Racke) <racke@linuxia.de>:
Bug#211920; Package courier-imap-ssl.


Acknowledgement sent to Stefan Hornburg <racke@linuxia.de>:
Extra info received and forwarded to list. Copy sent to Stefan Hornburg (Racke) <racke@linuxia.de>.


Message #30 received at 211920@bugs.debian.org:

From: Stefan Hornburg <racke@linuxia.de>
To: David Härdeman <david@2gen.com>, 211920@bugs.debian.org
Cc: racke@linuxia.de
Subject: Re: Bug#211920: Solution found for bug #211920
Date: Thu, 27 Oct 2005 23:27:04 +0200
On Thu, 27 Oct 2005 23:11:52 +0200
David Härdeman <david@2gen.com> wrote:

> I've found the problem...
> 
> authlib/authpam.c doesn't call pam_acct_mgmt meaning that no check is 
> performed if the user should actually be permitted access. This also 
> means that the problem lies with courier-authdaemon rather than 
> courier-imap(-ssl).
> 
> For an explanation of pam_acct_mgmt, see:
> http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl-3.html
> "This function is typically called after the user has been 
> authenticated. It establishes whether the user's account is healthy. 
> That is to say, whether the user's account is still active and whether 
> the user is permitted to gain access to the system at this time."
> 
> also the example app at:
> http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl-8.html
> 
> I've included a patch which fixes the problem by restoring the 
> pam_acct_mgmt call. I've built courier-authdaemon with this patch 
> applied and verified that it does indeed fix the problem and it seems to 
> have no side effects.

Thanks for your investigation and your patch. I'll contact upstream to get
a comment from him about this patch and simultaneously build a new version
of Courier with this patch included.

> 
> I hope that a fixed version can be included in sarge as soon as possible 
> since this could potentially be a security issue (e.g. if the account 
> has been disabled, access would still be granted).
> 

Please contact the security team about this matter.

With regards

	Racke


-- 
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team




Bug reassigned from package `courier-imap-ssl' to `courier-authdaemon'. Request was from David Härdeman <david@2gen.com> to control@bugs.debian.org.


Changed Bug title. Request was from David Härdeman <david@2gen.com> to control@bugs.debian.org.


Tags added: patch. Request was from David Härdeman <david@2gen.com> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Stefan Hornburg (Racke) <racke@linuxia.de>:
Bug#211920; Package courier-authdaemon.


Acknowledgement sent to Stefan Hornburg <racke@linuxia.de>:
Extra info received and forwarded to list. Copy sent to Stefan Hornburg (Racke) <racke@linuxia.de>.


Message #41 received at 211920@bugs.debian.org:

From: Stefan Hornburg <racke@linuxia.de>
To: David Härdeman <david@2gen.com>
Cc: racke@linuxia.de
Subject: Re: Bug#211920: Solution found for bug #211920
Date: Fri, 28 Oct 2005 00:45:02 +0200
On Thu, 27 Oct 2005 23:36:49 +0200
David Härdeman <david@2gen.com> wrote:

> On Thu, Oct 27, 2005 at 11:27:04PM +0200, Stefan Hornburg wrote:
> >On Thu, 27 Oct 2005 23:11:52 +0200 David Härdeman <david@2gen.com> wrote:
> >> I hope that a fixed version can be included in sarge as soon as possible 
> >> since this could potentially be a security issue (e.g. if the account 
> >> has been disabled, access would still be granted).
> >
> >Please contact the security team about this matter.
> 
> Yep, I cc:ed them in the mail so I'll wait and see what they decide.

FYI: I found a message from upstream author Sam Varshavchik about the reason
why he disabled this call in the courier-imap mailing list:

--snip--
Aman Gupta writes:
> I am trying to figure out why the pam_acct_mgmt() function call was
> commented out 4 years ago in this cvs update:
> http://cvs.sourceforge.net/viewcvs.py/courier/libs/authlib/authpam.c?...

It appears that the reason is memory leaks in PAM.

> If possible, please uncomment this code so that pam account modules can
> be used to control access based on time, date, group membership, etc.

Can't you uncomment it yourself, and see what happens? 
--snap--

So I suppose it is safe to enable this call.

Bye
	Racke


-- 
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team




Reply sent to Stefan Hornburg (Racke) <racke@linuxia.de>:
You have taken responsibility.


Notification sent to Patrick Cheong Shu Yang <shuyang@pop.jaring.my>:
Bug acknowledged by developer.


Message #46 received at 211920-close@bugs.debian.org:

From: Stefan Hornburg (Racke) <racke@linuxia.de>
To: 211920-close@bugs.debian.org
Subject: Bug#211920: fixed in courier 0.47-12
Date: Thu, 10 Nov 2005 08:02:09 -0800
Source: courier
Source-Version: 0.47-12

We believe that the bug you reported is fixed in the latest version of
courier, which is due to be installed in the Debian FTP archive:

courier-authdaemon_0.47-12_i386.deb
  to pool/main/c/courier/courier-authdaemon_0.47-12_i386.deb
courier-authmysql_0.47-12_i386.deb
  to pool/main/c/courier/courier-authmysql_0.47-12_i386.deb
courier-authpostgresql_0.47-12_i386.deb
  to pool/main/c/courier/courier-authpostgresql_0.47-12_i386.deb
courier-base_0.47-12_i386.deb
  to pool/main/c/courier/courier-base_0.47-12_i386.deb
courier-doc_0.47-12_all.deb
  to pool/main/c/courier/courier-doc_0.47-12_all.deb
courier-faxmail_0.47-12_i386.deb
  to pool/main/c/courier/courier-faxmail_0.47-12_i386.deb
courier-imap-ssl_3.0.8-12_i386.deb
  to pool/main/c/courier/courier-imap-ssl_3.0.8-12_i386.deb
courier-imap_3.0.8-12_i386.deb
  to pool/main/c/courier/courier-imap_3.0.8-12_i386.deb
courier-ldap_0.47-12_i386.deb
  to pool/main/c/courier/courier-ldap_0.47-12_i386.deb
courier-maildrop_0.47-12_i386.deb
  to pool/main/c/courier/courier-maildrop_0.47-12_i386.deb
courier-mlm_0.47-12_i386.deb
  to pool/main/c/courier/courier-mlm_0.47-12_i386.deb
courier-mta-ssl_0.47-12_i386.deb
  to pool/main/c/courier/courier-mta-ssl_0.47-12_i386.deb
courier-mta_0.47-12_i386.deb
  to pool/main/c/courier/courier-mta_0.47-12_i386.deb
courier-pcp_0.47-12_i386.deb
  to pool/main/c/courier/courier-pcp_0.47-12_i386.deb
courier-pop-ssl_0.47-12_i386.deb
  to pool/main/c/courier/courier-pop-ssl_0.47-12_i386.deb
courier-pop_0.47-12_i386.deb
  to pool/main/c/courier/courier-pop_0.47-12_i386.deb
courier-ssl_0.47-12_i386.deb
  to pool/main/c/courier/courier-ssl_0.47-12_i386.deb
courier-webadmin_0.47-12_i386.deb
  to pool/main/c/courier/courier-webadmin_0.47-12_i386.deb
courier_0.47-12.diff.gz
  to pool/main/c/courier/courier_0.47-12.diff.gz
courier_0.47-12.dsc
  to pool/main/c/courier/courier_0.47-12.dsc
sqwebmail_0.47-12_i386.deb
  to pool/main/c/courier/sqwebmail_0.47-12_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 211920@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Hornburg (Racke) <racke@linuxia.de> (supplier of updated courier package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 27 Oct 2005 23:35:25 +0200
Source: courier
Binary: courier-authpostgresql courier-ldap courier-faxmail courier-pcp courier-authmysql courier-imap courier-authdaemon courier-base sqwebmail courier-ssl courier-pop courier-mta courier-webadmin courier-imap-ssl courier-doc courier-mlm courier-maildrop courier-mta-ssl courier-pop-ssl
Architecture: source i386 all
Version: 0.47-12
Distribution: unstable
Urgency: low
Maintainer: Stefan Hornburg (Racke) <racke@linuxia.de>
Changed-By: Stefan Hornburg (Racke) <racke@linuxia.de>
Description: 
 courier-authdaemon - Courier Mail Server - Authentication daemon
 courier-authmysql - Courier Mail Server - MySQL authentication
 courier-authpostgresql - Courier Mail Server - PostgreSQL Authentication
 courier-base - Courier Mail Server - Base system
 courier-doc - Courier Mail Server - Additional documentation
 courier-faxmail - Courier Mail Server - Faxmail gateway
 courier-imap - Courier Mail Server - IMAP server
 courier-imap-ssl - Courier Mail Server - IMAP over SSL
 courier-ldap - Courier Mail Server - LDAP support
 courier-maildrop - Courier Mail Server - Mail delivery agent
 courier-mlm - Courier Mail Server - Mailing list manager
 courier-mta - Courier Mail Server - ESMTP daemon
 courier-mta-ssl - Courier Mail Server - ESMTP over SSL
 courier-pcp - Courier Mail Server - PCP server
 courier-pop - Courier Mail Server - POP3 server
 courier-pop-ssl - Courier Mail Server - POP3 over SSL
 courier-ssl - Courier Mail Server - SSL/TLS Support
 courier-webadmin - Courier Mail Server - Web-based administration frontend
 sqwebmail  - Courier Mail Server - Webmail server
Closes: 211920
Changes: 
 courier (0.47-12) unstable; urgency=low
 .
   * restoring call to pam_acct_mgmt (Closes: #211920, thanks to Patrick
     Cheong Shu Yang <shuyang@pop.jaring.my> for the report and David
     Härdeman <david@2gen.com> for the patch)
Files: 
 751a5aa61fd05e6eb1fedfa70e153304 1207 mail optional courier_0.47-12.dsc
 f01e90bff9938618180eef5dd5d93dc8 103794 mail optional courier_0.47-12.diff.gz
 2631cd65d8522490ebb060a6abc247e2 369166 doc optional courier-doc_0.47-12_all.deb
 f44291e4b7eb031a4a7c15a29d60c14d 234606 mail optional courier-base_0.47-12_i386.deb
 f211f08d1c2e5d21fb4a0ef984058e69 932244 mail optional courier-maildrop_0.47-12_i386.deb
 3a7ef3dbb4fb0d432e118747064b03b3 109700 mail optional courier-mlm_0.47-12_i386.deb
 ada783f655bb384ebf33d8ef0d750850 2077754 mail extra courier-mta_0.47-12_i386.deb
 1d9b8bbb80518ba47e17312e6d50922a 29294 mail optional courier-faxmail_0.47-12_i386.deb
 1c4488fe3b1cc219aa11c853e0a504a7 36576 mail optional courier-webadmin_0.47-12_i386.deb
 9aaf4c9c94f5c05ca139c3e5a2e91d98 781320 mail optional sqwebmail_0.47-12_i386.deb
 c9557d45761e52e040e15d4267570233 61140 mail optional courier-pcp_0.47-12_i386.deb
 1b99bcb0f2077619477df179474f7868 417852 mail extra courier-pop_0.47-12_i386.deb
 54b390b3b51593a7eb03ba3625eea500 67070 mail optional courier-ldap_0.47-12_i386.deb
 44d12990ec2a3e4ebfe7f6acc28b6a72 56104 mail optional courier-authdaemon_0.47-12_i386.deb
 e2eaa29870eb602a97f4f5b9a7267e59 52348 mail optional courier-authmysql_0.47-12_i386.deb
 7ac65a820246edbf1b860d4af2ab7bd0 193100 mail optional courier-ssl_0.47-12_i386.deb
 e7a89bece11a083ec4ad2cfbee20f89d 19798 mail extra courier-mta-ssl_0.47-12_i386.deb
 fe455ee5a5a7f610913d37084f3c92b9 21296 mail optional courier-pop-ssl_0.47-12_i386.deb
 85f5815813c5f1871253aa15ed0447c3 52400 mail optional courier-authpostgresql_0.47-12_i386.deb
 c013966ecacf75809fe43a6e649ef56c 939692 mail extra courier-imap_3.0.8-12_i386.deb
 26deb8804ab0316dd57a9899771f94e2 21518 mail extra courier-imap-ssl_3.0.8-12_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDc0PUjgVfE5tya3ERAiY8AJ9XCF30479BXZ+Pz0AAotkG+T5vZQCgwkc4
pF/yO6GZLmK/BYe7J6EhMtg=
=E3e9
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Stefan Hornburg (Racke) <racke@linuxia.de>:
Bug#211920; Package courier-authdaemon.


Acknowledgement sent to Stefan Hornburg <racke@linuxia.de>:
Extra info received and forwarded to list. Copy sent to Stefan Hornburg (Racke) <racke@linuxia.de>.


Message #51 received at 211920@bugs.debian.org:

From: Stefan Hornburg <racke@linuxia.de>
To: Matt Zimmerman <mdz@debian.org>, team@security.debian.org, 211920@bugs.debian.org
Subject: Re: Bug#211920: courier-imap-ssl: allow login after pam_tally counter exceeded defined threshold
Date: Fri, 11 Nov 2005 10:14:53 +0100
Matt Zimmerman wrote:
> On Sun, Sep 21, 2003 at 04:31:31PM +0800, Patrick Cheong Shu Yang wrote:
> 
> 
>>pam_tally allow logins even after the pre-defined threshold is exceeded;
>>and pam_tally counter continues to increase upon successful login
>>following a failed login
> 
> 
> How is this a bug in courier-imap-ssl?
> 

It is, courier-authdaemon didn't call pam_acct_mgmt. Does this warrant
a security update?

Bye
	Racke



Information forwarded to debian-bugs-dist@lists.debian.org, Stefan Hornburg (Racke) <racke@linuxia.de>:
Bug#211920; Package courier-authdaemon.


Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Stefan Hornburg (Racke) <racke@linuxia.de>.


Message #56 received at 211920@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Stefan Hornburg <racke@linuxia.de>
Cc: Matt Zimmerman <mdz@debian.org>, team@security.debian.org, 211920@bugs.debian.org
Subject: Re: Bug#211920: courier-imap-ssl: allow login after pam_tally counter exceeded defined threshold
Date: Sun, 20 Nov 2005 11:18:31 +0100
Stefan Hornburg wrote:
> >>pam_tally allow logins even after the pre-defined threshold is exceeded;
> >>and pam_tally counter continues to increase upon successful login
> >>following a failed login
> >
> >How is this a bug in courier-imap-ssl?
> >
> 
> It is, courier-authdaemon didn't call pam_acct_mgmt. Does this warrant
> a security update ?

After reading the entire bug log, I guess so.  I've assigned CVE-2005-3532,
please mention it in the changelog when you're doing the next upload.

Regards,

	Joey

-- 
Life is a lot easier when you have someone to share it with.  -- Sean Perry

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Stefan Hornburg (Racke) <racke@linuxia.de>:
Bug#211920; Package courier-authdaemon.


Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Stefan Hornburg (Racke) <racke@linuxia.de>.


Message #61 received at 211920@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: David Härdeman <david@2gen.com>
Cc: 211920@bugs.debian.org, team@security.debian.org
Subject: Re: Security bug (courier ignores pam failures) still present in sarge
Date: Sun, 20 Nov 2005 13:34:39 +0100
David Härdeman wrote:
> I am still seeing this problem in the version of courier included in 
> sarge. Courier seems to happily ignore the result of the pam check and 
> continue anyway (when using the pam_tally module).
> 
> I would suggest that this warrants the security tag and a security 
> update as it allows a user to try to crack passwords with a brute-force 
> approach even if countermeasures (i.e. pam-tally) is in place.
> 
> This bug should probably be reassigned to courier-authdaemon 
> since I have the feeling that it is responsible for the pam 
> conversation. See also bug 256231 for related pam problems.

I'm building updated packages now and have assigned CVE-2005-3532 to
this problem.  Thanks a lot for the patch.

Regards,

	Joey

-- 
Life is a lot easier when you have someone to share it with.  -- Sean Perry

Please always Cc to me when replying to me on the lists.



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 04 Jul 2007 07:41:34 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:44:04 2019; Machine Name: beach
