Author: JT Smith
At Help Net Security, contributor Charles Chear compared two sessions with Qpopper on his Red Hat Linux 7.x box, and uncovered a security issue that occurs with PAM integration: “If you take a look carefully between the two sessions, both give different auth fail
responses. Using this, you can brute force and verify an account exists or not. The
problem, I’m assuming, is the intrusion of pam.d in the whole authentication process.I
also tested this on an FreeBSD 4.3 box with qpopper 4.0.3. There, the same fail
response was given whether or not the username really did exist. I’ve also tested an
install of qpopper on Redhat straight from a tarball that compiled without PAM
support. It responded securely and as it should.. with the same response whether or
not the account really exists.”
responses. Using this, you can brute force and verify an account exists or not. The
problem, I’m assuming, is the intrusion of pam.d in the whole authentication process.I
also tested this on an FreeBSD 4.3 box with qpopper 4.0.3. There, the same fail
response was given whether or not the username really did exist. I’ve also tested an
install of qpopper on Redhat straight from a tarball that compiled without PAM
support. It responded securely and as it should.. with the same response whether or
not the account really exists.”
Category:
- Linux
