
uw-imap: authentication bypass

Package(s): uw-imap imap
CVE #(s): CAN-2005-0198
Created: February 2, 2005
Updated: March 1, 2005
Description: The uw-imap package, prior to version 2004b, contains a vulnerability which can enable a remote attacker to bypass the authentication mechanism. This bug only affects CRAM-MD5 authentication, which is not enabled on all distributions.
Alerts:
SuSE SUSE-SA:2005:012 2005-03-01
Red Hat RHSA-2005:128-01 2005-02-23
Mandrake MDKSA-2005:026 2005-02-01
Gentoo 200502-02 2005-02-02


uw-imap: authentication bypass

Posted Feb 3, 2005 6:29 UTC (Thu) by bradfitz (subscriber, #4378) [Link]

See the bug?

-static int md5try = 3;
+static int md5try = MAXLOGINTRIALS;

char *auth_md5_server (authresponse_t responder,int argc,char *argv[])
{
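Review bot: replacing the literal 3 with MAXLOGINTRIALS is the right direction, but the patch adds no include, so confirm that MAXLOGINTRIALS is visible in this file and that its value is the same trial limit the server enforces for the other login mechanisms; otherwise CRAM-MD5 ends up with a different attempt budget than plain LOGIN.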
@@ -153,7 +153,7 @@
/* get password */
if (p = auth_md5_pwd ((authuser && *authuser) ? authuser : user)) {
pl = strlen (p);
- u = (md5try && strcmp (hash,hmac_md5 (chal,cl,p,pl))) ? NIL : user;
+ u = (md5try && !strcmp (hash,hmac_md5 (chal,cl,p,pl))) ? user : NIL;
memset (p,0,pl); /* erase sensitive information */
fs_give ((void **) &p); /* flush erased password */
/* now log in for real */
...
if(...) {
md5try--
}
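Review bot: the `+` line is the actual fix: in the old expression, once md5try reached 0 the `&&` was false and the ternary fell through to `user`, so an exhausted counter granted the login without the digest ever being checked. The new form yields `user` only when tries remain and strcmp reports a match, and NIL in every other case. Two things to confirm outside this hunk: that the elided `if(...) { md5try-- }` decrements only on a failed compare, so a successful login does not burn the counter, and that nothing resets or bypasses md5try between calls, since with the fail-closed form a zero counter must always produce NIL.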

Before, the logic looks like:

If (you have login attempts remaining AND your password is wrong), THEN treat as no user, ELSE load your user.

So the way you beat it was by using up all your login attempts, and then the last one would work.
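The control-flow bug described in the comment above, as an added example that is not code from the page or from the uw-imap source. It models the `-` and `+` lines of the hunk as two predicates driven by a shared attempt counter and checks how each behaves once the counter is exhausted. Two assumptions are labelled in the code: `stub_hmac()` stands in for `hmac_md5()` (the digest is modelled as the password string itself, since the bug is in the ternary, not in the MAC), and the decrement of `md5try` is placed on the failure path, which the comment only sketches as `if(...) { md5try-- }`. `MAXLOGINTRIALS` is given the value 3 to match the literal the patch removes.

```c
#include <stdio.h>
#include <string.h>

#define NIL ((char *)0)
/* Assumption: the patch replaces a literal 3 with this constant, so use 3. */
#define MAXLOGINTRIALS 3

/* Stand-in for hmac_md5(): the real server compares the client's CRAM-MD5
   digest with HMAC-MD5(challenge, password).  Constructed for this example:
   the "digest" is simply the password, so the predicate can be exercised
   without an MD5 implementation. */
static const char *stub_hmac(const char *password)
{
    return password;
}

/* Vulnerable predicate (the '-' line of the hunk).  When md5try is 0 the
   && is false, so the ternary yields `user` without looking at the digest. */
static char *auth_old(int *md5try, const char *hash, const char *password, char *user)
{
    char *u = (*md5try && strcmp(hash, stub_hmac(password))) ? NIL : user;
    /* Assumption: the elided code decrements the counter on a failed attempt. */
    if (!u && *md5try > 0)
        (*md5try)--;
    return u;
}

/* Fixed predicate (the '+' line).  `user` only when tries remain AND the
   digest matches; NIL in every other case, so an exhausted counter fails closed. */
static char *auth_new(int *md5try, const char *hash, const char *password, char *user)
{
    char *u = (*md5try && !strcmp(hash, stub_hmac(password))) ? user : NIL;
    if (!u && *md5try > 0)
        (*md5try)--;
    return u;
}

typedef char *(*auth_fn)(int *, const char *, const char *, char *);

/* Send `bad_attempts` wrong digests, then one more wrong digest.
   Returns 1 if that final wrong digest was accepted, 0 if it was rejected. */
static int wrong_digest_accepted(auth_fn fn, int bad_attempts)
{
    int md5try = MAXLOGINTRIALS;
    char user[] = "alice";                     /* constructed sample account */
    const char *password = "correct-horse";    /* constructed sample secret */
    const char *wrong = "wrong-digest";
    for (int i = 0; i < bad_attempts; i++)
        fn(&md5try, wrong, password, user);
    return fn(&md5try, wrong, password, user) != NIL;
}

/* Fresh counter, correct digest on the first try: both predicates must accept. */
static int right_digest_accepted(auth_fn fn)
{
    int md5try = MAXLOGINTRIALS;
    char user[] = "alice";
    const char *password = "correct-horse";
    return fn(&md5try, password, password, user) != NIL;
}

int main(void)
{
    printf("old logic, wrong digest after %d failures: accepted=%d\n",
           MAXLOGINTRIALS, wrong_digest_accepted(auth_old, MAXLOGINTRIALS));
    printf("new logic, wrong digest after %d failures: accepted=%d\n",
           MAXLOGINTRIALS, wrong_digest_accepted(auth_new, MAXLOGINTRIALS));
    printf("old logic, wrong digest after %d failures: accepted=%d\n",
           MAXLOGINTRIALS - 1, wrong_digest_accepted(auth_old, MAXLOGINTRIALS - 1));
    return 0;
}
```

The guard `*md5try > 0` on the decrement is deliberate: if the counter were allowed to go negative it would again be nonzero, and even the corrected predicate would start accepting correct digests after the limit, which is the kind of regression a test like `wrong_digest_accepted` is meant to catch.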

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds