On Sat, May 22, 2004 at 09:51:13AM +0100, Matthew Byng-Maddick wrote:
> On Fri, May 21, 2004 at 10:30:25PM -0600, Dan Egli wrote:
> > login_cram:
> > driver = cram_md5
> > public_name = CRAM-MD5
> > server_secret = ${if saslauthd{{$1}{$2}}{1}{0}}
> > server_set_id = $1
>
> As I pointed out (to Marc Perkel) in:
> http://www.exim.org/pipermail/exim-users/Week-of-Mon-20040426/070670.html
> this is a major problem. Anyone who wants to relay through Dan's (and
> Marc's) server should log in with any username (eg. "myfakedupusername", but
> anything will work) and password "0", making sure they use the CRAM-MD5
> mechanism. You should then be authenticated, and you'll probably be able
> to relay as a result.
Quite. To be absolutely explicit, Dan, the problem with the CRAM-MD5
authenticator, the difference between it and the other two, is that the
password lookup returns its result to the server_secret parameter rather
than to the server_condition parameter.
If the username/password pair is invalid, then that string expansion
returns 0. If you set server_condition to 0, that forces an
authenticator to fail. If you set server_secret to 0, well, you're
telling Exim that the password for whichever id was passed in is 0.
0 is a perfectly legitimate password. So anybody can authenticate if
they present a nonexistent user id and a password of 0.
Given that a) this is a known danger of poorly configured Exim
authentication and b) someone wishing to abuse your mail service usually
starts out by finding out which MTA you are running, such an attack is
not as unlikely as you might think (not even taking into account the
fact that you've advertised your mistake on this list).
What you need to do for the CRAM-MD5 authenticator is force failure of
the expansion. That will then force the authenticator to fail.
--
Bruce
I unfortunately do not know how to turn cheese into gold.
