On Fri, Jan 04, 2008 at 07:13:54PM +0100, Luk Claes wrote:
> >>
> >> CVE-2007-2165[0]:
> >> | The Auth API in ProFTPD before 20070417, when multiple simultaneous
> >> | authentication modules are configured, does not require that the
> >> | module that checks authentication is the same as the module that
> >> | retrieves authentication data, which might allow remote attackers to
> >> | bypass authentication, as demonstrated by use of SQLAuthTypes
> >> | Plaintext in mod_sql, with data retrieved from /etc/passwd.
> >>
> >>
[...]
> >
> > Yes, indeed I pointed that months ago to secteam without so much
> > interest due to the nature of the issue I think. I can prepare
> > a new version for a point release anyway starting from 1.2.10-22,
> > and limiting the changes to a specific patch. Maybe I should have
> > a sec update of the time somewhere, too...
>
> Please send a diff. Thanks already.
>
> Cheers
>
> Luk
>
>
Here you are.
--
Francesco P. Lovergine
diff -urN proftpd-dfsg-1.3.0/debian/changelog 1.3.0-19etch1/debian/changelog
--- proftpd-dfsg-1.3.0/debian/changelog 2008-01-15 12:10:39.000000000 +0100
+++ 1.3.0-19etch1/debian/changelog 2008-01-15 11:55:24.000000000 +0100
@@ -1,3 +1,9 @@
+proftpd-dfsg (1.3.0-19etch1) stable; urgency=low
+
+ * [SECURITY] Added patch auth_cache.dpatch. It fixes CVE-2007-2165.
+
+ -- Francesco Paolo Lovergine <[EMAIL PROTECTED]> Tue, 15 Jan 2008 11:50:31
+0100
+
proftpd-dfsg (1.3.0-19) unstable; urgency=high
* Updated NEWS and README.Debian in order to document SQL backend engine
configuration.
diff -urN proftpd-dfsg-1.3.0/debian/patches/00list
1.3.0-19etch1/debian/patches/00list
--- proftpd-dfsg-1.3.0/debian/patches/00list 2008-01-15 12:10:39.000000000
+0100
+++ 1.3.0-19etch1/debian/patches/00list 2008-01-15 11:55:24.000000000 +0100
@@ -15,3 +15,4 @@
SA22803
SA23141
CORE-2006-1127
+auth_cache
diff -urN proftpd-dfsg-1.3.0/debian/patches/auth_cache.dpatch
1.3.0-19etch1/debian/patches/auth_cache.dpatch
--- proftpd-dfsg-1.3.0/debian/patches/auth_cache.dpatch 1970-01-01
01:00:00.000000000 +0100
+++ 1.3.0-19etch1/debian/patches/auth_cache.dpatch 2008-01-15
12:12:17.000000000 +0100
@@ -0,0 +1,435 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## auth_cache.dpatch by Francesco Paolo Lovergine <[EMAIL PROTECTED]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
[EMAIL PROTECTED]@
+diff -urNad proftpd-dfsg-1.3.0~/include/auth.h
proftpd-dfsg-1.3.0/include/auth.h
+--- proftpd-dfsg-1.3.0~/include/auth.h 2008-01-15 11:55:52.000000000 +0100
++++ proftpd-dfsg-1.3.0/include/auth.h 2008-01-15 12:08:25.000000000 +0100
+@@ -86,6 +86,7 @@
+ config_rec *pr_auth_get_anon_config(pool *p, char **, char **, char **);
+
+ /* For internal use only. */
++int init_auth(void);
+ int set_groups(pool *, gid_t, array_header *);
+
+ #endif /* PR_MODULES_H */
+diff -urNad proftpd-dfsg-1.3.0~/modules/mod_core.c
proftpd-dfsg-1.3.0/modules/mod_core.c
+--- proftpd-dfsg-1.3.0~/modules/mod_core.c 2008-01-15 12:07:35.000000000
+0100
++++ proftpd-dfsg-1.3.0/modules/mod_core.c 2008-01-15 12:08:25.000000000
+0100
+@@ -4403,6 +4403,8 @@
+ config_rec *c = NULL;
+ unsigned int *debug_level = NULL;
+
++ init_auth();
++
+ /* Check for a server-specific TimeoutIdle. */
+ c = find_config(main_server->conf, CONF_PARAM, "TimeoutIdle", FALSE);
+ if (c != NULL)
+diff -urNad proftpd-dfsg-1.3.0~/src/auth.c proftpd-dfsg-1.3.0/src/auth.c
+--- proftpd-dfsg-1.3.0~/src/auth.c 2008-01-15 11:55:52.000000000 +0100
++++ proftpd-dfsg-1.3.0/src/auth.c 2008-01-15 12:08:25.000000000 +0100
+@@ -30,6 +30,10 @@
+
+ #include "conf.h"
+
++static pool *auth_pool = NULL;
++static pr_table_t *auth_tab = NULL;
++static const char *trace_channel = "auth";
++
+ /* The difference between this function, and pr_cmd_alloc(), is that this
+ * allocates the cmd_rec directly from the given pool, whereas pr_cmd_alloc()
+ * will allocate a subpool from the given pool, and allocate its cmd_rec
+@@ -63,28 +67,53 @@
+ return c;
+ }
+
+-static modret_t *dispatch_auth(cmd_rec *cmd, char *match) {
+- authtable *authtab = NULL;
++static modret_t *dispatch_auth(cmd_rec *cmd, char *match, module **m) {
++ authtable *start_tab = NULL, *iter_tab = NULL;
+ modret_t *mr = NULL;
+
+- authtab = pr_stash_get_symbol(PR_SYM_AUTH, match, NULL,
++ start_tab = pr_stash_get_symbol(PR_SYM_AUTH, match, NULL,
+ &cmd->stash_index);
++ iter_tab = start_tab;
+
+- while (authtab) {
++ while (iter_tab) {
++ pr_signals_handle();
++
++ if (m && *m && *m != iter_tab->m) {
++ goto next;
++ }
++
+ pr_log_debug(DEBUG6, "dispatching auth request \"%s\" to module mod_%s",
+- match, authtab->m->name);
++ match, iter_tab->m->name);
+
+- mr = call_module(authtab->m, authtab->handler, cmd);
++ mr = call_module(iter_tab->m, iter_tab->handler, cmd);
+
+- if (authtab->auth_flags & PR_AUTH_FL_REQUIRED)
++ if (iter_tab->auth_flags & PR_AUTH_FL_REQUIRED)
+ break;
+
+ if (MODRET_ISHANDLED(mr) ||
+- MODRET_ISERROR(mr))
++ MODRET_ISERROR(mr)) {
++
++ /* Return a pointer, if requested, to the module which answered the
++ * auth request. This is used, for example, by auth_getpwnam() for
++ * associating the answering auth module with the data looked up.
++ */
++ if (m)
++ *m = iter_tab->m;
++
+ break;
++ }
+
+- authtab = pr_stash_get_symbol(PR_SYM_AUTH, match, authtab,
++ next:
++ iter_tab = pr_stash_get_symbol(PR_SYM_AUTH, match, iter_tab,
+ &cmd->stash_index);
++
++ if (iter_tab == start_tab) {
++ /* We have looped back to the start. Break out now and do not loop
++ * around again (and again, and again...)
++ */
++ mr = DECLINED(cmd);
++ break;
++ }
+ }
+
+ return mr;
+@@ -95,7 +124,7 @@
+ modret_t *mr = NULL;
+
+ cmd = make_cmd(p, 0);
+- mr = dispatch_auth(cmd, "setpwent");
++ mr = dispatch_auth(cmd, "setpwent", NULL);
+
+ if (cmd->tmp_pool) {
+ destroy_pool(cmd->tmp_pool);
+@@ -110,13 +139,20 @@
+ modret_t *mr = NULL;
+
+ cmd = make_cmd(p, 0);
+- mr = dispatch_auth(cmd, "endpwent");
++ mr = dispatch_auth(cmd, "endpwent", NULL);
+
+ if (cmd->tmp_pool) {
+ destroy_pool(cmd->tmp_pool);
+ cmd->tmp_pool = NULL;
+ }
+
++ if (auth_tab) {
++ pr_log_debug(DEBUG5, "emptying authcache");
++ (void) pr_table_empty(auth_tab);
++ (void) pr_table_free(auth_tab);
++ auth_tab = NULL;
++ }
++
+ return;
+ }
+
+@@ -125,7 +161,7 @@
+ modret_t *mr = NULL;
+
+ cmd = make_cmd(p, 0);
+- mr = dispatch_auth(cmd, "setgrent");
++ mr = dispatch_auth(cmd, "setgrent", NULL);
+
+ if (cmd->tmp_pool) {
+ destroy_pool(cmd->tmp_pool);
+@@ -140,7 +176,7 @@
+ modret_t *mr = NULL;
+
+ cmd = make_cmd(p, 0);
+- mr = dispatch_auth(cmd, "endgrent");
++ mr = dispatch_auth(cmd, "endgrent", NULL);
+
+ if (cmd->tmp_pool) {
+ destroy_pool(cmd->tmp_pool);
+@@ -156,7 +192,7 @@
+ struct passwd *res = NULL;
+
+ cmd = make_cmd(p, 0);
+- mr = dispatch_auth(cmd, "getpwent");
++ mr = dispatch_auth(cmd, "getpwent", NULL);
+
+ if (MODRET_ISHANDLED(mr) && MODRET_HASDATA(mr))
+ res = mr->data;
+@@ -190,7 +226,7 @@
+ struct group *res = NULL;
+
+ cmd = make_cmd(p, 0);
+- mr = dispatch_auth(cmd, "getgrent");
++ mr = dispatch_auth(cmd, "getgrent", NULL);
+
+ if (MODRET_ISHANDLED(mr) && MODRET_HASDATA(mr))
+ res = mr->data;
+@@ -217,11 +253,13 @@
+ cmd_rec *cmd = NULL;
+ modret_t *mr = NULL;
+ struct passwd *res = NULL;
++ module *m = NULL;
+
+ cmd = make_cmd(p, 1, name);
+- mr = dispatch_auth(cmd, "getpwnam");
++ mr = dispatch_auth(cmd, "getpwnam", &m);
+
+- if (MODRET_ISHANDLED(mr) && MODRET_HASDATA(mr))
++ if (MODRET_ISHANDLED(mr) &&
++ MODRET_HASDATA(mr))
+ res = mr->data;
+
+ if (cmd->tmp_pool) {
+@@ -246,6 +284,46 @@
+ return NULL;
+ }
+
++ if (!auth_tab && auth_pool) {
++ auth_tab = pr_table_alloc(auth_pool, 0);
++ }
++
++ if (m && auth_tab) {
++ int count = 0;
++ void *value = NULL;
++
++ value = palloc(auth_pool, sizeof(module *));
++ *((module **) value) = m;
++
++ count = pr_table_exists(auth_tab, name);
++ if (count <= 0) {
++ if (pr_table_add(auth_tab, pstrdup(auth_pool, name), value,
++ sizeof(module *)) < 0) {
++ pr_log_debug(DEBUG3,
++ "error adding module 'mod_%s.c' for user '%s' to the authcache: %s",
++ m->name, name, strerror(errno));
++
++ } else {
++ pr_log_debug(DEBUG5,
++ "stashed module 'mod_%s.c' for user '%s' in the authcache",
++ m->name, name);
++ }
++
++ } else {
++ if (pr_table_set(auth_tab, pstrdup(auth_pool, name), value,
++ sizeof(module *)) < 0) {
++ pr_log_debug(DEBUG3,
++ "error setting module 'mod_%s.c' for user '%s' in the authcache:
%s",
++ m->name, name, strerror(errno));
++
++ } else {
++ pr_log_debug(DEBUG5,
++ "stashed module 'mod_%s.c' for user '%s' in the authcache",
++ m->name, name);
++ }
++ }
++ }
++
+ pr_log_debug(DEBUG10, "retrieved UID %lu for user '%s'",
+ (unsigned long) res->pw_uid, name);
+ return res;
+@@ -257,7 +335,7 @@
+ struct passwd *res = NULL;
+
+ cmd = make_cmd(p, 1, (void *) &uid);
+- mr = dispatch_auth(cmd, "getpwuid");
++ mr = dispatch_auth(cmd, "getpwuid", NULL);
+
+ if (MODRET_ISHANDLED(mr) && MODRET_HASDATA(mr))
+ res = mr->data;
+@@ -295,7 +373,7 @@
+ struct group *res = NULL;
+
+ cmd = make_cmd(p, 1, name);
+- mr = dispatch_auth(cmd, "getgrnam");
++ mr = dispatch_auth(cmd, "getgrnam", NULL);
+
+ if (MODRET_ISHANDLED(mr) && MODRET_HASDATA(mr))
+ res = mr->data;
+@@ -328,7 +406,7 @@
+ struct group *res = NULL;
+
+ cmd = make_cmd(p, 1, (void *) &gid);
+- mr = dispatch_auth(cmd, "getgrgid");
++ mr = dispatch_auth(cmd, "getgrgid", NULL);
+
+ if (MODRET_ISHANDLED(mr) && MODRET_HASDATA(mr))
+ res = mr->data;
+@@ -358,10 +436,51 @@
+ int pr_auth_authenticate(pool *p, const char *name, const char *pw) {
+ cmd_rec *cmd = NULL;
+ modret_t *mr = NULL;
++ module *m = NULL;
+ int res = PR_AUTH_NOPWD;
+
+ cmd = make_cmd(p, 2, name, pw);
+- mr = dispatch_auth(cmd, "auth");
++
++ /* First, check for the mod_auth_pam.c module.
++ *
++ * PAM is a bit of hack in this Auth API, because PAM only provides
++ * yes/no checks, and is not a source of user information.
++ */
++ m = pr_module_get("mod_auth_pam.c");
++ if (m) {
++ pr_log_debug(DEBUG4,
++ "using module 'mod_auth_pam.c' to authenticate user '%s'", name);
++
++ mr = dispatch_auth(cmd, "auth", &m);
++
++ if (MODRET_ISHANDLED(mr)) {
++ res = MODRET_HASDATA(mr) ? PR_AUTH_RFC2228_OK : PR_AUTH_OK;
++
++ if (cmd->tmp_pool) {
++ destroy_pool(cmd->tmp_pool);
++ cmd->tmp_pool = NULL;
++ }
++
++ return res;
++ }
++
++ m = NULL;
++ }
++
++ if (auth_tab) {
++
++ /* Fetch the specific module to be used for authenticating this user. */
++ void *v = pr_table_get(auth_tab, name, NULL);
++ if (v) {
++ m = *((module **) v);
++
++ pr_log_debug(DEBUG4,
++ "using module 'mod_%s.c' from authcache to authenticate user '%s'",
++ m->name, name);
++ }
++ }
++
++ mr = dispatch_auth(cmd, "auth", m ? &m : NULL);
+
+ if (MODRET_ISHANDLED(mr))
+ res = MODRET_HASDATA(mr) ? PR_AUTH_RFC2228_OK : PR_AUTH_OK;
+@@ -380,10 +499,51 @@
+ int pr_auth_check(pool *p, const char *cpw, const char *name, const char *pw)
{
+ cmd_rec *cmd = NULL;
+ modret_t *mr = NULL;
++ module *m = NULL;
+ int res = PR_AUTH_BADPWD;
+
+ cmd = make_cmd(p, 3, cpw, name, pw);
+- mr = dispatch_auth(cmd, "check");
++
++ /* First, check for the mod_auth_pam.c module.
++ *
++ * PAM is a bit of hack in this Auth API, because PAM only provides
++ * yes/no checks, and is not a source of user information.
++ */
++ m = pr_module_get("mod_auth_pam.c");
++ if (m) {
++ pr_log_debug(DEBUG4,
++ "using module 'mod_auth_pam.c' to authenticate user '%s'", name);
++
++ mr = dispatch_auth(cmd, "check", &m);
++
++ if (MODRET_ISHANDLED(mr)) {
++ res = MODRET_HASDATA(mr) ? PR_AUTH_RFC2228_OK : PR_AUTH_OK;
++
++ if (cmd->tmp_pool) {
++ destroy_pool(cmd->tmp_pool);
++ cmd->tmp_pool = NULL;
++ }
++
++ return res;
++ }
++
++ m = NULL;
++ }
++
++ if (auth_tab) {
++
++ /* Fetch the specific module to be used for authenticating this user. */
++ void *v = pr_table_get(auth_tab, name, NULL);
++ if (v) {
++ m = *((module **) v);
++
++ pr_log_debug(DEBUG4,
++ "using module 'mod_%s.c' from authcache to authenticate user '%s'",
++ m->name, name);
++ }
++ }
++
++ mr = dispatch_auth(cmd, "check", m ? &m : NULL);
+
+ if (MODRET_ISHANDLED(mr))
+ res = MODRET_HASDATA(mr) ? PR_AUTH_RFC2228_OK : PR_AUTH_OK;
+@@ -402,7 +562,7 @@
+ int res = TRUE;
+
+ cmd = make_cmd(p, 1, name);
+- mr = dispatch_auth(cmd, "requires_pass");
++ mr = dispatch_auth(cmd, "requires_pass", NULL);
+
+ if (MODRET_ISHANDLED(mr))
+ res = FALSE;
+@@ -427,7 +587,7 @@
+ memset(namebuf, '\0', sizeof(namebuf));
+
+ cmd = make_cmd(p, 1, (void *) &uid);
+- mr = dispatch_auth(cmd, "uid2name");
++ mr = dispatch_auth(cmd, "uid2name", NULL);
+
+ if (MODRET_ISHANDLED(mr) && MODRET_HASDATA(mr)) {
+ res = mr->data;
+@@ -452,7 +612,7 @@
+ memset(namebuf, '\0', sizeof(namebuf));
+
+ cmd = make_cmd(p, 1, (void *) &gid);
+- mr = dispatch_auth(cmd, "gid2name");
++ mr = dispatch_auth(cmd, "gid2name", NULL);
+
+ if (MODRET_ISHANDLED(mr) && MODRET_HASDATA(mr)) {
+ res = mr->data;
+@@ -474,7 +634,7 @@
+ uid_t res = (uid_t) -1;
+
+ cmd = make_cmd(p, 1, name);
+- mr = dispatch_auth(cmd, "name2uid");
++ mr = dispatch_auth(cmd, "name2uid", NULL);
+
+ if (MODRET_ISHANDLED(mr))
+ res = *((uid_t *) mr->data);
+@@ -495,7 +655,7 @@
+ gid_t res = (gid_t) -1;
+
+ cmd = make_cmd(p, 1, name);
+- mr = dispatch_auth(cmd, "name2gid");
++ mr = dispatch_auth(cmd, "name2gid", NULL);
+
+ if (MODRET_ISHANDLED(mr))
+ res = *((gid_t *) mr->data);
+@@ -527,7 +687,7 @@
+ cmd = make_cmd(p, 3, name, group_ids ? *group_ids : NULL,
+ group_names ? *group_names : NULL);
+
+- mr = dispatch_auth(cmd, "getgroups");
++ mr = dispatch_auth(cmd, "getgroups", NULL);
+
+ if (MODRET_ISHANDLED(mr) && MODRET_HASDATA(mr)) {
+ res = *((int *) mr->data);
+@@ -821,3 +981,10 @@
+ return res;
+ }
+
++/* Internal use only. To be called in the session process. */
++int init_auth(void) {
++ auth_pool = make_sub_pool(permanent_pool);
++ pr_pool_tag(auth_pool, "Auth API");
++
++ return 0;
++}
