75941 2004-12-28 12:51 0000 net-misc/hylafax: hfaxd unauthorized login vulnerability 2005-01-11 08:36:44 0000 1 Unclassified Gentoo Security Vulnerabilities unspecified All All RESOLVED FIXED B3 [glsa] koon 20050111 P2 minor --- 1 koon@gentoo.org security@gentoo.org gmsoft@gentoo.org gustavoz@gentoo.org kingtaco@gentoo.org nerdboy@gentoo.org weeve@gentoo.org koon@gentoo.org 2004-12-28 12:51:38 0000 ---------------------------------------- HylaFAX security advisory 11 Jan 2005 Subject: HylaFAX hfaxd unauthorized login vulnerability Introduction: HylaFAX is a mature (est. 1991) enterprise-class open-source software package for sending and receiving facsimiles as well as for sending alpha-numeric pages. It runs on a wide variety of UNIX-like platforms including Linux, BSD (including Mac OS X), SunOS and Solaris, SCO, IRIX, AIX, and HP-UX. See http://www.hylafax.org Problem Description and Impact: HylaFAX hfaxd authenticates users against the hosts.hfaxd database. The first field of a hosts.hfaxd database entry (the "client") has a syntax of "^username@hostname$" where "username" is supplied during the hfaxd protocol exchange, and "hostname" is the official host name or the dotted IP address. Regular expressions are used to match usernames, hostnames, and addresses. By tradition, if the entry does not have the "@" in it, then the entry field is understood to be the full hostname or full dotted IP address - authenticating any user from the specified host. The problem is that hfaxd always authenticates against the hosts.hfaxd entry by comparing the string "username@hostname" with the client field, irrespective of the formatting of the hosts.hfaxd client field. If there is a match (regex) between the string and the client field and no password is required (a subsequent entry field), then the login succeeds. Thus, if an attacker can guess hosts.hfaxd entries that do not contain passwords (and most HylaFAX installations will likely contain "localhost" and "127.0.0.1"), then hfaxd will authenticate the attacker's login attempts if the attacker merely uses a username or configures their hostname to match the hosts.hfaxd entry. Because hfaxd did not verify that hostnames outside of the local domain matched their resolved addresses before trusting them, "localhost" entries are therefore particularly vulnerable to "DNS spoofing". All HylaFAX versions as far back as 4.0pl0 (1996) are vulnerable to unauthorized remote access of HylaFAX services when there are hosts.hfaxd entries without passwords. HylaFAX installations are likely to have hosts.hfaxd entries without passwords, as it is the default. Status: HylaFAX.org has released HylaFAX version 4.2.1 which includes changes to hfaxd to keep it from erroniously matching usernames against hostname entries and verifying that hostnames match their resolved addresses before trusting them. All HylaFAX users are strongly encouraged to upgrade. The HylaFAX 4.2.1 source code is available at ftp://ftp.hylafax.org/source/hylafax-4.2.1.tar.gz In the event that upgrading to 4.2.1 is not appropriate, the patch to fix HylaFAX hfaxd is available at http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=610 In the event that both patching and upgrading are not possible then firewalling techniques restricting access to port 4559 are strongly encouraged. Administrators may also consider adding passwords to all entries in the hosts.hfaxd database that do not contain them. Although no abuse of this vulnerability is known to HylaFAX development, recent postings to the public HylaFAX.org mailing lists have indicated problems with hosts.hfaxd entries that are associated with this vulnerability. As any serious investigation into the nature of those problems would expose the vulnerability, this prompt response has been made. Effect: Some HylaFAX installations may actually utilize the weak hostname and username validation for authorized uses, although contrary to hosts.hfaxd documentation. For example, hosts.hfaxd entries that may be common are 192.168.0 username:uid:pass:adminpass user@host After updating, these entries will need to be changed in order to continue to function. Respectively, the correct entries should be 192.168.0.[0-9]+ username@:uid:pass:adminpass user@host Unless such maching of "username" with "otherusername" and "host" with "hostname" is desired, the proper form of these entries should include the delimiter and markers like this @192.168.0.[0-9]+$ ^username@:uid:pass:adminpass ^user@host$ Thanks: Many thanks go to Patrice Fournier of iFAX Solutions for discovery of the vulnerability (24 December) and the controlled reporting of it. Thanks also go to Aidan Van Dyk of iFAX Solutions, whom I assisted, for developing the final fix (28 December). Lee Howard HylaFAX developer ------------------------------ koon@gentoo.org 2004-12-28 12:53:00 0000 Coordinated disclosure on 11 Jan 2005. koon@gentoo.org 2004-12-28 12:54:18 0000 Created an attachment (id=47051) hylafax-hostvuln.patch Patch for 4.2.0 koon@gentoo.org 2005-01-03 03:03:34 0000 Another confidential vulnerability for you, Steve... You need to prepare and test and new ebuild for hylafax with the attached patch, but please do not commit it to CVS, it must remain confidential for now. You can attach a tar with everything (ebuild and patch file) to this bug, and we'll call specific people in arches to test it so that hopefully it can be committed stable on the coordinated release date. kingtaco@gentoo.org 2005-01-05 18:05:42 0000 --- hylafax-4.2.0-r1.ebuild.orig 2005-01-05 20:03:46.120374101 -0600 +++ hylafax-4.2.0-r1.ebuild 2005-01-05 20:04:48.900910664 -0600 @@ -33,6 +33,7 @@ epatch ${FILESDIR}/${P}-faxcron_uid.patch epatch ${FILESDIR}/${P}-tiff_version.patch epatch ${FILESDIR}/configure-gcc-3.4.patch + epatch ${FILESDIR}/hylafax-hostvuln.patch } src_compile() { this works on amd64. I won't commit it to the tree per your request nerdboy@gentoo.org 2005-01-05 19:06:51 0000 The patch tests out on x86 okay as well. I leave for a conference on Saturday, so KingTaco will commit the -r2 ebuild if we don't do it before I leave. koon@gentoo.org 2005-01-06 00:57:33 0000 Weeve or Gustavo: could you please test the patched ebuild and ensure it builds properly (and works) on sparc too ? Guy: You can also test for hppa and report success/failure here. The idea is to commit 4.2.0-r2 directly as KEYWORDS="x86 sparc hppa ~alpha ~amd64 ~ppc" on 2005/01/11. gmsoft@gentoo.org 2005-01-06 12:47:03 0000 I had to add a -fPIC fix to make it compile on my hppa. I've added it for all arches (see #55238). koon@gentoo.org 2005-01-10 01:55:30 0000 Everyone : would be a good thing to be ready for the big date tomorrow with that one. weeve/gustavoz: please test on sparc and report success kingtaco: will you be available and ready to commit it tomorrow ? gustavoz@gentoo.org 2005-01-10 05:10:25 0000 Green light for sparc. kingtaco@gentoo.org 2005-01-10 06:42:44 0000 just let me know when you want it to go in, I'll be available after 1700 CST(gmt-6) koon@gentoo.org 2005-01-11 00:37:04 0000 kingtaco: it might be a good idea to add an ewarn about the hosts.hfaxd file losing backward compatibility. See "effect" in the Hylafax advisory draft. It's not up on the Hylafax site yet, so we must wait for the time being. vorlon@gentoo.org 2005-01-11 03:23:20 0000 http://www.hylafax.org/cgi-bin/cvsweb.cgi/~checkout~/CHANGES * fix CAN-2004-1182: hfaxd client/server authentication vulnerability (10 Jan 2005) [...] koon@gentoo.org 2005-01-11 07:20:11 0000 It's officially out : http://marc.theaimsgroup.com/?l=hylafax&m=110545119911558&w=2 kingtaco: please commit the 4.2.0-r2 ebuild ASAP with KEYWORDS="x86 sparc hppa ~alpha ~amd64 ~ppc" kingtaco@gentoo.org 2005-01-11 07:36:08 0000 in cvs, stable on amd64 as well. koon@gentoo.org 2005-01-11 08:36:44 0000 GLSA 200501-21 47051 2004-12-28 12:54 0000 hylafax-hostvuln.patch hylafax-hostvuln.patch text/plain ZGlmZiAtTnJ1IGh5bGFmYXgtNC4yLjAub3JpZy9oZmF4ZC9JbmV0RmF4U2VydmVyLmMrKyBoeWxh ZmF4LTQuMi4wL2hmYXhkL0luZXRGYXhTZXJ2ZXIuYysrCi0tLSBoeWxhZmF4LTQuMi4wLm9yaWcv aGZheGQvSW5ldEZheFNlcnZlci5jKysJTW9uIERlYyAyNyAxNDoxMDowOSAyMDA0CisrKyBoeWxh ZmF4LTQuMi4wL2hmYXhkL0luZXRGYXhTZXJ2ZXIuYysrCVR1ZSBEZWMgMjggMTA6NDk6NTIgMjAw NApAQCAtMTc3LDE2ICsxNzcsMTQgQEAKIC8qCiAgKiBDaGVjayBob3N0IGlkZW50aXR5IHJldHVy bmVkIGJ5IGdldGhvc3RieWFkZHIgdG8KICAqIHdlZWQgb3V0IGNsaWVudHMgdHJ5aW5nIHRvIHNw b29mIHVzICh0aGlzIGlzIG1vc3RseQotICogYSBzYW5pdHkgY2hlY2s7IGl0J3Mgc3RpbGwgdHJp dmlhbCB0byBzcG9vZikuCi0gKiBJZiB0aGUgbmFtZSByZXR1cm5lZCBieSBnZXRob3N0YnlhZGRy IGlzIGluIG91ciBkb21haW4sCi0gKiBsb29rIHVwIHRoZSBuYW1lIGFuZCBjaGVjayB0aGF0IHRo ZSBwZWVyJ3MgYWRkcmVzcworICogYSBzYW5pdHkgY2hlY2s7IGlmIHRoZXkgaGF2ZSBmdWxsIGNv bnRyb2wgb2YgRE5TCisgKiB0aGV5IGNhbiBzdGlsbCBzcG9vZikKKyAqIExvb2sgdXAgdGhlIG5h bWUgYW5kIGNoZWNrIHRoYXQgdGhlIHBlZXIncyBhZGRyZXNzCiAgKiBjb3JyZXNwb25kcyB0byB0 aGUgaG9zdCBuYW1lLgogICovCiBib29sCiBJbmV0RmF4U2VydmVyOjpjaGVja0hvc3RJZGVudGl0 eShob3N0ZW50KiYgaHApCiB7Ci0gICAgaWYgKCFpc0xvY2FsRG9tYWluKGhwLT5oX25hbWUpKQkJ Ly8gbm90IGxvY2FsLCBkb24ndCBjaGVjawotCXJldHVybiAodHJ1ZSk7CiAgICAgZnhTdHIgbmFt ZShocC0+aF9uYW1lKTsJCQkvLyBtdXN0IGNvcHkgc3RhdGljIHZhbHVlCiAgICAgaHAgPSBTb2Nr ZXQ6OmdldGhvc3RieW5hbWUobmFtZSk7CiAgICAgaWYgKGhwKSB7CmRpZmYgLU5ydSBoeWxhZmF4 LTQuMi4wLm9yaWcvaGZheGQvVXNlci5jKysgaHlsYWZheC00LjIuMC9oZmF4ZC9Vc2VyLmMrKwot LS0gaHlsYWZheC00LjIuMC5vcmlnL2hmYXhkL1VzZXIuYysrCU1vbiBEZWMgMjcgMTQ6MTA6MjEg MjAwNAorKysgaHlsYWZheC00LjIuMC9oZmF4ZC9Vc2VyLmMrKwlUdWUgRGVjIDI4IDExOjAwOjMy IDIwMDQKQEAgLTEzNiwxNiArMTM2LDI2IEBACiAJICogbXVzdCBzdXBwbHkuICBUaGUgbmV4dCBm aWVsZCBpcyB0aGUgcGFzc3dvcmQgdGhhdAogCSAqIG11c3QgYmUgcHJlc2VudGVkIHRvIGdhaW4g YWRtaW5pc3RyYXRpdmUgcHJpdmlsZWdlcy4KIAkgKgorCSAqIElmIHRoZSByZWdleCBpcyBhIHNp bmdsZSB3b3JkIChubyBAIHNpZ24pLCB3ZSB0YWtlIGl0CisJICogYXMgYSBob3N0IG9ubHkgc2hv cnQgZm9ybSBmb3IgKF5bXkBdKkA8aW5wdXQ+CisJICoKIAkgKiBJZiB0aGUgZmlyc3QgY2hhcmFj dGVyIG9mIHRoZSA8cmVnZXg+IGlzIGEgYGAhJycKIAkgKiB0aGVuIHRoZSBsaW5lIHNwZWNpZmll cyB1c2VyKHMpIHRvIGRpc2FsbG93OyBhIG1hdGNoCiAJICogY2F1c2VzIHRoZSB1c2VyIHRvIGJl IHJlamVjdGVkIHcvbyBhIHBhc3N3b3JkIHByb21wdC4KIAkgKiBUaGlzIGZhY2lsaXR5IGlzIG1h aW5seSBmb3IgYmFja3dhcmRzIGNvbXBhdGliaWxpdHkuCiAJICovCiAJY2hhciogY3A7CisJYm9v bCB1c2VyYW5kaG9zdCA9IGZhbHNlOwogCWZvciAoY3AgPSBsaW5lOyAqY3AgJiYgKmNwICE9ICc6 JzsgY3ArKykKLQkgICAgOworCSAgICBpZiAoKmNwID09ICdAJykgdXNlcmFuZGhvc3QgPSB0cnVl OworCiAJY29uc3QgY2hhciogYmFzZSA9ICZsaW5lW2xpbmVbMF0gPT0gJyEnXTsKLQlSRSBwYXQo YmFzZSwgY3AtYmFzZSk7CisJZnhTdHIgcGF0dGVybihiYXNlLCBjcC1iYXNlKTsKKwlpZiAoISB1 c2VyYW5kaG9zdCkgeworCSAgICBwYXR0ZXJuLmluc2VydCgiXi4qQCIpOworCSAgICBwYXR0ZXJu LmFwcGVuZCgiJCIpOworCX0KKwlSRSBwYXQocGF0dGVybik7CiAJaWYgKGxpbmVbMF0gPT0gJyEn KSB7CQkvLyBkaXNhbGxvdyBhY2Nlc3Mgb24gbWF0Y2gKIAkgICAgaWYgKHBhdC5GaW5kKGRvdGZv cm0pIHx8IHBhdC5GaW5kKGhvc3Rmb3JtKSkKIAkJcmV0dXJuIChmYWxzZSk7Cg==