From: Florian Weimer <fw@deneb.enyo.de>
To: vendor-sec@lst.de
Subject: [vendor-sec] Weak auto-generated passwords in Mailman
Date: Tue, 14 Dec 2004 18:34:27 +0100
Message-ID: <87llc0u6l8.fsf@deneb.enyo.de>
X-Mailman-Version: 2.0.11
List-Id: Security Response Team <security-response-team.redhat.com>
ReSent-Date: Wed, 15 Dec 2004 08:55:35 +0000 (GMT)
ReSent-From: Mark J Cox <mark@redhat.com>
ReSent-To: jdennis@redhat.com
ReSent-Subject: [vendor-sec] Weak auto-generated passwords in Mailman
ReSent-Message-ID: <0412150855350.21879@dell1.moose.awe.com>
Content-Type: text/plain; charset=us-ascii

Hi,

do you have a trusted contact to the Mailman developers? Their home page doesn't seem to list a security contact, and the lead developer appears to have changed (I'm not sure if Barry is still in charge).

Mailman 2.1.5 uses weak auto-generated passwords for new subscribers. These passwords are assigned when members subscribe without specifying their own password (either by email or the web frontend). Knowledge of this password allows an attacker to gain access to the list archive even though she's not a member and the archive is restricted to members only. The idea of storing sensitive data in Mailman archives seems to be a bit crazy, but unfortunately, it is common practice.
Here's the password generation algorithm:

    import random

    EMPTYSTRING = ''

    _vowels = ('a', 'e', 'i', 'o', 'u')
    _consonants = ('b', 'c', 'd', 'f', 'g', 'h', 'k', 'm', 'n', 'p',
                   'r', 's', 't', 'v', 'w', 'x', 'z')
    # Every syllable is a consonant/vowel pair in either order:
    # 5 vowels * 17 consonants * 2 orders = 170 syllables.
    _syllables = []
    for v in _vowels:
        for c in _consonants:
            _syllables.append(c+v)
            _syllables.append(v+c)
    del c, v

    def MakeRandomPassword(length=6):
        # Picks syllables with the non-cryptographic `random` module
        # until there are enough characters, then truncates.
        syls = []
        while len(syls) * 2 < length:
            syls.append(random.choice(_syllables))
        return EMPTYSTRING.join(syls)[:length]

This means that only about 5 million different passwords are ever generated, a number that is in the range of brute force attacks -- you only have to guess one subscriber address (which is usually not that hard).

Closing this vulnerability requires three steps:

- Implement stronger password generation (easy because we may assume that the system provides /dev/urandom, and we don't need extreme performance). Increasing the password length is not an option because as far as I know, Python's random number generator is not cryptographically secure. Simple brute force enumeration wouldn't work anymore, but a more elaborate attack involving results of an analysis of the random number generator might still be feasible.

- Provide site administrators with a Python script to reset all passwords to autogenerated ones.

- Remove the password input fields from the web forms. These fields are mostly present for historical reasons. Mailman 2.1 offers a challenge-response mechanism for the most important operations (Mailman 2.0 only had password authentication). This step is not really related to the vulnerability at hand, but I think it's important not to encourage users to add their password to the Mailman database (despite the fine print that tells new members not to use a valuable password).

This vulnerability is currently NOT public. Credits for its discovery belong to ZENDAS (I'm merely coordinating the disclosure). The vulnerability was discovered during a penetration test and has therefore been disclosed to people outside ZENDAS.
However, I don't think the vulnerability will hit a public mailing list soon (or leak to the underground). I'm going to notify a very special closed Mailman list in advance (whose admins and subscribers are trustworthy).

Feel free to forward this message to trusted Mailman developers. It would be helpful if you could provide a time estimate when most of you have updated Mailman packages ready.

Florian

_______________________________________________
Vendor Security mailing list
Vendor Security@lst.de
https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec
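The following is an added example, not part of the message above and not Mailman's own code. It reconstructs the syllable table from the quoted generator to count the exact keyspace behind the "about 5 million" figure (170 syllables, three per six-character password, so 170^3 = 4,913,000 distinct strings, about 22 bits), supplies a heuristic an administrator could use to spot passwords that still have the legacy syllable shape when deciding what the reset script from step two should cover, and shows the kind of replacement generator step one calls for. The replacement uses Python's `secrets` module, which draws from the operating system's CSPRNG (the /dev/urandom the message refers to); the 62-symbol alphabet and 12-character length are this example's own choices, not anything Mailman adopted.

```python
"""Keyspace of the Mailman 2.1.5 syllable generator versus a CSPRNG-based
replacement. Added example; the syllable table is copied from the quoted
generator, everything else is this example's own construction."""
import math
import secrets
import string

_VOWELS = ('a', 'e', 'i', 'o', 'u')
_CONSONANTS = ('b', 'c', 'd', 'f', 'g', 'h', 'k', 'm', 'n', 'p',
               'r', 's', 't', 'v', 'w', 'x', 'z')
SYLLABLES = []
for _v in _VOWELS:
    for _c in _CONSONANTS:
        SYLLABLES.append(_c + _v)
        SYLLABLES.append(_v + _c)
_SYLLABLE_SET = frozenset(SYLLABLES)
# Letters that can start a syllable (all 22 of them), relevant when an
# odd length truncates the final syllable to its first character.
_FIRST_LETTERS = frozenset(s[0] for s in SYLLABLES)


def legacy_keyspace(length=6):
    """Number of distinct strings MakeRandomPassword(length) can return.

    Every syllable is exactly two characters, so a password splits
    uniquely into pairs; an odd trailing character is the first letter
    of a truncated syllable.
    """
    pairs, odd = divmod(length, 2)
    return len(SYLLABLES) ** pairs * (len(_FIRST_LETTERS) if odd else 1)


def legacy_bits(length=6):
    """Effective entropy of the legacy generator in bits."""
    return math.log2(legacy_keyspace(length))


def looks_autogenerated(password):
    """Heuristic for an admin audit: True if the string could have been
    produced by the legacy generator (it also matches a user-chosen
    password that happens to be built from those syllables, e.g. 'banana',
    so treat a hit as 'reset candidate', not proof)."""
    if not password:
        return False
    pairs = [password[i:i + 2] for i in range(0, len(password) - 1, 2)]
    if any(p not in _SYLLABLE_SET for p in pairs):
        return False
    if len(password) % 2 and password[-1] not in _FIRST_LETTERS:
        return False
    return True


# Replacement generator (example's own alphabet and length).
_STRONG_ALPHABET = string.ascii_letters + string.digits   # 62 symbols


def make_strong_password(length=12):
    """Uniform choice from the OS CSPRNG via the secrets module."""
    return ''.join(secrets.choice(_STRONG_ALPHABET) for _ in range(length))


def strong_bits(length=12):
    """Entropy in bits of make_strong_password(length)."""
    return length * math.log2(len(_STRONG_ALPHABET))


if __name__ == '__main__':
    print('legacy 6-char keyspace :', legacy_keyspace(6),
          '(%.1f bits)' % legacy_bits(6))
    print('replacement 12-char    : %.1f bits' % strong_bits(12))
    print('sample replacement     :', make_strong_password())
    for pw in ('pesaki', 'Tr0ub4dor'):
        print('%-10s legacy-shaped: %s' % (pw, looks_autogenerated(pw)))
```

Run it to see the two numbers side by side: the legacy generator's 22 bits are searchable by an attacker who knows a subscriber address, whereas 12 characters from a 62-symbol alphabet give about 71 bits. The heuristic is deliberately coarse; since the message's own remedy is to reset every auto-generated password, a false positive costs one extra reset rather than a missed weak credential.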