fedora 24
access weakness #49


Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which can have unintended consequences if exploited by malicious actors. An example of this weakness is when a default username and password are set by the developer but are never changed by the system administrator.

Warning code(s):

If this call fails, the program could fail to drop heightened privileges.

File Name:

imap-2007f/src/osdep/nt/env_nt.c

Context:

The highlighted line of code below is the trigger point of this particular Fedora 24 access weakness; the surrounding function begins before and continues beyond the excerpt shown.

     if (GetLastError() != ERROR_SUCCESS) return NIL;
  }

				/* cretins still haven't given up */
  if ((strlen (user) >= MAILTMPLEN) ||
      (authuser && (strlen (authuser) >= MAILTMPLEN)))
    syslog (LOG_ALERT,"SYSTEM BREAK-IN ATTEMPT, host=%.80s",tcp_clienthost ());
  else if (logtry > 0) {	/* still have available logins? */
				/* authentication user not supported */
    if (authuser && *authuser && compare_cstring (authuser,user))
      mm_log ("Authentication id must match authorization id",ERROR);
    if (check_nt ()) {		/* NT: authserver_login() call not supported */
      if (!pass) mm_log ("Unsupported authentication mechanism",ERROR);
      else if ((		/* try to login and impersonate the guy */
#ifdef LOGIN32_LOGON_NETWORK
		LogonUser (user,".",pass,LOGON32_LOGON_NETWORK,
			   LOGON32_PROVIDER_DEFAULT,&hdl) ||
#endif
		LogonUser (user,".",pass,LOGON32_LOGON_INTERACTIVE,
			   LOGON32_PROVIDER_DEFAULT,&hdl) ||
		LogonUser (user,".",pass,LOGON32_LOGON_BATCH,
			   LOGON32_PROVIDER_DEFAULT,&hdl) ||
		LogonUser (user,".",pass,LOGON32_LOGON_SERVICE,
			   LOGON32_PROVIDER_DEFAULT,&hdl)) &&
	       ImpersonateLoggedOnUser (hdl)) return env_init (user,NIL);
    }
    else {			/* Win9x: done if from authserver_login() */
      if (!pass) server_nli = NIL;
				/* otherwise check MD5 database */
      else if (s = auth_md5_pwd (user)) {
				/* change NLI state based on pwd match */
	server_nli = strcmp (s,pass);
	memset (s,0,strlen (s));/* erase sensitive information */
	fs_give ((void **) &s);	/* flush erased password */
      }
				/* success if no longer NLI */
      if (!server_nli) return env_init (user,NIL);
    }
  }
  s = (logtry-- > 0) ? "Login failure" : "Excessive login attempts";
				/* note the failure in the syslog */
  syslog (LOG_INFO,"%s user=%.80s host=%.80s",s,user,tcp_clienthost ());
  sleep (3);			/* slow down possible cracker */
  return NIL;
}

/* Authenticated server log in
 * Accepts: user name string
 *	    authentication user name string
 *	    argument count 
