Re: buffer overflows in cracklib?!

From: Rick Byers (rickbat_private)
Date: Mon Dec 15 1997 - 07:23:01 PST


    I just spoke with Alec Muffett, the author of cracklib, and he pointed me
    to the new version (2.6) on his homepage:
    http://www.users.dircon.co.uk/~crypto/.  I still see a lot of strcpy's,
    but that particular one is no longer a problem, and I haven't had the time
    to check the whole thing out thoroughly.  CERT is supposed to be releasing
    an advisory about it soon...
            Rick
    
    On Sun, 14 Dec 1997, Jon Lewis wrote:
    
    > While looking at compiling the latest shadow utils with cracklib support,
    > I was kind of surprised when gcc complained about things like:
    >
    > fascist.c:220: warning: passing arg 2 of `strcpy' makes pointer from
    > integer without a cast
    >
    > strcpy in security software...hmm....so I took a look at fascist.c and was
    > pretty surprised to find:
    >
    > char gbuffer[STRINGSIZE];
    > ...
    > strcpy(gbuffer, Lowercase(pwp->pw_gecos));
    >
    > STRINGSIZE is defined in cracklib/packer.h:#define STRINGSIZE    256
    >
    > So...to test this, I used chfn on a Red Hat 4.2 system to set my full-name
    > to a string of about 300+ chars, and tried to change my passwd.
    >
    > $ chfn
    > Changing finger information for jlewis.
    > Password:
    > Name [hmm]:
    > 11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
    > Office []:
    > Office Phone []:
    > Home Phone []:
    >
    > Finger information changed.
    > $ passwd
    > Changing password for jlewis
    > (current) UNIX password:
    > New UNIX password:
    > Segmentation fault
    > $
    >
    > I took a look at Aleph One's Smashing the Stack paper, but got nowhere
    > since chfn (at least on RH 4.2) won't let me have control characters in
    > the gecos field.  Still, shouldn't cracklib be fixed?  I'm not installing
    > it without some sprintf->snprintf mods.
    >
    > ------------------------------------------------------------------
    >  Jon Lewis <jlewisat_private>  |  Unsolicited commercial e-mail will
    >  Network Administrator       |  be proof-read for $199/message.
    >  Florida Digital Turnpike    |
    > ______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
    >
    
    =========================================================================
    Rick Byers                                      Internet Access Worldwide
    rickbat_private                                              System Admin
    University of Waterloo, Computer Science                    (905)714-1400
    http://www.iaw.on.ca/rickb/                         http://www.iaw.on.ca/
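An added example (my own C, not cracklib's code) of a bounded replacement for the `strcpy(gbuffer, Lowercase(pwp->pw_gecos))` pattern Jon quotes: it keeps cracklib's STRINGSIZE bound, always NUL-terminates, and reports truncation, so a 300-character gecos field like the one from his chfn test cannot overrun gbuffer. The function names, the second buffer-length argument and the constructed input are my own assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define STRINGSIZE 256   /* same bound cracklib/packer.h uses for gbuffer */

/* Bounded replacement for strcpy(gbuffer, Lowercase(pwp->pw_gecos)).
 * Lowercases at most size-1 bytes of gecos into gbuffer, always
 * NUL-terminates, and returns 1 if the field had to be truncated,
 * i.e. the case that overran gbuffer with the unbounded strcpy.
 * Declaring a prototype like this one is also what removes the
 * "makes pointer from integer without a cast" warning gcc emits
 * when a function is called with no prototype in scope. */
int copy_gecos_lowercase(char *gbuffer, size_t size, const char *gecos)
{
    size_t len = strlen(gecos);
    int truncated = len >= size;
    size_t n = truncated ? size - 1 : len;
    for (size_t i = 0; i < n; i++)
        gbuffer[i] = (char)tolower((unsigned char)gecos[i]);
    gbuffer[n] = '\0';
    return truncated;
}

/* Run the bounded copy through a STRINGSIZE buffer and hand back the
 * resulting length, so the bound can be checked without the caller
 * managing a buffer of its own. */
size_t bounded_gecos_len(const char *gecos)
{
    char gbuffer[STRINGSIZE];
    copy_gecos_lowercase(gbuffer, sizeof gbuffer, gecos);
    return strlen(gbuffer);
}

/* Constructed input: a 300-character gecos like the one set via chfn. */
const char *constructed_long_gecos(void)
{
    static char gecos[301];
    memset(gecos, '1', 300);
    gecos[300] = '\0';
    return gecos;
}

int main(void)
{
    char gbuffer[STRINGSIZE];
    int t = copy_gecos_lowercase(gbuffer, sizeof gbuffer, "Jon Lewis,Room 1");
    printf("short gecos: \"%s\" truncated=%d\n", gbuffer, t);
    t = copy_gecos_lowercase(gbuffer, sizeof gbuffer, constructed_long_gecos());
    printf("300-char gecos: kept %zu bytes, truncated=%d\n", strlen(gbuffer), t);
    return 0;
}
```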
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:36:06 PDT