Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0

From: Nate Eldredge (neldredgeat_private)
Date: Sun Jul 22 2001 - 06:14:25 PDT

    On 21 Jul 2001, Dale Southard wrote:
    
    > Sshd should probably be constraining its match to the length of the
    > crypt() output rather than the length of the password file entry.  [I
    > say ``probably'' here because some systems (AIX) seem to produce null
    > password file hashes when `passwd` is given a null password.  If that
    > behavior is due to the underlying crypt() function, then the
    > ``probably'' suggestion I just made yields remote root on those
    > systems.]
    
    What's wrong with just using `strcmp' (i.e. no constraint at all)?  After
    all, what you want to know is just whether the two strings are identical,
    period.  And unless crypt() and /etc/shadow are both broken, it will stop 
    at the right place.  I realize it goes against the reflexive "only strn*
    functions are safe" idea, but that shouldn't substitute for thinking...
    
    -- 
    
    Nate Eldredge
    neldredgeat_private
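The three comparison strategies discussed in this thread, side by side, as an added example (this is not sshd's code and not code from either poster); the hash strings are passed in already computed so it runs without crypt(), and the sample values are constructed.

```c
#include <stdbool.h>
#include <string.h>

/* Added example: compare a password-file hash field against the hash
 * freshly computed from the supplied password.  `stored` is the field from
 * the password/shadow file, `computed` stands in for crypt(password, stored).
 * Both are passed in as strings so this runs without linking libcrypt. */

/* Comparison bounded by the stored entry's length, which is what the thread
 * says sshd does.  An empty stored field makes strncmp compare zero bytes,
 * so any password "matches"; a short field (e.g. just a salt) matches any
 * computed hash that begins with the same characters. */
bool match_bounded_by_stored(const char *stored, const char *computed)
{
    return strncmp(stored, computed, strlen(stored)) == 0;
}

/* Dale Southard's suggestion: bound by the crypt() output length instead.
 * This closes the empty/short stored-field case, but if crypt() itself can
 * return "" for a null password (the AIX caveat in the thread) the bound is
 * zero and everything matches again. */
bool match_bounded_by_computed(const char *stored, const char *computed)
{
    return strncmp(stored, computed, strlen(computed)) == 0;
}

/* Nate Eldredge's point: plain strcmp asks exactly the right question, "are
 * the two strings identical?", and stops at the NUL of whichever string is
 * shorter.  Neither an empty stored field nor an empty crypt() result can
 * match a non-empty counterpart. */
bool match_exact(const char *stored, const char *computed)
{
    return strcmp(stored, computed) == 0;
}
```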
    

This archive was generated by hypermail 2b30 : Mon Jul 23 2001 - 10:06:24 PDT