Bugtraq mailing list archives

Digital Unix, daemons and the SIA authentication library.


From: pcl () foo oucs ox ac uk (Paul C Leyland)
Date: Mon, 10 Jun 1996 12:06:57 +0100


Since my claim on Bugtraq that DEC's C2 authentication libraries are
buggy as shipped but that a patch is available, I've had a couple of
mails asking for clarification.  Here's a lightly-edited response to one
of those requests.  Hope this helps everyone else running Digital Unix.
At the end is a nice example of how to use the SIA routines in your own
code.

You indicated you run "C2" in DEC 3.2.c.  Since I run 3.2.c also, I
need to see if my problem is the same.  Do you use the TCB password
system or the /etc/password configuration?  My initial testing on our
TCB system indicates there is no problem here.  Am I missing
something?

We use the TCB authorization system.  We also use the password-changing
callout mechanism to feed proposed new passwords through a slightly
modified Cracklib.  (That's not relevant to the particular issue under
discussion but I strongly recommend it if you haven't already
implemented it).

A test is to build wuftp2.4, linking with the SIA libraries.  You need
to apply the appended patches to ensure that the authentication
libraries get used.  Create a dummy account and ensure that it is
disabled for a few minutes after a few unsuccessful attempts at the
password.

Connect to the new wuftpd from elsewhere, giving the dummy username
enough times to trip the lock-out and deliberately give the wrong
password every time.  Check that the account has been locked out for the
requisite number of minutes.  If it has, you're ok.  If it hasn't, start
shouting at DEC.

We first spotted the problem at 3.0FT (i.e., Field Test) and sent in a
QAR.  That was August 1994.  It was still there 15 months later in 3.2c.
We started getting seriously annoyed after someone successfully broke in
by feeding trial passwords to our ftpd.  The fixes came out in early
December last year.

I will leave it to others to comment on the relative time delays
(approximately 20:1) between first report, first exploit and first fix.


Paul


*** Makefile~   Fri Apr 01 20:03:27 1994
--- Makefile    Fri Aug 26 16:56:13 1994
***************
*** 1,8 ****
  CC       = cc
  IFLAGS   = -I.. -I../support
  LFLAGS   = -L../support -s -x
! CFLAGS   = -O -DDEBUG ${IFLAGS} ${LFLAGS}
! LIBES    = -lsupport
  LIBC     = /lib/libc.a
  LINTFLAGS=
  LKERB    = -lauth -lckrb -lkrb -ldes
--- 1,8 ----
  CC       = cc
  IFLAGS   = -I.. -I../support
  LFLAGS   = -L../support -s -x
! CFLAGS   = -O -DDEBUG -DOSF_AUTH ${IFLAGS} ${LFLAGS}
! LIBES    = -lsecurity -lsupport
  LIBC     = /lib/libc.a
  LINTFLAGS=
  LKERB    = -lauth -lckrb -lkrb -ldes
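Review bot: `-DOSF_AUTH` and `-lsecurity` are added unconditionally to CFLAGS and LIBES, so this Makefile now builds only on Digital Unix even though the ULTRIX_AUTH and Kerberos variants (`LKERB`) are still carried in the same file. Consider keeping the OSF pieces in separate variables, e.g. `AUTHFLAGS = -DOSF_AUTH` and `AUTHLIBS = -lsecurity`, selected per platform the way LKERB already is, and add a comment saying that OSF_AUTH selects the SIA code path in ftpd.c.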

*** ftpd.c.orig Fri Aug 26 14:21:04 1994
--- ftpd.c      Fri Aug 26 16:44:12 1994
***************
*** 110,115 ****
--- 110,120 ----
  #include <sys/svcinfo.h>
  #endif

+ #ifdef OSF_AUTH
+ #include <sia.h>
+ #include <siad.h>
+ #endif
+
  #ifdef HAVE_DIRENT
  #include <dirent.h>
  #else
***************
*** 247,252 ****
--- 252,261 ----
  int ultrix_check_pass(char *passwd, char *xpasswd);
  #endif

+ #ifdef OSF_AUTH
+ int OSF_check_pass(char *passwd);
+ #endif
+
  /* ls program commands and options for lreplies on and off */
  char  ls_long[50];
  char  ls_short[50];
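Review bot: the prototype `int OSF_check_pass(char *passwd);` does not match the function this patch defines and calls, which is the lowercase `osf_check_pass` (defined `static` later in the patch); C identifiers are case-sensitive, so this declaration is dead and the real function is called with no prior declaration. Change it to `static int osf_check_pass(char *passwd);` so the declaration, definition and call agree and the static linkage is declared before first use.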
***************
*** 1012,1017 ****
--- 1021,1028 ----

  #ifdef ULTRIX_AUTH
          if ((numfails = ultrix_check_pass(passwd, xpasswd)) < 0) {
+ #elif defined(OSF_AUTH)
+       if (osf_check_pass(passwd) < 0) {
  #else
          /* The strcmp does not catch null passwords! */
          if (pw == NULL || *pw->pw_passwd == '\0' ||
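Review bot: the ULTRIX branch records the result in `numfails` before testing it, whereas the new `#elif defined(OSF_AUTH)` branch discards the return value of `osf_check_pass(passwd)`; if any code after this block reads `numfails`, the OSF path will leave it unset, so either assign it here too or document that it is only meaningful under ULTRIX_AUTH. Minor: the added `if` line is indented with a tab while the surrounding lines use spaces.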
***************
*** 2816,2818 ****
--- 2827,2885 ----
      return -1;
  }
  #endif /* ULTRIX_AUTH */
+
+ #ifdef OSF_AUTH
+ int sia_collect_null(int timeout, int rendition, unsigned char *title,
+                      int num_prompts, prompt_t *prompt)
+ {
+    return SIACOLSUCCESS;
+ }
+
+ static int
+ osf_check_pass(char *passwd)
+ {
+
+     SIAENTITY *entity = NULL;
+     char uname[32];
+     int auth_status;
+     int argc = 1;
+     char *argv[2];
+
+     argv[0] = "ftpd";
+     argv[1] = (char *) 0;
+     set_auth_parameters(argc, argv);
+
+     (void) strcpy(uname, pw->pw_name);
+
+     auth_status = sia_ses_init(&entity, argc, argv, NULL, uname, NULL, FALSE, NULL);
+     if (auth_status != SIASUCCESS)
+     {
+        syslog(LOG_ERR, "sia_ses_init() failed in osf_check_pass");
+         return -1;
+     }
+
+     if (pw == (struct passwd *) NULL) {
+         return -1;
+     }
+
+     auth_status = sia_ses_authent(sia_collect_null, passwd, entity);
+     if (auth_status != SIASUCCESS)
+         return -1;
+
+     auth_status = sia_ses_estab(sia_collect_null, entity);
+     if (auth_status != SIASUCCESS)
+     {
+        syslog(LOG_WARNING, "sia_ses_estab() failed in osf_check_pass");
+         return -1;
+     }
+
+     auth_status = sia_ses_release(&entity);
+     if (auth_status != SIASUCCESS)
+     {
+        syslog(LOG_ERR, "sia_ses_release() failed in osf_check_pass");
+         return -1;
+     }
+
+     return 0;
+ }
+ #endif /* OSF_AUTH */
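Review bot: `pw` is dereferenced by `(void) strcpy(uname, pw->pw_name);` before the `if (pw == (struct passwd *) NULL)` test, so the check can never catch a NULL `pw`; move the NULL test to the top of `osf_check_pass`, and bound the copy (`uname` is only 32 bytes, and `pw_name` comes from the user-supplied login name), e.g. `strncpy(uname, pw->pw_name, sizeof(uname) - 1); uname[sizeof(uname) - 1] = '\0';`. Also, the early `return -1;` after a failed `sia_ses_authent()` or `sia_ses_estab()` skips `sia_ses_release(&entity)`, so every failed login leaks the SIA session entity; release it on every exit path after a successful `sia_ses_init()`. `sia_collect_null` should be `static` like the function that uses it, and its comment should state that it deliberately returns SIACOLSUCCESS without filling any prompt so the check stays non-interactive.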
