Bugtraq mailing list archives
Re: Buffer Overrun / DOS in /bin/passwd (at least Redhat Linux
From: alecm () CRYPTO DIRCON CO UK (Alec Muffett)
Date: Fri, 19 Dec 1997 20:24:41 +0000
I don't have the time to look into this much further, but it definitely looks scarey. I've tried it on 3 machines, and they all produce the same results.
...
[alex@machine /tmp]$ ./pass [alex@machine /tmp]$ chfn -f $BUFF -p $BUFF -h $BUFF -o $BUFF Changing finger information for alex. Password: Finger information changed.
This is an interesting question; "chfn" used to be a horrible security hole on BSD back in the '80s permitting all sorts of fun and games.... Judicious adjustment of the length of the GECOS field permitted people to tickle a bug in the way password records were processed, such that it appeared to programs doing "getpwnam()" and family that an extra line: :: ...or similar existed in the password file, and so doing % su "" ...allowed a user to "su" to the <empty username> with <empty uid == 0> IE: the equivalent of "su root". It is the memory of this sort of shenanigans that drove me to issuing a patch for CrackLib so quickly in case similar was possible.
[alex@machine /tmp]$ wc /etc/passwd 26 29 2068 /etc/passwd ** At this point, the passwd entry for 'alex' is >48k long **
I found similar syndromes manually extending my GECOS field under Solaris using EMACS, when testinbg the CrackLib patch; anything over 1Kb total record size, perhaps smaller, and my username ``vanished''. The question, I suppose, is: whose fault is it? At what point does a password file entry become "ridiculously long"? My take on this is that allowing users to have "chfn" or any similar function which modifies the password file is a "bad thing" (yes, in certain circumstances, I extend this theory to "/bin/passwd" too) and that the response of sysadmins to users whining about lack of "chfn" (which you deleted for security reasons) should be expressed by staring them in the eye, saying "hard cheese", and fingering a cricket bat ominously... - alec
Current thread:
- Re: CGI security hole in EWS (Excite for Web Servers), (continued)
- Re: CGI security hole in EWS (Excite for Web Servers) carson () tla org (Dec 18)
- Re: SNI-22: RADIUS Advisory Thom Henderson (Dec 18)
- mIRC Worm Aleph One (Dec 18)
- Re: mIRC Worm Nigel Reed (Dec 18)
- Re: mIRC Worm Paul Wilson (Dec 18)
- StackGuard: Automatic Protection From Stack-smashing Attacks Crispin Cowan (Dec 18)
- Re: StackGuard: Automatic Protection From Stack-smashing Attacks Tim Newsham (Dec 19)
- Re: StackGuard: Automatic Protection From Stack-smashing Attacks Theo de Raadt (Dec 19)
- Xotpcalc, version 1.0 Ivan Nejgebauer (Dec 19)
- Buffer Overrun / DOS in /bin/passwd (at least Redhat Linux 4.2) Alex Mottram (Dec 19)
- Re: Buffer Overrun / DOS in /bin/passwd (at least Redhat Linux Alec Muffett (Dec 19)
- f00f.patch (fwd) Ejovi (Dec 19)
- Re: Buffer Overrun / DOS in /bin/passwd (at least Redhat Linux Theo de Raadt (Dec 19)
- Administratrivia Aleph One (Dec 19)