Bugtraq mailing list archives
Re: buffer overflows in cracklib?!
From: rickb () IAW ON CA (Rick Byers)
Date: Mon, 15 Dec 1997 10:23:01 -0500
I just spoke with Alec Muffett, the author of cracklib and he pointed me to the new version (2.6) on his homepage: http://www.users.dircon.co.uk/~crypto/. I still see a lot of strcpy's, but that particular one is no longer a problem, and I havn't had the time to check the whole thing out thoroughly. CERT is supposed to be releasing and advisory about it soon... Rick On Sun, 14 Dec 1997, Jon Lewis wrote:
While looking at compiling the latest shadow utils with cracklib support, I was kind of surprised when gcc complained about things like: fascist.c:220: warning: passing arg 2 of `strcpy' makes pointer from integer without a cast strcpy in security software...hmm....so I took a look at fascist.c and was pretty surprised to find: char gbuffer[STRINGSIZE]; ... strcpy(gbuffer, Lowercase(pwp->pw_gecos)); STRINGSIZE is defined in cracklib/packer.h:#define STRINGSIZE 256 So...to test this, I used chfn on a Red Hat 4.2 system to set my full-name to a string of about 300+ chars, and tried to change my passwd. $ chfn Changing finger information for jlewis. Password: Name [hmm]: 11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 Office []: Office Phone []: Home Phone []: Finger information changed. $ passwd Changing password for jlewis (current) UNIX password: New UNIX password: Segmentation fault $ I took a look at Aleph One's Smashing the Stack paper, but got nowhere since chfn (at least on RH 4.2) won't let me have control characters in the gecos field. Still, shouldn't cracklib be fixed? I'm not installing it without some sprintf->snprintf mods. ------------------------------------------------------------------ Jon Lewis <jlewis () fdt net> | Unsolicited commercial e-mail will Network Administrator | be proof-read for $199/message. Florida Digital Turnpike | ______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
========================================================================= Rick Byers Internet Access Worldwide rickb () iaw on ca System Admin University of Waterloo, Computer Science (905)714-1400 http://www.iaw.on.ca/rickb/ http://www.iaw.on.ca/
Current thread:
- buffer overflows in cracklib?! Jon Lewis (Dec 14)
- Re: buffer overflows in cracklib?! Rick Byers (Dec 15)
- debian pppd chatscript Stephen Hardman (Dec 15)
- Re: debian pppd chatscript TARBY (Dec 16)
- Re: debian pppd chatscript Wichert Akkerman (Dec 16)
- Word Perfect for Linux v7.0.0116 Hans Petter Bieker (Dec 15)
- Re: buffer overflows in cracklib?! Alec Muffett (Dec 15)
- debian pppd chatscript Stephen Hardman (Dec 15)
- Re: buffer overflows in cracklib?! Rick Byers (Dec 15)