Bugtraq mailing list archives

Re: buffer overflows in cracklib?!

From: rickb () IAW ON CA (Rick Byers)
Date: Mon, 15 Dec 1997 10:23:01 -0500


I just spoke with Alec Muffett, the author of cracklib and he pointed me
to the new version (2.6) on his homepage:
http://www.users.dircon.co.uk/~crypto/.  I still see a lot of strcpy's,
but that particular one is no longer a problem, and I havn't had the time
to check the whole thing out thoroughly.  CERT is supposed to be releasing
and advisory about it soon...
        Rick

On Sun, 14 Dec 1997, Jon Lewis wrote:

While looking at compiling the latest shadow utils with cracklib support,
I was kind of surprised when gcc complained about things like:

fascist.c:220: warning: passing arg 2 of `strcpy' makes pointer from
integer without a cast

strcpy in security software...hmm....so I took a look at fascist.c and was
pretty surprised to find:

char gbuffer[STRINGSIZE];
...
strcpy(gbuffer, Lowercase(pwp->pw_gecos));

STRINGSIZE is defined in cracklib/packer.h:#define STRINGSIZE    256

So...to test this, I used chfn on a Red Hat 4.2 system to set my full-name
to a string of about 300+ chars, and tried to change my passwd.

$ chfn
Changing finger information for jlewis.
Password:
Name [hmm]:
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
Office []:
Office Phone []:
Home Phone []:

Finger information changed.
$ passwd
Changing password for jlewis
(current) UNIX password:
New UNIX password:
Segmentation fault
$

I took a look at Aleph One's Smashing the Stack paper, but got nowhere
since chfn (at least on RH 4.2) won't let me have control characters in
the gecos field.  Still, shouldn't cracklib be fixed?  I'm not installing
it without some sprintf->snprintf mods.

------------------------------------------------------------------
 Jon Lewis <jlewis () fdt net>  |  Unsolicited commercial e-mail will
 Network Administrator       |  be proof-read for $199/message.
 Florida Digital Turnpike    |
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____


=========================================================================
Rick Byers                                      Internet Access Worldwide
rickb () iaw on ca                                              System Admin
University of Waterloo, Computer Science                    (905)714-1400
http://www.iaw.on.ca/rickb/                         http://www.iaw.on.ca/

Current thread:

buffer overflows in cracklib?! Jon Lewis (Dec 14)
- Re: buffer overflows in cracklib?! Rick Byers (Dec 15)
  - debian pppd chatscript Stephen Hardman (Dec 15)
    - Re: debian pppd chatscript TARBY (Dec 16)
    - Re: debian pppd chatscript Wichert Akkerman (Dec 16)
  - Word Perfect for Linux v7.0.0116 Hans Petter Bieker (Dec 15)
  - Re: buffer overflows in cracklib?! Alec Muffett (Dec 15)