 | ||||||
| << Previous | INDEX | Search | src | Set bookmark | Go to bookmark | Next >> |
| ||||||
| |||||||||||||||||||||
X-RDate: Mon, 15 Dec 1997 15:22:50 +0500 (ESK) Date: Sun, 14 Dec 1997 03:06:25 -0500 From: Jon Lewis <jlewis@inorganic5.fdt.net> To: BUGTRAQ@NETSPACE.ORG Subject: buffer overflows in cracklib?! While looking at compiling the latest shadow utils with cracklib support, I was kind of surprised when gcc complained about things like: fascist.c:220: warning: passing arg 2 of `strcpy' makes pointer from integer without a cast strcpy in security software...hmm....so I took a look at fascist.c and was pretty surprised to find: char gbuffer[STRINGSIZE]; ... strcpy(gbuffer, Lowercase(pwp->pw_gecos)); STRINGSIZE is defined in cracklib/packer.h:#define STRINGSIZE 256 So...to test this, I used chfn on a Red Hat 4.2 system to set my full-name to a string of about 300+ chars, and tried to change my passwd. $ chfn Changing finger information for jlewis. Password: Name [hmm]: 11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 Office []: Office Phone []: Home Phone []: Finger information changed. $ passwd Changing password for jlewis (current) UNIX password: New UNIX password: Segmentation fault $ I took a look at Aleph One's Smashing the Stack paper, but got nowhere since chfn (at least on RH 4.2) won't let me have control characters in the gecos field. Still, shouldn't cracklib be fixed? I'm not installing it without some sprintf->snprintf mods. ------------------------------------------------------------------ Jon Lewis <jlewis@fdt.net> | Unsolicited commercial e-mail will Network Administrator | be proof-read for $199/message. Florida Digital Turnpike | ______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
| |||||||||||||||||||||