buffer overflows in cracklib?!

Jon Lewis (jlewis@inorganic5.fdt.net)
Sun, 14 Dec 1997 03:06:25 -0500

While looking at compiling the latest shadow utils with cracklib support,
I was kind of surprised when gcc complained about things like:

fascist.c:220: warning: passing arg 2 of `strcpy' makes pointer from
integer without a cast

strcpy in security software...hmm....so I took a look at fascist.c and was
pretty surprised to find:

char gbuffer[STRINGSIZE];
strcpy(gbuffer, Lowercase(pwp->pw_gecos));

STRINGSIZE is defined in cracklib/packer.h:#define STRINGSIZE 256

So...to test this, I used chfn on a Red Hat 4.2 system to set my full-name
to a string of about 300+ chars, and tried to change my passwd.

$ chfn
Changing finger information for jlewis.
Name [hmm]:
Office []:
Office Phone []:
Home Phone []:

Finger information changed.
$ passwd
Changing password for jlewis
(current) UNIX password:
New UNIX password:
Segmentation fault

I took a look at Aleph One's Smashing the Stack paper, but got nowhere
since chfn (at least on RH 4.2) won't let me have control characters in
the gecos field. Still, shouldn't cracklib be fixed? I'm not installing
it without some sprintf->snprintf mods.

Jon Lewis <jlewis@fdt.net> | Unsolicited commercial e-mail will
Network Administrator | be proof-read for $199/message.
Florida Digital Turnpike |
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____