Re: buffer overflows in cracklib?!

Rick Byers (rickb@IAW.ON.CA)
Mon, 15 Dec 1997 10:23:01 -0500

I just spoke with Alec Muffett, the author of cracklib and he pointed me
to the new version (2.6) on his homepage:
http://www.users.dircon.co.uk/~crypto/. I still see a lot of strcpy's,
but that particular one is no longer a problem, and I haven't had the time
to check the whole thing out thoroughly. CERT is supposed to be releasing
an advisory about it soon...
Rick

On Sun, 14 Dec 1997, Jon Lewis wrote:

> While looking at compiling the latest shadow utils with cracklib support,
> I was kind of surprised when gcc complained about things like:
>
> fascist.c:220: warning: passing arg 2 of `strcpy' makes pointer from
> integer without a cast
>
> strcpy in security software...hmm....so I took a look at fascist.c and was
> pretty surprised to find:
>
> char gbuffer[STRINGSIZE];
> ...
> strcpy(gbuffer, Lowercase(pwp->pw_gecos));
>
> STRINGSIZE is defined in cracklib/packer.h:#define STRINGSIZE 256
>
> So...to test this, I used chfn on a Red Hat 4.2 system to set my full-name
> to a string of about 300+ chars, and tried to change my passwd.
>
> $ chfn
> Changing finger information for jlewis.
> Password:
> Name [hmm]:
> 11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
> Office []:
> Office Phone []:
> Home Phone []:
>
> Finger information changed.
> $ passwd
> Changing password for jlewis
> (current) UNIX password:
> New UNIX password:
> Segmentation fault
> $
>
> I took a look at Aleph One's Smashing the Stack paper, but got nowhere
> since chfn (at least on RH 4.2) won't let me have control characters in
> the gecos field. Still, shouldn't cracklib be fixed? I'm not installing
> it without some sprintf->snprintf mods.
>
> ------------------------------------------------------------------
> Jon Lewis <jlewis@fdt.net> | Unsolicited commercial e-mail will
> Network Administrator | be proof-read for $199/message.
> Florida Digital Turnpike |
> ______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
>

=========================================================================
Rick Byers Internet Access Worldwide
rickb@iaw.on.ca System Admin
University of Waterloo, Computer Science (905)714-1400
http://www.iaw.on.ca/rickb/ http://www.iaw.on.ca/
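The bug Jon describes is an unbounded strcpy() of the (user-settable) GECOS field into a fixed 256-byte gbuffer. The following is an added example, not code from this thread or from cracklib, showing the bounded replacement a maintainer would want in place of that strcpy: a copy that lowercases into a caller-sized buffer, always NUL-terminates, and reports whether the source fitted so the caller can refuse or truncate instead of overrunning. STRINGSIZE (256) is the value quoted from packer.h in the thread; copy_gecos_lower(), check_gecos(), make_long_gecos() and the demo_* functions are hypothetical names chosen here, and the 300-character name is constructed to match the chfn test in the message.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

#define STRINGSIZE 256      /* value the thread quotes from cracklib/packer.h */
#define LONG_GECOS_LEN 300  /* constructed: roughly the length of the chfn test name */

/* The pattern under discussion, kept as a comment only:
 *     char gbuffer[STRINGSIZE];
 *     strcpy(gbuffer, Lowercase(pwp->pw_gecos));
 * pw_gecos is chosen by the user via chfn, so nothing bounds the copy.
 */

/* Bounded, lower-casing copy of a GECOS string into dst.  Writes a NUL
 * terminator whenever dstsize > 0 and returns the full source length, so
 * the caller can compare it with dstsize to detect truncation (the same
 * contract snprintf() offers). Hypothetical helper, not cracklib's. */
size_t copy_gecos_lower(char *dst, size_t dstsize, const char *src)
{
    size_t srclen = strlen(src);
    if (dstsize == 0)
        return srclen;
    size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
    for (size_t i = 0; i < n; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[n] = '\0';
    return srclen;
}

/* Fills buf with a constructed GECOS value of `len` '1' characters,
 * i.e. the kind of oversized full name set with chfn in the thread. */
static void make_long_gecos(char *buf, size_t len)
{
    memset(buf, '1', len);
    buf[len] = '\0';
}

/* Copies gecos into gbuffer safely.  Returns 1 when the source did not fit
 * (and was truncated), 0 when it was copied whole. */
int check_gecos(const char *gecos, char gbuffer[STRINGSIZE])
{
    size_t full = copy_gecos_lower(gbuffer, STRINGSIZE, gecos);
    return full >= STRINGSIZE;
}

/* Worked run: a 300-character name leaves STRINGSIZE-1 characters in
 * gbuffer and never writes past it. Returns the length kept (255). */
size_t demo_long_name_length(void)
{
    char gecos[LONG_GECOS_LEN + 1];
    char gbuffer[STRINGSIZE];
    make_long_gecos(gecos, LONG_GECOS_LEN);
    check_gecos(gecos, gbuffer);
    return strlen(gbuffer);
}

/* Same run, returning the truncation flag (1 for the 300-character name). */
int demo_long_name_truncated(void)
{
    char gecos[LONG_GECOS_LEN + 1];
    char gbuffer[STRINGSIZE];
    make_long_gecos(gecos, LONG_GECOS_LEN);
    return check_gecos(gecos, gbuffer);
}

/* Ordinary name: copied whole and lowercased, no truncation reported. */
int demo_short_name_ok(void)
{
    char gbuffer[STRINGSIZE];
    int truncated = check_gecos("Jon Lewis", gbuffer);
    return truncated == 0 && strcmp(gbuffer, "jon lewis") == 0;
}

int main(void)
{
    printf("long name: %zu chars kept, truncated=%d\n",
           demo_long_name_length(), demo_long_name_truncated());
    printf("short name ok: %d\n", demo_short_name_ok());
    return 0;
}
```

Returning the full source length rather than a bare truncated string is deliberate: a password checker that silently clips the GECOS string would still compare the password against only part of the name, so the caller should at least log the truncation, and in a setuid context may prefer to reject the record outright. The same contract is what replacing sprintf with snprintf buys, which is the change Jon asks for at the end of his message.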