Re: buffer overflows in cracklib?!

Alec Muffett (alecm@CRYPTO.DIRCON.CO.UK)
Mon, 15 Dec 1997 20:59:26 +0000

>I just spoke with Alec Muffett, the author of cracklib and he pointed me
>to the new version (2.6) on his homepage:
>http://www.users.dircon.co.uk/~crypto/. I still see a lot of strcpy's,
>but that particular one is no longer a problem, and I havn't had the time
>to check the whole thing out thoroughly. CERT is supposed to be releasing
>and advisory about it soon...

Quite; indeed I enclose the posting I have made about it before in
other forums, and have forwarded to (eg) CERT to pass on "as they see fit".

I watch with interest to see what happens. JANET-CERT have already posted.

In the meantime - yes, there are still a few strcpy's, but I am not up
to rewriting the whole damn thing from scratch in a rush in the wee
hours of the morning and hoping to get it correct - however, fingers
crossed, there should be no avenues for unboundschecked data to leak
into the program and misbehave beyond the capabilities of the code to
control it.

If some clever-clogs *does* find such an attack in the thorough
nitpicking that I expect the new code to receive, I would ask that
they contact me *first*, and give me some time to work on it.

BUGTRAQ may be a full-disclosure list, but it does not have to be a
"shooting your mouth off to prove how very clever you are" list.

This comment is not directed at anyone in particular, I say it merely
to highlight the common courtesy that would have spared my having to
stay up until 3am in the morning getting a patch out.

- alec 8-)

>Following a report on the BUGTRAQ maillist (having received *no* prior
>warning of this from the author of that message, Grrrrr....) I have
>placed patches and a new distribution of CrackLib - the password-sanity
>enforcement library - on my website at the following URL:
>
> http://www.users.dircon.co.uk/~crypto/
>
> MD5-signatures filenames
> -------------- ---------
> 3933d0b56695f38535a5be3b57ccb60f cracklib26_small.diff
> ec0e3714bc95ab2f2352a4438de17e7c cracklib26_small.diff.asc
> 7181205d70afcf75bb2240678b6be855 cracklib26_small.tgz
> 247ad535f3e84bf586f7c31197ad1774 cracklib26_small.tgz.asc
>
>Please check the MD5 signatures before using, to ensure you have the
>correct software.
>
>These are preliminary patches to fix a security hole in CrackLib v2.5
>which *may* be exploitable to obtain root privileges on machines where
>CrackLib is installed as part of a SUID program, such as "/bin/passwd".
>
>This will also impact (eg) Linux systems where CrackLib is part of the
>PAM installation; where you are using a commercial operating system
>that utilises CrackLib, you are advised to contact your vendor for a patch.
>
>I would appreciate feedback from the security community as to the
>efficacy, completeness, and portability of these patches, to the
>properly-adjusted e-mail address, below; I have tested the patches as
>best I can in the timeframe that I have been given, but one can only
>do so much in four hours flat.
>
> - alec ("software, rots.")