Savochkin Andrey Vladimirovich
1997-Jan-27 02:10 UTC
SECURITY: passwd problem (second edition)
[Mod: Other lists removed from the headers. The patch looks okay but I did
not really check it line by line -- alex]
Last night I sent to redhat-list a letter with a patch. After sleeping a little
I found that my patch is not correct enough.
Now I post the new patch and a description of the problem.
In the Red Hat distribution the passwd program uses PAM, namely pam_unix_passwd.so.
This module uses cracklib to check that the password satisfies several conditions.
I found a bug in cracklib which can cause passwd to perform accesses
to random addresses in the task memory.
This can potentially cause a security problem (and passwd of course
doesn't change the password after performing random accesses).
The quick fix of the problem is to disable 'fascist' mode of the pam_unix_passwd
module in pam.conf.
The patch below should be applied to cracklib; then cracklib should
be rebuilt and reinstalled, and then pam_unix_passwd should be rebuilt.
Andrey V. Savochkin
diff -r -u cracklib25_small.orig/cracklib/fascist.c
cracklib25_small/cracklib/fascist.c
--- cracklib25_small.orig/cracklib/fascist.c Mon Jan 27 12:21:13 1997
+++ cracklib25_small/cracklib/fascist.c Mon Jan 27 12:24:28 1997
@@ -223,39 +223,17 @@
wc = 0;
ptr = gbuffer;
- while (*ptr)
+ while (*ptr && wc < STRINGSIZE-1)
{
- while (*ptr && ISSKIP(*ptr))
- {
- ptr++;
- }
-
- if (ptr != gbuffer)
- {
- ptr[-1] = ''\0'';
- }
-
+ while (*ptr && ISSKIP(*ptr)) ptr++;
+ if (!*ptr) break;
uwords[wc++] = ptr;
-
- if (wc == STRINGSIZE)
- {
- uwords[--wc] = (char *) 0; /* to hell with it */
- break;
- } else
- {
- uwords[wc] = (char *) 0;
- }
-
- while (*ptr && !ISSKIP(*ptr))
- {
- ptr++;
- }
-
- if (*ptr)
- {
- *(ptr++) = ''\0'';
- }
+ while (*ptr && !ISSKIP(*ptr)) ptr++;
+ if(*ptr) *ptr++ = ''\0'';
}
+ if (!wc) return ((char *) 0);
+ uwords[wc] = (char *) 0;
+
#ifdef DEBUG
for (i = 0; uwords[i]; i++)
{
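Review bot: the part of this hunk that actually closes the hole is the unconditional `uwords[wc] = (char *) 0;` after the loop together with the `wc < STRINGSIZE-1` cap in the loop header: the old code only wrote the terminating null pointer inside the loop body, so an input that never entered the loop (an empty `gbuffer`) left `uwords[0]` unset, as far as the visible lines show, for the `for (i = 0; uwords[i]; i++)` walk that follows. Two things to confirm before merging: the new early `if (!wc) return ((char *) 0);` is only right if a null return from this function means "no objection" on every other return path, otherwise drop it and let the empty, terminated `uwords` fall through; and removing `ptr[-1] = '\0';` relies on `*ptr++ = '\0';` terminating each word, which holds because every stored word is followed either by a separator that gets overwritten or by the buffer's own terminator. Style: `if(*ptr) *ptr++ = '\0';` and the one-line `while` bodies depart from the braced style of the surrounding code; at least put a space after `if`.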
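An added example (not cracklib's code and not part of Savochkin's post) that isolates the word-splitting logic the patch changes: an in-place tokenizer that stores at most STRINGSIZE-1 word pointers and writes the terminating null pointer unconditionally, so a walk over the word list stops even when the input is empty or consists only of separators. The STRINGSIZE value, is_skip(), the demo_* functions and the sample strings are constructed for this example; cracklib's real sizes and separator set are not on the page.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed size for this example; cracklib's real STRINGSIZE is not on the page. */
#define STRINGSIZE 8

/* Plays the role of cracklib's ISSKIP(): characters that separate words (assumed set). */
static int is_skip(unsigned char c)
{
    return isspace(c) || c == ',' || c == '.';
}

/*
 * Split buf in place into NUL-terminated words.  At most STRINGSIZE-1
 * pointers are stored in words[], and words[count] is always set to NULL,
 * even when no word was found.  Returns the number of words stored.
 */
size_t split_words(char *buf, char *words[STRINGSIZE])
{
    size_t wc = 0;
    char *ptr = buf;

    while (*ptr && wc < STRINGSIZE - 1) {
        while (*ptr && is_skip((unsigned char)*ptr)) ptr++;  /* skip separators */
        if (!*ptr) break;                                    /* trailing separators: no empty word */
        words[wc++] = ptr;
        while (*ptr && !is_skip((unsigned char)*ptr)) ptr++; /* find end of word */
        if (*ptr) *ptr++ = '\0';                             /* terminate the word in place */
    }
    words[wc] = NULL;  /* unconditional: a walk over words[] always stops */
    return wc;
}

/* Case-insensitive check of a candidate against every split word. */
int matches_any_word(const char *candidate, char *const words[])
{
    for (size_t i = 0; words[i]; i++)
        if (strcasecmp(candidate, words[i]) == 0) return 1;
    return 0;
}

/* Constructed input: empty field.  Returns 1 if the list is well-formed. */
int demo_empty_field(void)
{
    char buf[] = "";
    char *words[STRINGSIZE];
    size_t n = split_words(buf, words);
    return n == 0 && words[0] == NULL;
}

/* Constructed input: separators at both ends and doubled in the middle. */
int demo_trailing_separators(void)
{
    char buf[] = "  John  Q. Public,  ";
    char *words[STRINGSIZE];
    size_t n = split_words(buf, words);
    return n == 3 && strcmp(words[0], "John") == 0 && strcmp(words[1], "Q") == 0
        && strcmp(words[2], "Public") == 0 && words[3] == NULL
        && matches_any_word("public", words) && !matches_any_word("quincy", words);
}

/* Constructed input: more words than the array can hold. */
int demo_too_many_words(void)
{
    char buf[] = "a b c d e f g h i j k l";  /* 12 words, cap is STRINGSIZE-1 = 7 */
    char *words[STRINGSIZE];
    size_t n = split_words(buf, words);
    return n == STRINGSIZE - 1 && words[n] == NULL;
}

int main(void)
{
    printf("empty field: %s\n", demo_empty_field() ? "ok" : "BAD");
    printf("trailing separators: %s\n", demo_trailing_separators() ? "ok" : "BAD");
    printf("too many words: %s\n", demo_too_many_words() ? "ok" : "BAD");
    return 0;
}
```

Each demo_* function returns 1 when the word list is well-formed for its input; the empty-field case is the one the original loop could not reach, since it only wrote the terminating null pointer from inside the loop body.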
Hello, it seems that you can kill not only inetd by sending SYN, RST (see previous discussion). See this log; pay attention to the time marks (ip addresses changed).
-------------------------- cut here ----------------------------
11:37:48> telnet somewhere.in.the.world 25
Trying 1.2.3.4...
Connected to somewhere.in.the.world.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
11:37:48> /home/vadim/C/inkill -p 25 somewhere.in.the.world 25
Source host: 10.11.12.13
Destination host: 1.2.3.4
Destination port: 25
Sending SYN packet... Done
Sending RST packet... Done
11:37:48> telnet somewhere.in.the.world 25
Trying 1.2.3.4...
telnet: Unable to connect to remote host: Connection refused
11:37:49> telnet somewhere.in.the.world 25
Trying 1.2.3.4...
telnet: Unable to connect to remote host: Connection refused
11:37:49> telnet somewhere.in.the.world 25
Trying 1.2.3.4...
Connected to somewhere.in.the.world.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
------------------------------------------------------------------------
Interesting behavior, isn't it? Sendmail's version was 8.8.2. If an attacker sends SYN and RST packets every 3 seconds, he can completely disable SMTP...
So it seems that the problem is not only in inetd or sendmail, but in the kernel too, because the same version of sendmail works fine under FreeBSD. I have no Linux at this time, so I can't research the problem by myself.
Any ideas?
Best regards,
Vadim.
--------------------------------------------------------------------------
Vadim Kolontsov                    SysAdm/Programmer
Tver Regional Center of New Information Technologies    Networks Lab
> Interesting behavior, isn't it? Sendmail's version was 8.8.2. If
> attacker will send SYN and RST packets every 3 seconds, he can completely
> disable SMTP...

sendmail 8.8.5 makes a "sleep(5)" if the "accept()" fails. That also makes it possible to make email exchange very hard with relatively few packets.

Florian La Roche