Open Source and information security mailing list archives
 
Message-ID: <20040227164934.13688.qmail@www.securityfocus.com>
Date: 27 Feb 2004 16:49:34 -0000
From: Ollivier Robert <roberto@...tia.freenix.fr>
To: bugtraq@...urityfocus.com
Subject: Re: Calife heap corrupt / potential local root exploit


In-Reply-To: <20040227091921.26210.qmail@....securityfocus.com>

>Calife heap corrupt / potential local root exploit
>--------------------------------------------------
>by Leon Juranic a.k.a DownBload <downbload@...mail.com> / II-Labs
>
>
>Version affected(tested): calife-2.8.4c and calife-2.8.5
>- calife can be found at packages.debian.org, FreeBSD 5.0 (security), ...

Thank you for taking the time to contact me before sending such a mail to Bugtraq.  It is always nice to deal with such nice people [NOT!]

>[downbload@...alhost downbload]$ calife luser
>Password: "A" x 3000
>Password: real_user_password
>Segmentation fault
>[downbload@...alhost downbload]$

Interesting, on which platform?  I just tried that on FreeBSD 4.9 and 5.2 and could not reproduce it.

On Linux/Debian, it does segfault. glibc problem?

>- "A" x 3000 will corrupt the heap.
>- If real_user_password isn't correct, calife will do exit()
>- If attacker wants to exploit calife, there must be at least one user "available" in /etc/calife.auth

Do you have such an exploit?  I'd like to see it.

>            pt_pass = (char *) getpass ("Password:");
>            memset (user_pass, '\0', l_size);
>            strcpy (user_pass, pt_pass); // <- BAD CODE

I could have used strlcpy, but I assumed (and my reading of the FreeBSD source code confirms it) that getpass(3) was doing the size check.

In FreeBSD, it seems not possible to overflow that, as the code verifies the length.

I'll release 2.8.6 today.

Courtesy seems to go down the gutter these days, apparently.

Ollivier, pissed off.
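The disagreement above comes down to who bounds the password: on FreeBSD getpass(3) truncates its result, while the Debian segfault indicates the glibc one hands back the whole line, so `strcpy(user_pass, pt_pass)` is only safe where the libc happens to be kind. The following is an added example, not calife's code and not Ollivier's fix. It simulates both getpass behaviours on the "A" x 3000 input, computes (without performing) how far the original strcpy would run past the buffer, and shows a bounded copy that checks the length itself. The sizes are assumptions: `BSD_PASSWORD_LEN` of 128 for FreeBSD's getpass limit, and `L_SIZE` of 129 for calife's `l_size`, chosen so a FreeBSD-truncated password always fits, consistent with "cannot reproduce on FreeBSD".

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes for this example; the page does not give calife's l_size.
 * L_SIZE is chosen so that a FreeBSD-style getpass() result always fits,
 * which matches the "cannot reproduce on FreeBSD" observation. */
#define BSD_PASSWORD_LEN 128              /* FreeBSD getpass(3) limit (assumption) */
#define L_SIZE (BSD_PASSWORD_LEN + 1)     /* assumed size of user_pass */

/* Constructed input: a password of `count` 'A's, like the "A" x 3000 PoC. */
const char *make_a_password(size_t count)
{
    static char buf[4096];
    if (count > sizeof buf - 1)
        count = sizeof buf - 1;
    memset(buf, 'A', count);
    buf[count] = '\0';
    return buf;
}

/* Simulated glibc-style getpass(): hands back the whole line, however long. */
const char *getpass_unbounded(const char *typed)
{
    return typed;
}

/* Simulated FreeBSD-style getpass(): stores into a fixed static buffer and
 * silently truncates anything past BSD_PASSWORD_LEN. */
const char *getpass_bounded(const char *typed)
{
    static char buf[BSD_PASSWORD_LEN + 1];
    size_t n = strlen(typed);
    if (n > BSD_PASSWORD_LEN)
        n = BSD_PASSWORD_LEN;
    memcpy(buf, typed, n);
    buf[n] = '\0';
    return buf;
}

/* Bytes that `strcpy(user_pass, pt_pass)` would write past an l_size-byte
 * buffer (0 = fits). Computed arithmetically; the overflow is not performed. */
size_t strcpy_overrun(const char *pt_pass, size_t l_size)
{
    size_t needed = strlen(pt_pass) + 1;  /* terminating NUL included */
    return needed > l_size ? needed - l_size : 0;
}

/* Bounded replacement for the strcpy: the caller checks the length itself
 * instead of trusting getpass(3). Returns 0 on success, -1 if it does not
 * fit. user_pass is zeroed first either way, so a rejected copy leaves no
 * partial secret behind. */
int copy_password(char *user_pass, size_t l_size, const char *pt_pass)
{
    size_t n = strlen(pt_pass);
    if (l_size == 0)
        return -1;
    memset(user_pass, '\0', l_size);
    if (n >= l_size)
        return -1;
    memcpy(user_pass, pt_pass, n);
    return 0;
}

/* Runs copy_password() into an L_SIZE-byte buffer and verifies the copy.
 * Returns 1 if the password was accepted and copied intact, 0 if rejected. */
int store_and_verify(const char *pt_pass)
{
    char user_pass[L_SIZE];
    if (copy_password(user_pass, sizeof user_pass, pt_pass) != 0)
        return 0;
    return strcmp(user_pass, pt_pass) == 0;
}

int main(void)
{
    const char *poc = make_a_password(3000);
    printf("glibc-style getpass, strcpy overrun: %zu bytes\n",
           strcpy_overrun(getpass_unbounded(poc), L_SIZE));
    printf("FreeBSD-style getpass, strcpy overrun: %zu bytes\n",
           strcpy_overrun(getpass_bounded(poc), L_SIZE));
    printf("bounded copy of the PoC accepted: %d\n",
           store_and_verify(getpass_unbounded(poc)));
    printf("bounded copy of a normal password accepted: %d\n",
           store_and_verify(getpass_unbounded("correct horse")));
    return 0;
}
```

The point of `copy_password` is that the bound lives next to the copy, so the behaviour no longer depends on which libc's getpass(3) is linked in; the memset before the length check also means a rejected over-long password does not leave a partial copy in the heap buffer.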

