Vulnerability Development mailing list archives
[kiss from HeliSec]: fancylogin : vulnerable or not?
From: kiss <NIKEBOY () RETEMAIL ES>
Date: Fri, 9 Mar 2001 23:22:33 +0100
I have been analyzing fancylogin's sources, and have found some points that could lead to a vulnerability in certain conditions. Here is the first one:

    if ((user = authenticated (username, password, rmthost))!=NULL)
      {
        /*
         * scramble password so that it can't be read out of the
         * core in any circumstances
         */
        int i;
        for (i=0;i<sizeof(password);i++)
          password[i]=rand()%256;
        break;
      }
    else
      draw_faillogon ();

The "scrambling" is weak since rand() is used without a seed, so all numbers that it generates are completely predictable. I don't know how to core dump the program at that point, anyway.

The following is a classic buffer overflow, that can be exploited ONLY if we use a theme with fancylogin that takes about 150 chars as login's input (default just takes 20):

    struct passwd *
    authenticated (char *username, char *password, char *rmthost)
    {
      struct passwd *passwd_entry;
      char errormessage [__MAX_STR_LEN__];
      int x;
      ...................
      /* is the user known to the system? */
      if ((passwd_entry = getpwnam (username)) == NULL)
        {
          sprintf (errormessage, "%s is not known to the system!", username);
          log_message (49998, errormessage);
          log_message (49999, errormessage);
          return NULL;
        }

The "-r" parameter is also vulnerable to buffer overflow, as seen here:

    int main (int argc, char **argv, char **env)
    {
      char username[__LEN_USERNAME__+1]="";
      char password[__LEN_PASSWORD__+1]="";
      char errormsg[__MAX_STR_LEN__];
      char rmthost[__MAX_STR_LEN__];
      ............................
      rmthost[0]='\0';
      if ((argc>=3) && ((strcmp(argv[1], "-r")==0) || (strcmp(argv[1], "-h") ==0)))
        strcpy (rmthost, argv[2]);

It's not very dangerous since fancylogin is not setuid. I don't think this can be remotely exploitable, either.

_kiss_ from HeliSec
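The three weaknesses in the post (unseeded rand() as a memory "scramble", the unbounded sprintf into errormessage, and the unchecked strcpy into rmthost) each have a standard fix. The C below is an added illustration written for this archive page, not code from fancylogin or from the poster: it shows that an unseeded rand() scramble is deterministic, wipes the buffer through a volatile pointer instead, and replaces the two unbounded copies with length-checked versions. The buffer sizes MAX_STR_LEN and LEN_PASSWORD and the sample inputs are constructed stand-ins for fancylogin's __MAX_STR_LEN__ / __LEN_PASSWORD__.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_STR_LEN  256   /* constructed stand-in for __MAX_STR_LEN__ */
#define LEN_PASSWORD 20    /* constructed stand-in for __LEN_PASSWORD__ */

/* The pattern from the post: overwrite the buffer with rand() output.
 * rand() is never seeded, and C guarantees that an unseeded generator
 * behaves exactly as if srand(1) had been called, so the "random" bytes
 * are the same on every run and can be reproduced by anyone. */
static void scramble_with_rand(unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        buf[i] = (unsigned char)(rand() % 256);
}

/* Hardened wipe: zero the buffer through a volatile pointer so the
 * compiler cannot drop the stores as dead writes. On platforms that
 * provide explicit_bzero() or memset_s(), prefer those. */
static void secure_wipe(void *p, size_t len)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (len--)
        *vp++ = 0;
}

/* Returns 1 if two scrambles from the unseeded PRNG state produce
 * identical bytes, i.e. the scramble is fully predictable. */
int rand_scramble_is_predictable(void)
{
    unsigned char a[LEN_PASSWORD], b[LEN_PASSWORD];
    srand(1);                       /* state of a program that never seeded */
    scramble_with_rand(a, sizeof a);
    srand(1);
    scramble_with_rand(b, sizeof b);
    return memcmp(a, b, sizeof a) == 0;
}

/* Returns 1 if secure_wipe leaves no byte of the secret behind. */
int wipe_clears_buffer(void)
{
    char pw[LEN_PASSWORD + 1] = "s3cr3t-pass";   /* constructed sample */
    secure_wipe(pw, sizeof pw);
    for (size_t i = 0; i < sizeof pw; i++)
        if (pw[i] != 0)
            return 0;
    return 1;
}

/* Bounded replacement for sprintf(errormessage, "%s is not known...").
 * snprintf never writes past outlen bytes and always NUL-terminates;
 * the return value is the length the full message would have needed,
 * so a result >= outlen tells the caller the message was truncated. */
int format_unknown_user(char *out, size_t outlen, const char *username)
{
    return snprintf(out, outlen, "%s is not known to the system!", username);
}

/* Returns 1 if a 150-char username (the over-long theme input from the
 * post) is truncated safely inside a MAX_STR_LEN buffer. */
int unknown_user_msg_is_bounded(void)
{
    char msg[MAX_STR_LEN];
    char longname[151];
    memset(longname, 'A', 150);     /* constructed 150-char login input */
    longname[150] = '\0';
    int needed = format_unknown_user(msg, sizeof msg, longname);
    return needed < (int)sizeof msg && msg[strlen(msg)] == '\0'
           && strlen(msg) == 150 + strlen(" is not known to the system!");
}

/* Bounded replacement for strcpy(rmthost, argv[2]): reject input that
 * does not fit rather than silently truncating a hostname.
 * Returns 0 on success, -1 if the argument is too long. */
int copy_rmthost(char *rmthost, size_t rmthost_len, const char *arg)
{
    size_t n = strlen(arg);
    if (n >= rmthost_len)
        return -1;
    memcpy(rmthost, arg, n + 1);
    return 0;
}

int main(void)
{
    char host[MAX_STR_LEN];
    char toolong[MAX_STR_LEN + 10];
    memset(toolong, 'h', sizeof toolong - 1);
    toolong[sizeof toolong - 1] = '\0';
    printf("rand scramble predictable: %d\n", rand_scramble_is_predictable());
    printf("secure wipe cleared buffer: %d\n", wipe_clears_buffer());
    printf("unknown-user message bounded: %d\n", unknown_user_msg_is_bounded());
    printf("copy_rmthost(short host): %d\n", copy_rmthost(host, sizeof host, "mail.example.test"));
    printf("copy_rmthost(too long): %d\n", copy_rmthost(host, sizeof host, toolong));
    return 0;
}
```

The point of rand_scramble_is_predictable() is that the scramble in the original code is not a wipe at all: the same sequence can be regenerated, so the bytes in a core file could be undone. secure_wipe() is what the comment in the original code actually wanted. The two copy helpers keep the behaviour of the original (same message, same destination buffers) while making the buffer size part of the contract.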
Current thread:
- [kiss from HeliSec]: fancylogin : vulnerable or not? kiss (Mar 09)
- Re: [kiss from HeliSec]: fancylogin : vulnerable or not? Martin Macok (Mar 17)