Re: buffer overflows in cracklib?!

[alecm () CRYPTO DIRCON CO UK (Alec Muffett)]

> I just spoke with Alec Muffett, the author of cracklib and he pointed me
> to the new version (2.6) on his homepage:
> http://www.users.dircon.co.uk/~crypto/.  I still see a lot of strcpy's,
> but that particular one is no longer a problem, and I havn't had the time
> to check the whole thing out thoroughly.  CERT is supposed to be releasing
> and advisory about it soon...

Quite; indeed I enclose the posting I have made about it before in
other forums, and have forwarded to (eg) CERT to pass on "as they see fit".

I watch with interest to see what happens.  JANET-CERT have already posted.

In the meantime - yes, there are still a few strcpy's, but I am not up
to rewriting the whole damn thing from scratch in a rush in the wee
hours of the morning and hoping to get it correct - however, fingers
crossed, there should be no avenues for unboundschecked data to leak
into the program and misbehave beyond the capabilities of the code to
control it.

If some clever-clogs *does* find such an attack in the thorough
nitpicking that I expect the new code to receive, I would ask that
they contact me *first*, and give me some time to work on it.

BUGTRAQ may be a full-disclosure list, but it does not have to be a
"shooting your mouth off to prove how very clever you are" list.

This comment is not directed at anyone in particular, I say it merely
to highlight the common courtesy that would have spared my having to
stay up until 3am in the morning getting a patch out.

        - alec  8-)

> Following a report on the BUGTRAQ maillist (having received *no* prior
> warning of this from the author of that message, Grrrrr....) I have
> placed patches and a new distribution of CrackLib - the password-sanity
> enforcement library - on my website at the following URL:
>
>              http://www.users.dircon.co.uk/~crypto/
>
>      MD5-signatures                    filenames
>      --------------                    ---------
>      3933d0b56695f38535a5be3b57ccb60f  cracklib26_small.diff
>      ec0e3714bc95ab2f2352a4438de17e7c  cracklib26_small.diff.asc
>      7181205d70afcf75bb2240678b6be855  cracklib26_small.tgz
>      247ad535f3e84bf586f7c31197ad1774  cracklib26_small.tgz.asc
>
> Please check the MD5 signatures before using, to ensure you have the
> correct software.
>
> These are preliminary patches to fix a security hole in CrackLib v2.5
> which *may* be exploitable to obtain root privileges on machines where
> CrackLib is installed as part of a SUID program, such as "/bin/passwd".
>
> This will also impact (eg) Linux systems where CrackLib is part of the
> PAM installation; where you are using a commercial operating system
> that utilises CrackLib, you are advised to contact your vendor for a patch.
>
> I would appreciate feedback from the security community as to the
> efficacy, completeness, and portability of these patches, to the
> properly-adjusted e-mail address, below; I have tested the patches as
> best I can in the timeframe that I have been given, but one can only
> do so much in four hours flat.
>
>      - alec ("software, rots.")