Bugtraq mailing list archives
Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0
From: Nate Eldredge <neldredge () hmc edu>
Date: Sun, 22 Jul 2001 06:14:25 -0700 (PDT)
On 21 Jul 2001, Dale Southard wrote:
Sshd should probably be constraining its match to the length of the crypt() output rather than the length of the password file entry. [I say ``probably'' here because some systems (AIX) seem to produce null password file hashes when `passwd` is given a null password. If that behavior is due to the underlying crypt() function, then the ``probably'' suggestion I just made yields remote root on those systems.]
What's wrong with just using `strcmp' (i.e. no constraint at all)? After all, what you want to know is just whether the two strings are identical, period. And unless crypt() and /etc/shadow are both broken, it will stop at the right place. I realize it goes against the reflexive "only strn* functions are safe" idea, but that shouldn't substitute for thinking... -- Nate Eldredge neldredge () hmc edu
Current thread:
- URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Stephanie Thomas (Jul 20)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Dan Kaminsky (Jul 20)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Dale Southard (Jul 21)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Nate Eldredge (Jul 23)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Brandon S. Allbery KF8NH (Jul 23)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Dale Southard (Jul 21)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Michal Zalewski (Jul 21)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 j (Jul 21)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Trond Eivind Glomsrød (Jul 23)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Jen B. (Jul 21)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Marcus Meissner (Jul 21)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Florian Weimer (Jul 23)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Thomas Roessler (Jul 23)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Lucian Hudin (Jul 23)
- RE: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Sports (Jul 24)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Thomas Roessler (Jul 23)
(Thread continues...)
- Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0 Dan Kaminsky (Jul 20)