Bugtraq mailing list archives

Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0


From: Nate Eldredge <neldredge () hmc edu>
Date: Sun, 22 Jul 2001 06:14:25 -0700 (PDT)

On 21 Jul 2001, Dale Southard wrote:

> Sshd should probably be constraining its match to the length of the
> crypt() output rather than the length of the password file entry.  [I
> say ``probably'' here because some systems (AIX) seem to produce null
> password file hashes when `passwd` is given a null password.  If that
> behavior is due to the underlying crypt() function, then the
> ``probably'' suggestion I just made yields remote root on those
> systems.]

What's wrong with just using `strcmp' (i.e. no constraint at all)?  After
all, what you want to know is just whether the two strings are identical,
period.  And unless crypt() and /etc/shadow are both broken, it will stop 
at the right place.  I realize it goes against the reflexive "only strn*
functions are safe" idea, but that shouldn't substitute for thinking...

-- 

Nate Eldredge
neldredge () hmc edu
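The three comparison strategies the thread debates, as an added C example that is not from the advisory, from SSH's code, or from either poster. crypt(3) is replaced by a constructed stand-in (fake_crypt) so the file builds without libcrypt, the shadow-style entries are made up, and the AIX behaviour Dale mentions is modelled, as an assumption, as crypt() returning "" for an empty password.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for crypt(3), constructed for this example so it builds without
 * libcrypt: output is the 2-char salt followed by an FNV-1a hash of the
 * password. Assumption modelling the AIX behaviour Dale describes: an empty
 * password produces an empty hash string. */
static void fake_crypt(const char *pw, const char *salt, char *out, size_t n)
{
    unsigned int h = 2166136261u;
    if (pw[0] == '\0') { out[0] = '\0'; return; }
    for (const char *p = pw; *p; p++)
        h = (h ^ (unsigned char)*p) * 16777619u;
    snprintf(out, n, "%.2s%08x", salt, h);
}

/* A constructed shadow-style entry for password "hunter2", salt "ab". */
const char *normal_entry(void)
{
    static char e[32];
    if (e[0] == '\0') fake_crypt("hunter2", "ab", e, sizeof e);
    return e;
}

/* Flawed check (the advisory's bug): bound the comparison by the stored
 * entry's length. An empty entry compares zero bytes and always matches. */
bool check_bounded_by_entry(const char *pw, const char *entry)
{
    char c[32];
    fake_crypt(pw, entry, c, sizeof c);
    return strncmp(entry, c, strlen(entry)) == 0;
}

/* Dale's suggestion: bound by the crypt() output length instead. Still
 * matches an empty entry if crypt() itself returns "" for the candidate. */
bool check_bounded_by_crypt(const char *pw, const char *entry)
{
    char c[32];
    fake_crypt(pw, entry, c, sizeof c);
    return strncmp(entry, c, strlen(c)) == 0;
}

/* Nate's suggestion: plain strcmp, identical end to end or not at all. */
bool check_strcmp(const char *pw, const char *entry)
{
    char c[32];
    fake_crypt(pw, entry, c, sizeof c);
    return strcmp(entry, c) == 0;
}
```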

