Vulnerability Development mailing list archives

[kiss from HeliSec]: fancylogin : vulnerable or not?


From: kiss <NIKEBOY () RETEMAIL ES>
Date: Fri, 9 Mar 2001 23:22:33 +0100

I have been analysing fancylogin's sources, and have found some points that
could lead to a vulnerability in certain conditions.

here is the first one:

         if ((user = authenticated (username, password, rmthost))!=NULL)
                {
                  /*
                   * scramble password so that it can't be read out of the
                   * core in any circumstances
                   */
                  int i;
                  for (i=0;i<sizeof(password);i++)
                    password[i]=rand()%256;
                  break;
                }
              else
                draw_faillogon ();

the "scrambling" is weak since rand() is used without a seed, so all numbers
that it generates are completely predictable. I don't know how to core dump
the program at that point, anyways.

the following is a classic buffer overflow, that can be exploited ONLY if we
use a theme with fancylogin that takes about 150 chars as the login's input
(the default just takes 20):

        struct passwd *
        authenticated (char *username, char *password, char *rmthost)
        {

          struct passwd *passwd_entry;
          char errormessage [__MAX_STR_LEN__];
          int x;

                ...................

          /* is the user known to the system? */
          if ((passwd_entry = getpwnam (username)) == NULL)
            {
              sprintf (errormessage, "%s is not known to the system!", username);
              log_message (49998, errormessage);
              log_message (49999, errormessage);
              return NULL;
            }

"-r" parameter is also vulnerable to buffer overflow, as seen here:

        int
        main (int argc, char **argv, char **env)
        {
          char username[__LEN_USERNAME__+1]="";
          char password[__LEN_PASSWORD__+1]="";
          char errormsg[__MAX_STR_LEN__];
          char rmthost[__MAX_STR_LEN__];

                ............................

          rmthost[0]='\0';
          if ((argc>=3) && ((strcmp(argv[1], "-r")==0) || (strcmp(argv[1], "-h")==0)))
            strcpy (rmthost, argv[2]);

it's not very dangerous since fancylogin is not setuid. I don't think this can
be remotely exploitable, either.


                                        _kiss_ from HeliSec
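The three spots the post points at (the sprintf into errormessage, the strcpy of argv[2] into rmthost, and the rand()-based "scramble" of the password) each have a standard bounded or deterministic replacement. The following is an added example written for this archive page, not fancylogin's own code; the buffer size MAX_STR_LEN, the function names and the sample inputs are constructed for the demonstration and stand in for the project's __MAX_STR_LEN__ and its callers.

```c
/* Added example (not fancylogin's code): bounded versions of the two
 * unbounded copies quoted above, plus a password wipe that does not rely
 * on an unseeded rand(). Sizes and names below are constructed for the demo. */
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stdio.h>
#include <string.h>

#define MAX_STR_LEN 64            /* stand-in for fancylogin's __MAX_STR_LEN__ */

/* Bounded replacement for
 *   sprintf (errormessage, "%s is not known to the system!", username);
 * A 150-char username now truncates the message instead of overrunning
 * the stack buffer. Returns 0 when the message fit, -1 when truncated. */
int format_unknown_user(char *dst, size_t dstlen, const char *username)
{
    int n = snprintf(dst, dstlen, "%s is not known to the system!", username);
    if (n < 0)
        return -1;
    return ((size_t)n < dstlen) ? 0 : -1;
}

/* Bounded replacement for strcpy (rmthost, argv[2]).
 * Rejects an oversize value instead of truncating it, so a shortened
 * hostname never ends up in the logs looking like a valid one.
 * Returns 0 on success, -1 (and an empty dst) when src does not fit. */
int set_rmthost(char *dst, size_t dstlen, const char *src)
{
    size_t n = strnlen(src, dstlen);
    if (n == dstlen) {             /* no terminating NUL within dstlen bytes */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);       /* n + 1 copies the terminator */
    return 0;
}

/* Deterministic wipe of a secret. Writing through a volatile pointer keeps
 * the compiler from dropping the stores as dead (which it may do with a
 * plain memset on a buffer that is never read again), so a core file holds
 * zeros rather than the password or a predictable rand() stream. */
void wipe_secret(char *buf, size_t len)
{
    volatile char *p = buf;
    while (len--)
        *p++ = 0;
}

/* Helper used to check that a wipe actually happened. */
int is_wiped(const char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}

int main(void)
{
    char err[MAX_STR_LEN], host[MAX_STR_LEN];
    char pw[16] = "hunter2";                 /* constructed sample secret */
    char longname[200];                      /* constructed 199-char input */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    printf("short name fits:        %d\n", format_unknown_user(err, sizeof err, "alice"));
    printf("199-char name:          %d (truncated, not overflowed)\n",
           format_unknown_user(err, sizeof err, longname));
    printf("-r gateway.example:     %d\n", set_rmthost(host, sizeof host, "gateway.example"));
    printf("-r 199-char value:      %d (rejected)\n", set_rmthost(host, sizeof host, longname));
    wipe_secret(pw, sizeof pw);
    printf("password wiped:         %d\n", is_wiped(pw, sizeof pw));
    return 0;
}
```

In the setuid-less case the post describes, the payoff of these changes is mostly robustness and clean logging; the same fixes are what would matter if the binary were ever installed setuid or reached through a remote service.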
