Minor Security Hole (ITS#232)
Full_Name: Christian Forster
Version: 1.2.4
OS: Linux
URL:
Submission from: (NULL) (131.188.28.42)
It seems that there is a minor security hole in the file
libraries/liblutil/passwd.c:
The function lutil_passwd(...) does a strncmp() on binary patterns
(salted-md5 and salted-sha1 hashes).
So, if an intruder has access to the stored password hashes, he can
look for those that start with a zero byte. Now it is very easy for him to
construct a random string (= password) that produces another hash (in
conjunction with the corresponding salt) that starts with a zero byte, too.
strncmp() considers both hashes as equal, due to the leading zero byte!
Regards,
Christian Forster
Here's the fix:
--- ldap/libraries/liblutil/passwd.c Wed Jan 20 01:04:51 1999
+++ ldap.patched/libraries/liblutil/passwd.c Thu Jul 15 18:08:43 1999
@@ -98,7 +98,7 @@
lutil_SHA1Final(SHA1digest, &SHA1context);
/* compare */
- rc = strncmp((char *)orig_pass, (char *)SHA1digest,
sizeof(SHA1digest));
+ rc = memcmp((char *)orig_pass, (char *)SHA1digest,
sizeof(SHA1digest));
free(orig_pass);
return(rc);
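Review bot: The switch to memcmp() fixes the NUL-terminator problem, but the visible lines show no check that orig_pass actually holds at least sizeof(SHA1digest) bytes before the compare; where strncmp() would have stopped at a short, NUL-terminated buffer, memcmp() reads all sizeof(SHA1digest) bytes and would run past the end of a decoded value that is shorter than the digest. Suggest verifying the decoded length of orig_pass equals sizeof(SHA1digest) (and failing the compare otherwise) before this line. Also, the `(char *)` casts are no longer needed since memcmp() takes `const void *`.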
@@ -128,7 +128,7 @@
lutil_MD5Final(MD5digest, &MD5context);
/* compare */
- rc = strncmp((char *)orig_pass, (char *)MD5digest,
sizeof(MD5digest));
+ rc = memcmp((char *)orig_pass, (char *)MD5digest,
sizeof(MD5digest));
free(orig_pass);
return ( rc );
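Review bot: Same length concern as the SHA-1 hunk applies here: nothing in these lines shows that orig_pass is at least sizeof(MD5digest) bytes long before memcmp() reads that many bytes, so a short decoded value would be read past its end. On style, the `(char *)` casts are unnecessary with memcmp(), and `return ( rc );` here versus `return(rc);` in the SHA-1 function is inconsistent; pick one form for both.

As an added example (not part of the ITS report or of OpenLDAP's own code) of the comparison behaviour the report describes, assuming 20-byte SHA-1 digests and constructed sample digest bytes rather than real hash output:

```c
#include <stdio.h>
#include <string.h>

#define SHA1_DIGEST_LEN 20   /* length of the SHA1digest buffer in passwd.c */

/* Constructed sample digests (not real SHA-1 output): the stored digest and
 * a candidate digest that share nothing but a leading zero byte. */
static const unsigned char stored_digest[SHA1_DIGEST_LEN] = {
    0x00, 0x8a, 0x13, 0xf7, 0x21, 0x9c, 0x3e, 0x55, 0xd0, 0x4b,
    0x77, 0xe2, 0x19, 0xa6, 0x3d, 0xcb, 0x90, 0x12, 0x6f, 0x84 };
static const unsigned char candidate_digest[SHA1_DIGEST_LEN] = {
    0x00, 0x5c, 0xaa, 0x01, 0xde, 0x47, 0x8b, 0x33, 0x62, 0xf9,
    0x0e, 0x74, 0xb1, 0x28, 0xc5, 0x6a, 0x17, 0xd3, 0x99, 0x40 };
/* A candidate whose first byte is non-zero, to show the ordinary case. */
static const unsigned char other_digest[SHA1_DIGEST_LEN] = {
    0x3f, 0x8a, 0x13, 0xf7, 0x21, 0x9c, 0x3e, 0x55, 0xd0, 0x4b,
    0x77, 0xe2, 0x19, 0xa6, 0x3d, 0xcb, 0x90, 0x12, 0x6f, 0x84 };

/* Comparison as in the unpatched lutil_passwd(): strncmp() treats both
 * buffers as C strings and stops at the first NUL byte, so any two digests
 * that begin with 0x00 compare equal regardless of the remaining bytes. */
int compare_strncmp(const unsigned char *a, const unsigned char *b, size_t n)
{
    return strncmp((const char *)a, (const char *)b, n);
}

/* Comparison as in the patched version: memcmp() compares all n bytes. */
int compare_memcmp(const unsigned char *a, const unsigned char *b, size_t n)
{
    return memcmp(a, b, n);
}

/* Returns 1 when the flawed comparison accepts a candidate that the correct
 * comparison rejects, i.e. when the false match the report describes occurs. */
int false_match(const unsigned char *stored, const unsigned char *candidate)
{
    return compare_strncmp(stored, candidate, SHA1_DIGEST_LEN) == 0 &&
           compare_memcmp(stored, candidate, SHA1_DIGEST_LEN) != 0;
}

int main(void)
{
    printf("leading-zero candidate: false match = %d\n",
           false_match(stored_digest, candidate_digest));   /* prints 1 */
    printf("other candidate:        false match = %d\n",
           false_match(stored_digest, other_digest));       /* prints 0 */
    return 0;
}
```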