[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] LOL, stupid calife maintainer - this can't be true

To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: [Full-Disclosure] LOL, stupid calife maintainer - this can't be true
From: "DownBload / Illegal Instruction Labs" <downbload@xxxxxxxxxxx>
Date: Sat, 28 Feb 2004 14:18:20 +0100

Hi,

This can't be true... Imagine this - there is one programmer who doesn't know how to write a secure code (in fact, there are many of them, but I will give you just one example). He doesn't know anything about security, so he decided to write a suid-root application (good choice). Name of that app. is calife (http://www.freshports.org/security/calife/). Name of that "programmer" is Ollivier Robert. After few minutes of code audit, I found a simple-plain-stupid strcpy() in authentication process (check vuln-description here: http://www.securityfocus.com/archive/1/355510/2004-02-25/2004-03-02/0). I didn't contact him before bugtraq and now he is mad on me...and he said this:

roberto:
-------------------------------------------------------------------------------------
Fix a potential security problem on Linux/glibc whose getpass(3) apparently
fails with very long passwords leading to a segfault. It may be exploitable.

FreeBSD is *not* vulnerable.

No thanks to: the jerk who posted on bugtraq w/o mailing me beforehand.
-------------------------------------------------------------------------------------

STFU!!! That isn't linux glibc security problem, there is nothing wrong with getpass(). DON'T BLAME LINUX GLIBC FOR YOUR LAME PROGRAMMING AND LACK OF SECURITY KNOWLEDGE. BTW: I wouldn't allow you to code even hello world program.

Vulnerable code ("glibc problem" ;-) ->
/root/calife-2.8.4c/db.c
------------------------
       ...
       char    got_pass = 0;
       char    * pt_pass, * pt_enc,
               * user_pass, * enc_pass, salt [10];

       user_pass = (char *) xalloc (l_size);
       enc_pass = (char *) xalloc (l_size);
       ...
       for ( i = 0; i < 3; i ++ )
       {
           pt_pass = (char *) getpass ("Password:");
           memset (user_pass, '\0', l_size);
           strcpy (user_pass, pt_pass); // <- BAD CODE
           pt_enc = (char *) crypt (user_pass, calife->pw_passwd);
           memset (enc_pass, '\0', l_size);
           strcpy (enc_pass, pt_enc);
       }
       ...
       free (user_pass);    // <-  FUN CODE ;-)
       free (enc_pass);     // <-  FUN CODE ;-)
       ...

------------------------

My advise - DON'T USE CALIFE - it is VERY buggy - use sudo or super insted.

Bye.

_________________________________________________________________ Tired of spam? Get advanced junk mail protection with MSN 8. http://join.msn.com/?page=features/junkmail

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] LOL, stupid calife maintainer - this can't be true
  - From: Timothy Demulder
- Re: [Full-Disclosure] LOL, stupid calife maintainer - this can't be true
  - From: mescsa

Prev by Date: [Full-Disclosure] Re: Knocking Microsoft
Next by Date: RE: [Full-Disclosure] Fake Email
Previous by thread: [Full-Disclosure] Smae stupid little Zone Alarm Pro trick!
Next by thread: Re: [Full-Disclosure] LOL, stupid calife maintainer - this can't be true
Index(es):
- Date
- Thread