Re: Shadow Passwords



John Henders writes:
>Ian Jackson <ian@chiark.chu.cam.ac.uk> writes:

>>Certainly before this hole is fixed a system with a shadow `login'
>>is/was definitely much more vulnerable than one without shadow
>>passwords at all.
>
>Actually, this has yet to be proven. No exploit script has been
>posted to show that login is vulnerable. The shadow login program
>does an isgraph() on all the characters entered,

!?!  Avoiding buffer overruns is the First Thing when writing stable
code, never mind something with security implications.  I've seen the
remark someone made about isgraph(3) before, and I'm not at all
impressed.

>so, assuming there are no bugs in linux's isgraph, it would be a fair
>trick to create executable code from just the set of printable ascii
>characters. That would mean that the worst you could expect is for
>login to dump core.

* Have you ever seen the `polyglot' program which manages to contain
  8086 code to print a `hello' message just using printable
  characters, under the additional constraint of doing the same in
  half a dozen languages?

* Have you ever heard of the MSDOS `deboo' program which is (a)
  written in 8086 machine language and (b) consists entirely of
  printable characters?

Granted, we're using 80386 and not 8086 here, but I think there are
reasonable grounds to be nervous.

(Coredumping when someone types in input that is too long is
unacceptable in any case.)

>If people issued a security alert for every piece of code running on
>linux that didn't do bounds checking on input the security list
>would be unusable.

However, we might end up with a more trustable system.  Buffer
overruns are easy enough to avoid...

-- 
Richard Kettlewell
http://www.elmail.co.uk/staff/richard/                    richard@uk.geeks.org

Eat a live toad before breakfast and nothing worse will happen to you all day!

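The exchange above turns on two separate properties of input handling: whether every byte is printable (the isgraph() filter) and whether the input fits the buffer it is copied into. The following is an added example, not code from the shadow suite or from anyone in this thread, showing a hypothetical field-copy routine that checks length before anything else, so an overlong line is refused rather than overrunning the destination or dumping core. The function name copy_field and the status codes are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Status codes for copy_field() (hypothetical, chosen for this example). */
enum { FIELD_OK = 0, FIELD_TOO_LONG = -1, FIELD_BAD_CHAR = -2 };

/*
 * Copy a user-supplied NUL-terminated field into dst[cap] without ever
 * writing past the end of dst.
 *
 * The length check comes first and is independent of the character
 * check: rejecting non-printable bytes says nothing about how many
 * bytes arrived, so an isgraph() filter on its own cannot prevent an
 * overrun.  On any failure dst is left untouched.
 */
int copy_field(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);

    /* Need room for the field plus its terminating NUL. */
    if (cap == 0 || n >= cap)
        return FIELD_TOO_LONG;

    /* Character filter, applied only to input already known to fit.
     * Cast to unsigned char: passing a negative char to isgraph() is
     * undefined behaviour on platforms where char is signed. */
    for (size_t i = 0; i < n; i++) {
        if (!isgraph((unsigned char)src[i]))
            return FIELD_BAD_CHAR;
    }

    memcpy(dst, src, n + 1);   /* n + 1 <= cap, so this is in bounds */
    return FIELD_OK;
}

/* Demonstration on constructed inputs; buf is deliberately small. */
int main(void)
{
    char buf[9];
    const char *samples[] = {
        "richard",                 /* fits, all printable            */
        "kettlewell",              /* 10 bytes: too long for buf[9]  */
        "bad name",                /* contains a space: not isgraph  */
        "AAAAAAAAAAAAAAAAAAAAAAAA" /* overlong: refused, not copied  */
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = copy_field(buf, sizeof buf, samples[i]);
        printf("%-26s -> %s\n", samples[i],
               rc == FIELD_OK       ? "accepted" :
               rc == FIELD_TOO_LONG ? "rejected: too long" :
                                      "rejected: non-printable byte");
    }
    return 0;
}
```

The ordering matters: because the length test runs before the per-byte loop, the routine never reads or writes beyond cap regardless of what the bytes are, which is the property the thread argues a login program must have before any argument about printable-only machine code even arises.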
