Hello,

A possible buffer overflow has been pointed out to me in smarttools. I suggest checking the strlen of sUser and restricting it to 8 before using the sprintf.

Best Regards,
Dave

>Date: Tue, 19 Dec 2000 06:53:04 +0100
>From: Toni Andjelkovic <[EMAIL PROTECTED]>
>To: David Corcoran <[EMAIL PROTECTED]>
>Subject: smarttools-rsa-0.4.0 pam.c sprintf buffer overflow
>Mime-Version: 1.0
>User-Agent: Mutt/1.2.5i
>Organization: perl -e '$x=ord(I);map{print
>chr($x+=$_)}@{[-8,13,6,-1,-51,41,37,-8,9,3,-5,-12,19,-11,6,-1,5,0,6,-6,1,-15,8,-
>8,-69,39,38,-11,-26,-62]}'
>
>hi,
>
>i think there's a possible buffer overflow in the pam module
>contained in the smarttools-rsa-0.4.0 package.
>
>the pam_sm_authenticate() routine in pam.c has
>
>    char KpubFile[100];
>    [...]
>    char *sUser;
>    [...]
>    pam_get_user( pamh, &sUser, "Login: " );
>    sprintf( KpubFile, "%s%s%s", "/home/", sUser, "/.muscle/public.key" );
>    [...]
>
>KpubFile is allocated on the stack with a fixed length.
>
>pam_get_user() will prompt for a username and set
>the "sUser" pointer by reading it via the conversion
>function. however, pam_get_user() does not check
>or modify the length of the returned username, so
>"sUser" might point to a string of arbitrary length.
>in the next step, the contents of "sUser" are copied
>over KpubFile, possibly overwriting the stack if
>the username is too long.
>
>    snprintf( KpubFile, sizeof(KpubFile), "%s%s%s", "/home/", sUser,
>              "/.muscle/public.key" );
>
>this could be a security problem, as someone might
>try to obtain root privileges by overwriting the stack
>return address and inserting executable code within KpubFile.
>
>cheers,
>--
>Toni Andjelkovic
>[EMAIL PROTECTED]
>

David Corcoran
Purdue University
1008 Cherry Lane
West Lafayette, IN 47906
[EMAIL PROTECTED]
765 - 427 - 5147
http://www.linuxnet.com
***************************************************************
Linux Smart Card Developers - M.U.S.C.L.E.
(Movement for the Use of Smart Cards in a Linux Environment)
http://www.linuxnet.com/smartcard/index.html
***************************************************************
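The two fixes discussed in the thread (capping the username length before formatting, and using snprintf with the buffer's real size) are combined below in a stand-alone example. This is added illustration code, not code from the smarttools package or from either poster; it does not call PAM, takes the username as a plain string, and assumes the same 100-byte buffer and the "/home/" + user + "/.muscle/public.key" layout quoted in the report. The 8-character cap comes from the reply above. One point the thread does not spell out: snprintf alone only stops the overrun, it still yields a silently truncated path, so the hardened builder also checks snprintf's return value and rejects truncation instead of opening a mangled filename.

```c
/* Added example: safe construction of the per-user public-key path.
 * Not from smarttools-rsa; PAM calls are replaced by a plain string argument. */
#include <stdio.h>
#include <string.h>

#define KPUB_LEN     100   /* size of KpubFile[] in the reported pam.c */
#define MAX_USER_LEN 8     /* cap on the username, as suggested in the reply */

static const char PREFIX[] = "/home/";
static const char SUFFIX[] = "/.muscle/public.key";

/* Bytes (excluding the terminating NUL) that the full path for sUser needs.
 * snprintf(NULL, 0, ...) measures without writing anywhere. */
size_t kpub_path_len(const char *sUser)
{
    int n = snprintf(NULL, 0, "%s%s%s", PREFIX, sUser, SUFFIX);
    return n < 0 ? 0 : (size_t)n;
}

/* 1 if the path plus its NUL fits in a buffer of outlen bytes, else 0.
 * This is exactly the bound that the original sprintf() never checked:
 * with KPUB_LEN == 100 the prefix (6) and suffix (19) leave room for a
 * username of at most 74 characters. */
int kpub_fits(const char *sUser, size_t outlen)
{
    return kpub_path_len(sUser) < outlen;
}

/* Hardened builder: reject empty or over-long usernames first, then format
 * with the real buffer size and treat truncation (return >= outlen) as an
 * error rather than using a mangled path. Returns 0 on success, -1 if the
 * name is rejected or the result would not fit; out is emptied on failure. */
int build_kpub_path(char *out, size_t outlen, const char *sUser)
{
    size_t ulen = strlen(sUser);
    if (ulen == 0 || ulen > MAX_USER_LEN) {
        out[0] = '\0';
        return -1;
    }
    int n = snprintf(out, outlen, "%s%s%s", PREFIX, sUser, SUFFIX);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Helper for experiments: fill dst with n copies of 'a' and NUL-terminate.
 * The caller must provide at least n + 1 bytes. */
void fill_name(char *dst, size_t n)
{
    memset(dst, 'a', n);
    dst[n] = '\0';
}

int main(void)
{
    char KpubFile[KPUB_LEN];
    char name[256];
    /* Constructed username lengths: well under the cap, at the cap, just
     * over it, the largest that fits the raw buffer, and two that do not. */
    const size_t tries[] = { 5, 8, 9, 74, 75, 200 };

    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++) {
        fill_name(name, tries[i]);
        printf("user len %3zu: path needs %3zu bytes; fits %d-byte buffer: %-3s; build: %s\n",
               tries[i], kpub_path_len(name), KPUB_LEN,
               kpub_fits(name, sizeof KpubFile) ? "yes" : "no",
               build_kpub_path(KpubFile, sizeof KpubFile, name) == 0 ? "ok" : "rejected");
    }
    return 0;
}
```

Running it shows the two limits separately: kpub_fits() reports the 74/75 boundary where sprintf() would begin writing past KpubFile, while build_kpub_path() already rejects anything over the 8-character cap, so the snprintf bound becomes a second line of defence rather than the only one.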