Hello,

A possible buffer overflow has been pointed out to me in smarttools.  I
suggest checking the strlen of sUser and restricting it to 8 before using
the sprintf.

Best Regards,
Dave

>Date: Tue, 19 Dec 2000 06:53:04 +0100
>From: Toni Andjelkovic <[EMAIL PROTECTED]>
>To: David Corcoran <[EMAIL PROTECTED]>
>Subject: smarttools-rsa-0.4.0 pam.c sprintf buffer overflow
>Mime-Version: 1.0
>User-Agent: Mutt/1.2.5i
>Organization: perl -e '$x=ord(I);map{print
>chr($x+=$_)}@{[-8,13,6,-1,-51,41,37,-8,9,3,-5,-12,19,-11,6,-1,5,0,6,-6,1,-15,8,-
>8,-69,39,38,-11,-26,-62]}'
>
>hi,
>
>i think there's a possible buffer overflow in the pam module
>contained in the smarttools-rsa-0.4.0 package.
>
>the pam_sm_authenticate() routine in pam.c has
>
>  char KpubFile[100];
>  [...]
>  char *sUser;
>  [...]
>  pam_get_user( pamh, &sUser, "Login: " );
>  sprintf( KpubFile, "%s%s%s", "/home/", sUser, "/.muscle/public.key" );
>  [...]
>
>KpubFile is allocated on the stack with a fixed length.
>
>pam_get_user() will prompt for a username and set
>the "sUser" pointer by reading it via the conversion
>function. however, pam_get_user() does not check
>or modify the length of the returned username, so
>"sUser" might point to a string of arbitrary length.
>in the next step, the contents of "sUser" are copied
>over KpubFile, possibly overwriting the stack if
>the username is too long.
>
>    snprintf( KpubFile, sizeof(KpubFile), "%s%s%s", "/home/", sUser, "/.muscle/public.key" );
>
>this could be a security problem, as someone might
>try to obtain root privileges by overwriting the stack
>return address and inserting executable code within KpubFile.
>
>cheers,
>--
>Toni Andjelkovic
>[EMAIL PROTECTED]
>

David Corcoran                                  Purdue University
1008 Cherry Lane
West Lafayette, IN 47906
[EMAIL PROTECTED]
765 - 427 - 5147                                http://www.linuxnet.com


***************************************************************
Linux Smart Card Developers - M.U.S.C.L.E.
(Movement for the Use of Smart Cards in a Linux Environment)
http://www.linuxnet.com/smartcard/index.html
***************************************************************
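
Added example, not part of the original messages and not smarttools code: a C helper that combines the two fixes discussed in this thread, the username length check and the bounded snprintf, and treats a truncated path as an error instead of using it. The names build_kpub_path and MAX_USER_LEN are assumptions; the limit of 8 is the value suggested in the reply, and the over-long name is constructed sample input.

```c
#include <stdio.h>
#include <string.h>

#define MAX_USER_LEN 8  /* assumed constant; 8 is the limit suggested in the thread */

/* Hypothetical helper (not smarttools code): writes
 * /home/<user>/.muscle/public.key into out.
 * Returns 0 on success, -1 if the name is rejected or the path does not fit. */
int build_kpub_path(char *out, size_t outlen, const char *user)
{
    int n;

    if (out == NULL || outlen == 0 || user == NULL)
        return -1;
    out[0] = '\0';

    /* Check 1: reject empty or over-long names before formatting. */
    if (user[0] == '\0' || strlen(user) > MAX_USER_LEN)
        return -1;

    /* Check 2: bounded write. snprintf returns the length it needed, so a
     * value >= outlen means the path was cut off and must not be used. */
    n = snprintf(out, outlen, "%s%s%s", "/home/", user, "/.muscle/public.key");
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char KpubFile[100];
    char longname[301];                     /* constructed over-long input */
    const char *names[] = { "dave", longname };
    size_t i;

    memset(longname, 'A', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        if (build_kpub_path(KpubFile, sizeof(KpubFile), names[i]) == 0)
            printf("ok: %s\n", KpubFile);
        else
            printf("rejected: name of length %zu\n", strlen(names[i]));
    }
    return 0;
}
```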
