From blackshell@hushmail.com Thu Jan 3 01:24:14 2002
From: blackshell@hushmail.com
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org, vuln-dev@securityfocus.com
Date: Wed, 2 Jan 2002 01:25:51 -0800
Subject: [VulnWatch] blackshell3: multiple pwck/grpck vulnerabilities

#####################################################
#--blackshell security advisory no3--#
#
#--IRIX grpck/pwck LOCAL exploit--#
#
#--Linux grpck/pwck LOCAL exploit--#
#
#####################################################

######################## vendor details & history ########################

www.sgi.com
www.redhat.com

this is not OS specific.
no history for this specific app.

################## details of exploit ##################

it seems as if this affects every single OS that uses the *ck family for password authentication. this is a classic buffer overflow in the binaries located in the /usr/sbin/ dir. they are both in the same family of applications and both are susceptible to this: the cause is a bad strcpy() call which copies the first argument passed into another string, resulting in a SIGSEGV.

advanced details:

IRIX:

# /usr/sbin/pwck `perl -e 'print "X"x3000'`
Segmentation Fault
#
# /usr/sbin/grpck `perl -e 'print "X"x3000'`
Segmentation Fault
#

Linux (redhat):

# /usr/sbin/pwck `perl -e 'print "X"x3000'`
Segmentation Fault (core dumped)
#
# /usr/sbin/grpck `perl -e 'print "X"x3000'`
Segmentation Fault (core dumped)
#

on the IRIX test box we found these binaries suid by default, and we were told they come suid on redhat 6.* and prior.

### fix ###

strcpy should be replaced with the bounds checking strncpy().

#### note ####

this test was conducted on an IRIX 6.5 box and a redhat 7.2 box.
under no circumstances are we liable for any misuse of this information.

######## hi's to: ########

cr_, Markus@obsd, blackshell dev team, #!blackshell contributors and anyone who over the years has helped make us what we are.
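The fix above, worked through in C as an added example that is not part of the advisory or of the pwck/grpck sources: the unbounded-strcpy pattern the advisory describes is reconstructed in a comment, and a bounded copy with an explicit length check and guaranteed NUL termination is tried against the same 3000-byte argument as the test sessions above. The buffer size and the function names are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed buffer size; the real pwck/grpck value is not on the page. */
#define PATH_BUF_LEN 256

/* The pattern the advisory describes (reconstructed, not the real source):
 *     char file[PATH_BUF_LEN];
 *     strcpy(file, argv[1]);   // unbounded: a 3000-byte argv[1] overruns file[]
 * Hardened form: measure the input against the buffer first, then copy with an
 * explicit bound and always NUL-terminate. strncpy() alone is not enough: it
 * leaves dst unterminated when src fills the whole buffer. */
int copy_path_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t n = 0;
    if (dst == NULL || src == NULL || dstlen == 0)
        return -1;
    while (n < dstlen && src[n] != '\0')   /* scan no further than dstlen */
        n++;
    if (n == dstlen)                       /* no room left for the terminator */
        return -1;
    strncpy(dst, src, dstlen - 1);
    dst[dstlen - 1] = '\0';                /* guarantee termination */
    return 0;
}

/* 1 if src copies into a dstlen-byte buffer intact, 0 if it is rejected. */
int round_trip_ok(const char *src, size_t dstlen)
{
    char buf[PATH_BUF_LEN];
    if (dstlen > sizeof buf)
        dstlen = sizeof buf;
    if (copy_path_bounded(buf, dstlen, src) != 0)
        return 0;
    return strcmp(buf, src) == 0;
}

/* The advisory's test input, 3000 'X' bytes, constructed here instead of argv. */
int overlong_arg_is_rejected(void)
{
    char file[PATH_BUF_LEN];
    char *arg = malloc(3001);
    int rc;
    if (arg == NULL)
        return -2;                         /* allocation failure, not a rejection */
    memset(arg, 'X', 3000);
    arg[3000] = '\0';
    rc = copy_path_bounded(file, sizeof file, arg);  /* -1: rejected, file[] intact */
    free(arg);
    return rc;
}
```

The length check before the copy is what turns the segfault into a clean error return; the explicit terminator covers the case where strncpy() would otherwise leave an unterminated buffer.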
####### contact #######

blackshell@hushmail.com