
Minor Security Hole (ITS#232)



Full_Name: Christian Forster
Version: 1.2.4
OS: Linux
URL: 
Submission from: (NULL) (131.188.28.42)


It seems that there is a minor security hole in the file
libraries/liblutil/passwd.c:

The function lutil_passwd(...) does a strncmp() on binary patterns
(salted-md5 and salted-sha1 hashes).
So, if an intruder has access to the stored password hashes, he can
look for those that start with a zero byte. Now it is very easy for him to
construct a random string (= password) that produces another hash (in
conjunction with the corresponding salt) that starts with a zero byte, too.
strncmp() considers both hashes equal, due to the leading zero byte!

Regards,
	Christian Forster

Here's the fix:

--- ldap/libraries/liblutil/passwd.c    Wed Jan 20 01:04:51 1999
+++ ldap.patched/libraries/liblutil/passwd.c    Thu Jul 15 18:08:43 1999
@@ -98,7 +98,7 @@
                lutil_SHA1Final(SHA1digest, &SHA1context);
  
                /* compare */
-               rc = strncmp((char *)orig_pass, (char *)SHA1digest,
sizeof(SHA1digest));
+               rc = memcmp((char *)orig_pass, (char *)SHA1digest,
sizeof(SHA1digest));
                free(orig_pass);
                return(rc);
 
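Review bot: The `-`/`+` lines for the SHA1 compare are each wrapped onto two lines, and the `sizeof(SHA1digest));` continuation carries no diff prefix, so the patch will not apply as pasted; rejoin each call onto a single prefixed line. memcmp is the right call for a binary digest (strncmp stops at the first NUL byte, which is exactly the hole reported above), and the `(char *)` casts inherited from the strncmp call are now unnecessary because memcmp takes `const void *`. Note also that memcmp returns at the first differing byte, so this hunk closes the NUL-truncation hole but the time taken still reveals how many leading digest bytes matched; a fixed-length comparison that ORs together every byte difference before deciding would remove that.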
@@ -128,7 +128,7 @@
                lutil_MD5Final(MD5digest, &MD5context);
 
                /* compare */
-               rc = strncmp((char *)orig_pass, (char *)MD5digest,
sizeof(MD5digest));
+               rc = memcmp((char *)orig_pass, (char *)MD5digest,
sizeof(MD5digest));
                free(orig_pass);
                return ( rc );
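Review bot: Same fix and same line-wrap problem as the SHA1 hunk (the `sizeof(MD5digest));` continuation has no diff prefix). The two hunks are now identical compare/free/return sequences that differ only in digest type and in return style (`return(rc);` above versus `return ( rc );` here); a small shared helper that compares the decoded stored digest against the computed one would keep both paths consistent and give one place for a length check, since neither hunk shows the decoded orig_pass being verified to hold at least sizeof(digest) bytes before memcmp reads that many.

The following is an added example, not part of the report or of the OpenLDAP source, that reproduces the comparison bug in isolation: two constructed 20-byte digests that share only a leading zero byte compare equal under strncmp, are told apart by the patched memcmp, and, going one step beyond the patch, by a constant-time comparison that does not stop at the first mismatch. The digest values and function names are made up for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed 20-byte values standing in for two different salted-SHA1
 * digests that both happen to begin with a zero byte (not real hash output). */
static const unsigned char stored_digest[20] = {
    0x00, 0x3a, 0x7f, 0x11, 0xc2, 0x9e, 0x54, 0x08, 0xd1, 0x66,
    0x2b, 0xaa, 0x90, 0x4c, 0xe7, 0x13, 0x58, 0xbf, 0x01, 0x77 };
static const unsigned char guessed_digest[20] = {
    0x00, 0xff, 0x02, 0x81, 0x33, 0x4d, 0xc0, 0x5e, 0x19, 0xee,
    0x72, 0x0a, 0x6d, 0x9b, 0x38, 0xa4, 0xc5, 0x22, 0x6f, 0x10 };

/* The original (vulnerable) comparison from passwd.c: strncmp treats the
 * digest as a C string and stops at the first NUL byte, so two digests that
 * both start with 0x00 compare equal no matter what follows.
 * Returns 1 when the comparison reports a match, 0 otherwise. */
int matches_strncmp(const unsigned char *a, const unsigned char *b, size_t n) {
    return strncmp((const char *)a, (const char *)b, n) == 0;
}

/* The patched comparison: memcmp looks at all n bytes regardless of NULs. */
int matches_memcmp(const unsigned char *a, const unsigned char *b, size_t n) {
    return memcmp(a, b, n) == 0;
}

/* Further hardening not in the patch: a constant-time comparison that never
 * returns early, so the time taken does not depend on how many leading
 * bytes matched. */
int matches_consttime(const unsigned char *a, const unsigned char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

int main(void) {
    size_t n = sizeof stored_digest;
    printf("strncmp   says match: %d\n", matches_strncmp(stored_digest, guessed_digest, n));
    printf("memcmp    says match: %d\n", matches_memcmp(stored_digest, guessed_digest, n));
    printf("consttime says match: %d\n", matches_consttime(stored_digest, guessed_digest, n));
    return 0;
}
```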