From bbense@telemark.stanford.edu Mon Mar 23 15:52:19 1998
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id PAA24284 for ; Mon, 23 Mar 1998 15:52:19 -0500
Received: from telemark.Stanford.EDU by MIT.EDU with SMTP id AA19104; Mon, 23 Mar 98 15:52:52 EST
Received: by telemark.stanford.edu (8.9.0.Beta1/8.7.3) id MAA19536; Mon, 23 Mar 1998 12:52:15 -0800 (PST)
Message-Id:
Date: Mon, 23 Mar 1998 12:52:15 -0800 (PST)
From: Booker Bense
To: krb5-bugs@MIT.EDU
Subject: Buffer overrun in Version 1.0.5 appl/bsd/login.c

>Number: 571
>Category: krb5-appl
>Synopsis: Buffer overrun in Version 1.0.5 appl/bsd/login.c
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: tlyu
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Mon Mar 23 15:53:00 EST 1998
>Last-Modified: Sat May 16 17:28:00 EDT 1998
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:

Responsible-Changed-From-To: gnats-admin->tlyu
Responsible-Changed-By: tlyu
Responsible-Changed-When: Fri Mar 27 19:49:20 1998
Responsible-Changed-Why:
Refiled.

State-Changed-From-To: open-analyzed
State-Changed-By: tlyu
State-Changed-When: Fri Mar 27 19:49:39 1998
State-Changed-Why:
This doesn't look too serious, though still not certain if it's exploitable.

State-Changed-From-To: analyzed-closed
State-Changed-By: tlyu
State-Changed-When: Sat May 16 17:26:58 1998
State-Changed-Why:
Fixed src/appl/bsd/login.c 5.70

From: Tom Yu
To: bbense@networking.stanford.edu
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-appl/571: Buffer overrun in Version 1.0.5 appl/bsd/login.c
Date: Sat, 16 May 1998 17:26:51 -0400

Thanks for the report; I've fixed the strcpy invocations that you've noted, as well as a few others. Note that strncpy by itself is not safe, as it can leave off a terminating nul under some conditions; I've therefore added explicit nul terminations following calls to strncpy.
---Tom

>Unformatted:

- Forgive me if I'm being overly paranoid, but I was poking around in login.c and found these potential buffer overruns. Exploiting them might be difficult, but they are there.

- Booker c. Bense

*** login.c Mon Mar 23 12:44:09 1998 --- login.c~ Fri Feb 6 19:41:18 1998 *************** *** 487,493 **** unlink(ccfile+strlen("FILE:")); } else { /* note it correctly */ ! strncpy(ccfile, getenv(KRB5_ENV_CCNAME),sizeof(ccfile)); } #ifdef KRB4_GET_TICKETS --- 487,493 ---- unlink(ccfile+strlen("FILE:")); } else { /* note it correctly */ ! strcpy(ccfile, getenv(KRB5_ENV_CCNAME)); } #ifdef KRB4_GET_TICKETS *************** *** 617,623 **** } else { /* get_name pulls out just the name not the type */ ! strncpy(ccfile, krb5_cc_get_name(kcontext, ccache),sizeof(ccfile)); krbflag = got_v5_tickets = 1; return 1; } --- 617,623 ---- } else { /* get_name pulls out just the name not the type */ ! strcpy(ccfile, krb5_cc_get_name(kcontext, ccache)); krbflag = got_v5_tickets = 1; return 1; } *************** *** 708,714 **** return 0; } got_v4_tickets = 1; ! strncpy(tkfile, tkt_string(),sizeof(tkfile)); return 1; } #endif --- 708,714 ---- return 0; } got_v4_tickets = 1; ! strcpy(tkfile, tkt_string()); return 1; } #endif
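Review bot: the proposed `strncpy(ccfile, getenv(KRB5_ENV_CCNAME),sizeof(ccfile))` on the `*** 487,493` side (the `***` file is the patched copy here, `---` is the original) stops the overflow but not the unterminated string: when the environment value is sizeof(ccfile) bytes or longer, strncpy writes no nul, and the `unlink(ccfile+strlen("FILE:"))` in the same hunk, like anything else that treats ccfile as a C string, reads past the end of the buffer. Copy at most sizeof(ccfile)-1 bytes and set `ccfile[sizeof(ccfile)-1] = '\0'` afterwards, or reject an oversize value outright, since a silently truncated credential-cache path names a different file from the one the caller meant.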
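Review bot: the same termination gap is on the `*** 617,623` side: `strncpy(ccfile, krb5_cc_get_name(kcontext, ccache),sizeof(ccfile))` leaves ccfile unterminated when the cache name fills the buffer, and the hunk then runs `krbflag = got_v5_tickets = 1; return 1;`, reporting success with a possibly mangled path. Add an explicit `ccfile[sizeof(ccfile)-1] = '\0'`, and preferably return 0 when the name does not fit rather than returning 1 with a wrong cache name.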
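Review bot: the `*** 708,714` side needs the same fix for the v4 path: `strncpy(tkfile, tkt_string(),sizeof(tkfile))` should be followed by `tkfile[sizeof(tkfile)-1] = '\0'` (or preceded by a length check) for the same reason as the two ccfile copies. As this is the third identical copy-into-fixed-buffer site in the patch, one helper that copies, terminates and reports truncation would keep all three consistent and make the remaining strcpy calls Tom mentions a one-line change each.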
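As an added illustration of the point in Tom Yu's reply (example code written for this page, not code from the krb5 source or from the patch above): a strncpy bounded by sizeof(buf) leaves no terminator when the source is as long as the buffer, so a later strlen or unlink on that buffer reads past its end. The helper bounded_copy, the 8-byte buffers and the sample "FILE:" names are constructed for the example; the helper refuses an oversized source instead of truncating, because a truncated cache or ticket file path names a different file.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the krb5 tree. Buffer sizes and sample
 * strings are constructed for illustration. */

/* 1 if buf[0..len) holds a nul byte, else 0. */
static int has_terminator(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* The pattern in the reported patch: strncpy bounded by the buffer size.
 * Fills an 8-byte buffer from src and reports whether the result is a
 * valid C string. strncpy pads with nul only if strlen(src) < sizeof buf;
 * otherwise it writes exactly 8 bytes and no terminator. */
int strncpy_leaves_terminator(const char *src)
{
    char buf[8];
    memset(buf, 'X', sizeof buf);          /* poison so a missing nul shows */
    strncpy(buf, src, sizeof buf);
    return has_terminator(buf, sizeof buf);
}

/* Bounded copy that always terminates dst. Returns 0 on success, -1 when
 * src is NULL or does not fit; dst is then the empty string, so a caller
 * can never act on a silently truncated path. */
int bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t n;
    if (dstsize == 0)
        return -1;
    if (src == NULL) {
        dst[0] = '\0';
        return -1;
    }
    n = strlen(src);
    if (n >= dstsize) {                     /* no room for the nul */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);                /* includes the terminator */
    return 0;
}

/* 1 if src fits an 8-byte buffer and round-trips through bounded_copy. */
int fits_in_8(const char *src)
{
    char dst[8];
    return bounded_copy(dst, sizeof dst, src) == 0 && strcmp(dst, src) == 0;
}

int main(void)
{
    const char *short_name = "FILE:/t";    /* 7 chars: fits with its nul */
    const char *long_name = "FILE:/tm";    /* 8 chars: fills the buffer */

    printf("strncpy '%s' terminated: %d\n", short_name,
           strncpy_leaves_terminator(short_name));   /* 1 */
    printf("strncpy '%s' terminated: %d\n", long_name,
           strncpy_leaves_terminator(long_name));    /* 0 */
    printf("bounded_copy '%s' fits: %d\n", short_name, fits_in_8(short_name));
    printf("bounded_copy '%s' fits: %d\n", long_name, fits_in_8(long_name));
    return 0;
}
```

The two-character difference between the sample names is the whole failure mode: the 7-byte name gets its nul from strncpy's padding, the 8-byte one fills the buffer and gets none. Checking the length before the copy, as bounded_copy does, is what makes the explicit termination Tom added unnecessary at each site.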