[attic bug report nr. 1]

While fooling around a little with NIS/YP (didn't get it completely working...) I ran into a bug in the imapd and ipop3d that come with slackware 3.4 (if you install the pine package). Earlier slackware versions will probably NOT suffer from this bug, because they did not include shadowing.

When fed an unknown username, imapd and ipop3d will dump core:

[root@koek] /# telnet zopie 110
Trying 10.10.13.1...
Connected to zopie.attic.vuurwerk.nl.
Escape character is '^]'.
+OK zopie.attic.vuurwerk.nl POP3 3.3(20) w/IMAP2 client (Comments to MRC@CAC.Washington.EDU) at Sun, 1 Feb 1998 23:45:06 +0100 (CET)
user root
+OK User name accepted, password please
pass linux
[this is not the correct password]
-ERR Bad login
user john
[i have no user named john]
+OK User name accepted, password please
pass doe
Connection closed by foreign host.

At this point ipop3d coredumps in /core:

[root@zopie] /# strings core | grep -A3 root
root
[crypted pw here]
10244
Sun Feb  1 23:45:15 1998
--
root:[crypted pw here]:10244:0:::::
halt:*:9797:0:::::
operator:*:9797:0:::::
shutdown:*:9797:0:::::
[looks like my /etc/shadow ;(]
--
root:[crypted pw here]:10244:0:::::
john
koek.attic.vuurwerk.nl
PASS
[I removed the pw because it's my own ;)]

Same goes for imapd:

Connected to zopie.attic.vuurwerk.nl.
* OK zopie.attic.vuurwerk.nl IMAP2bis Service 7.8(100) at Sun, 1 Feb 1998 23:53:00 +0100 (CET)
A001 LOGIN root linux
A001 NO Bad LOGIN user name and/or password
A002 LOGIN john doe
Connection closed by foreign host.

Doing the strings/grep again gives about the same result.

Running this under strace shows that the program reads /etc/passwd and closes it again, then reopens it (to try the username in lowercase) and reads again, followed by a SIGSEGV.

The bug is in (one of) the patches and diffs that are applied to support shadowing in Linux.
The problem is in log_lnx.c.diff.gz:

-  if (!(pw && pw->pw_uid)) return NIL;
+/* if (!(pw && pw->pw_uid)) return NIL; */

I have no idea why this check is removed (the programs continue to keep working with this check enabled), but it breaks the whole thing.

A couple more patches are applied, after which 'build lnx' is executed. Apparently Patrick Volkerding (maintainer of SlackWare, real cool guy I think) didn't realize that 'build slx' does about the same, only safe...

Note that the dumped core is mode 600, _unless_ /core already exists, in which case its permissions are retained.

Greetz, Peter.

P.S. Does anybody know where a process like ipop3d leaves its coredumps _after_ the user has logged in, so that it's running under the user's id?

----------------------------------------------------------------------------

On Mon, 2 Feb 1998, Peter van Dijk wrote:

> [attic bug report nr. 1]
>
> While fooling around a little with NIS/YP (didn't get it completely
> working...) I ran into a bug in the imapd and ipop3d that come with
> slackware 3.4 (if you install the pine package).
> Earlier slackware versions will probably NOT suffer from this bug,
> because they did not include shadowing.
>
> When fed an unknown username, imapd and ipop3d will dump core:
>
> [root@koek] /# telnet zopie 110
> Trying 10.10.13.1...
> Connected to zopie.attic.vuurwerk.nl.
> Escape character is '^]'.
> +OK zopie.attic.vuurwerk.nl POP3 3.3(20) w/IMAP2 client (Comments to MRC@CAC.Washington.EDU) at Sun, 1 Feb 1998 23:45:06 +0100 (CET)
> user root
> +OK User name accepted, password please
> pass linux
> [this is not the correct password]
> -ERR Bad login
> user john
> [i have no user named john]
> +OK User name accepted, password please
> pass doe
> Connection closed by foreign host.
>

This does not affect slackware 3.3 (which HAS shadow !!!!!). May be a bug in that version of ipop3d :(

root@licj:~# tn licj 110
Trying 193.226.84.250...
Connected to licj.soroscj.ro.
Escape character is '^]'.
+OK licj POP3 Server (Version 1.005h) ready at
user root
+OK please send PASS command
pass kaka
-ERR invalid usercode or password, please try again
user kkt
+OK please send PASS command
pass lksdghsql
-ERR invalid usercode or password, please try again
user raf
+OK please send PASS command
pass a;sdkljfh
-ERR invalid usercode or password, please try again
........ and so on.....

Radu-Adrian Feurdean

----------------------------------------------------------------------------

On Mon, 2 Feb 1998, Peter van Dijk wrote:

> [attic bug report nr. 1]
>
> While fooling around a little with NIS/YP (didn't get it completely
> working...) I ran into a bug in the imapd and ipop3d that come with
> slackware 3.4 (if you install the pine package).
> Earlier slackware versions will probably NOT suffer from this bug,
> because they did not include shadowing.
>
> When fed an unknown username, imapd and ipop3d will dump core:

[exploit snipped]

Slackware 3.3 does include shadowing. Apparently, the stock ipop3d is not vulnerable, but imapd is.

thumper:/$ telnet thumper 110
Trying 127.0.0.1...
Connected to thumper.woods.com.
Escape character is '^]'.
+OK thumper POP3 Server (Version 1.005h) ready at
user root
+OK please send PASS command
pass linux
-ERR invalid usercode or password, please try again
user john
+OK please send PASS command
pass doe
-ERR invalid usercode or password, please try again
quit
+OK arthur POP3 Server (Version 1.005h) shutdown.
Connection closed by foreign host.
thumper:/$ ls -l core
/bin/ls: core: No such file or directory
thumper:/$
thumper:/$ telnet thumper imap2
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK thumper.woods.com IMAP2bis Service 7.8(100) at Sun, 1 Feb 1998 23:15:45 -0800 (PST)
A001 LOGIN root linux
A001 NO Bad LOGIN user name and/or password
A002 LOGIN john doe
Connection closed by foreign host.
thumper:/$ ls -l core
-rw-------   1 root     root       282624 Feb  1 23:16 core
thumper:/$

--
David Griffith
dgriffi@ultrix6.cs.csubak.edu

----------------------------------------------------------------------------

The patch corrects the coredump error in both imapd and ipop3d (the pine version of pop3 server). Patch is against pine 3.96:

root@feu:~/src/pine3.96/imap/ANSI/c-client# diff -ru log_lnx.c.orig log_lnx.c
--- log_lnx.c.orig      Tue May  2 00:08:20 1995
+++ log_lnx.c   Thu Feb  5 08:49:31 1998
@@ -55,7 +55,8 @@
                                 /* allow case-independent match */
   if (!pw) pw = getpwnam (lcase (strcpy (tmp,user)));
                                 /* no entry for this user or root */
-  if (!(pw && pw->pw_uid)) return NIL;
+  if (!(pw)) return NIL;
+  if (!(pw->pw_uid)) return NIL;
   if(!(spw = getspnam (pw->pw_name))) return NIL;
                                 /* validate password */
   if (strcmp (spw->sp_pwdp,(char *) pw_encrypt(pass,spw->sp_pwdp))) return NIL;
root@feu:~/src/pine3.96/imap/ANSI/c-client#

... why do we need "optimisations" when authenticating users ???? :)
and btw: in original version root was still able to log in...

---
Radu-Adrian Feurdean

----------------------------------------------------------------------------

On Thu, Feb 05, 1998 at 09:45:38AM +0200, raf@licj..... (Bugtraq Mirror) said:

> -  if (!(pw && pw->pw_uid)) return NIL;
> +  if (!(pw)) return NIL;
> +  if (!(pw->pw_uid)) return NIL;
> ... why do we need "optimisations" when authenticating users ???? :)
> and btw: in original version root was still able to log in...

You are very incorrect here. Both your version and the original version do the exact same thing: If pw = valid_addr && pw->pw_uid = 0 then it would return NIL; which would deny root.

However, the _readable_ way to write this would be:

if( !pw || !pw->pw_uid ) return NIL;

This stops if pw is not valid or if pw->pw_uid is 0. This is exactly the same as the first statement since:

!(A && B) == !A || !B

...only much more readable.

--
Michael Douglass
Texas Networking, Inc.

anyway, I'm off, perl code is making me [a] crosseyed toady

----------------------------------------------------------------------------
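Review bot: In the hunk at @@ -55,7 +55,8 @@ the two added lines are behaviourally identical to the one removed line, so against log_lnx.c.orig this patch changes nothing: `&&` short-circuits, so `pw->pw_uid` in `if (!(pw && pw->pw_uid)) return NIL;` is never evaluated when `pw` is NULL, and uid 0 is refused in both spellings. The crash in the earlier report comes from Slackware's log_lnx.c.diff.gz commenting that whole check out, after which `getspnam (pw->pw_name)` dereferences a NULL `pw` for any unknown username; the fix for that build is to restore the original line (or the equivalent `if (!pw || !pw->pw_uid) return NIL;`), not to carry this diff against an upstream tree where the check already exists.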
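The login path this thread argues about, as an added example that is not code from the thread, from Slackware or from the c-client library: it models the checkpw() flow of log_lnx.c (exact lookup, lowercase retry, the NULL/root check, shadow lookup, password comparison) over constructed passwd/shadow tables, returns a distinct result for each refusal so the unknown-user path that crashed ipop3d can be exercised, and shows the three spellings of the check deny identical inputs. It assumes the shadow field holds the secret verbatim rather than a crypt(3) hash.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
struct pwent { const char *pw_name; unsigned pw_uid; };
struct spent { const char *sp_namp; const char *sp_pwdp; };
/* Constructed stand-ins for /etc/passwd and /etc/shadow. Assumption: sp_pwdp
 * holds the secret verbatim instead of a crypt(3) hash, because this example
 * is about the lookup control flow, not password hashing. "nobody" has no
 * shadow entry on purpose, to exercise the getspnam failure path. */
static const struct pwent passwd_tab[] = { {"root", 0}, {"peter", 1000}, {"nobody", 65534} };
static const struct spent shadow_tab[] = { {"root", "s3cret"}, {"peter", "Greetz"} };
static const struct pwent *sim_getpwnam(const char *name) {
    for (size_t i = 0; i < sizeof passwd_tab / sizeof *passwd_tab; i++)
        if (strcmp(passwd_tab[i].pw_name, name) == 0) return &passwd_tab[i];
    return NULL;                 /* unknown user: the case that crashed ipop3d */
}
static const struct spent *sim_getspnam(const char *name) {
    for (size_t i = 0; i < sizeof shadow_tab / sizeof *shadow_tab; i++)
        if (strcmp(shadow_tab[i].sp_namp, name) == 0) return &shadow_tab[i];
    return NULL;
}
static char *lcase(char *s) {
    for (char *p = s; *p; p++) *p = (char)tolower((unsigned char)*p);
    return s;
}
/* Three spellings of "no entry for this user or root"; !(A && B) == !A || !B. */
int deny_original(const struct pwent *pw) { return !(pw && pw->pw_uid); }
int deny_split(const struct pwent *pw)    { if (!pw) return 1; return !pw->pw_uid; }
int deny_readable(const struct pwent *pw) { return !pw || !pw->pw_uid; }
enum login_result { LOGIN_OK, LOGIN_UNKNOWN_USER, LOGIN_ROOT_DENIED, LOGIN_NO_SHADOW, LOGIN_BAD_PASSWORD };
/* Mirrors log_lnx.c step by step; each refusal reports which step refused. */
enum login_result checkpw(const char *user, const char *pass) {
    char tmp[64];
    const struct pwent *pw = sim_getpwnam(user);
    if (!pw && strlen(user) < sizeof tmp)           /* allow case-independent match */
        pw = sim_getpwnam(lcase(strcpy(tmp, user)));
    /* Slackware's log_lnx.c.diff.gz commented this check out; with it gone an
     * unknown user leaves pw NULL and pw->pw_name below is a NULL dereference. */
    if (deny_readable(pw)) return pw ? LOGIN_ROOT_DENIED : LOGIN_UNKNOWN_USER;
    const struct spent *spw = sim_getspnam(pw->pw_name);
    if (!spw) return LOGIN_NO_SHADOW;
    if (strcmp(spw->sp_pwdp, pass) != 0) return LOGIN_BAD_PASSWORD;
    return LOGIN_OK;
}
```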