From: "Sick`"
Date: Wed, 17 Sep 2003 22:41:35 +0200
Subject: FW: opiekey segfault ... isn't that harmful? it's setuid root

Hi,

I dunno much about exploiting, but I was wondering about the setuid root program 'opiepasswd' to use one-time-passwords. When having a seed of (null) and a sequence of -1, I get a segfault.

Kernel/base:
FreeBSD lama.inet-solutions.be 4.8-RELEASE-p4 FreeBSD 4.8-RELEASE-p4 #0: Sun Aug 31 21:00:38 CEST 2003 root@lama.inet-solutions.be:/usr/obj/usr/src/sys/LAMA i386

Make.conf:
CPUTYPE=i686
CFLAGS= -O -pipe
CXXFLAGS+= -fmemoize-lookups -fsave-memoized
COPTFLAGS= -O -pipe
ENABLE_SUIDPERL= true
PERL_VER=5.6.1
PERL_VERSION=5.6.1
PERL_ARCH=mach
NOPERL=yo
NO_PERL=yo
NO_PERL_WRAPPER=yo

This is my terminal output:

jimmy@lama (192.168.0.50) 13:47 ~ $ opiepasswd -c -n 1 -s ad2003
Adding jimmy:
Only use this method from the console; NEVER from remote. If you are using
telnet, xterm, or a dial-in, type ^C now or exit with no password.
Then run opiepasswd without the -c parameter.
Using MD5 to compute responses.
Enter new secret pass phrase: TESTtestTEST
Again new secret pass phrase: TESTtestTEST

ID jimmy OTP key is 1 ad2003
HUT SWAY DANE TOLL DAM JUDO

jimmy@lama (192.168.0.50) 13:47 ~ $ opiekey -n 2 1 ad2003
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase: TESTtestTEST
0: FLEW SLAY STAN BUNK RAT BACH
1: HUT SWAY DANE TOLL DAM JUDO

jimmy@lama (192.168.0.50) 13:48 ~ $ ssh 192.168.0.50
otp-md5 0 ad2003 ext
Password: FLEW SLAY STAN BUNK RAT BACH

jimmy@lama (192.168.0.50) 13:49 ~ $ exit
Connection to 192.168.0.50 closed.

jimmy@lama (192.168.0.50) 13:51 ~ $ opieinfo
-1 (null)

jimmy@lama (192.168.0.50) 13:51 ~ $ opiepasswd
Updating jimmy:
Segmentation fault

jimmy@lama (192.168.0.50) 13:51 ~ $

Jimmy Scott
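As an added example (not from the post above and not part of OPIE itself): a POSIX sh check that validates the `<sequence> <seed>` line that `opieinfo` prints before a user is allowed to run `opiepasswd`, so a record that has decayed to `-1 (null)` is flagged for an administrator instead of being fed to a setuid program. The seed rule (1 to 16 alphanumeric characters) is taken from RFC 2289; the `--self` flag and the sample lines are conventions of this script, not of OPIE.

```shell
#!/bin/sh
# Added example: sanity-check an OPIE record as printed by `opieinfo`
# ("<sequence> <seed>"). Not from the original post or the OPIE sources.
# Assumption: RFC 2289 seed rules (1-16 alphanumeric characters) apply.

# opie_state_ok "<sequence> <seed>" -> returns 0 if sane, 1 otherwise
opie_state_ok() {
    seq=${1%% *}          # text before the first space
    seed=${1#* }          # text after the first space
    # A line with no space (or an empty line) has nothing to validate.
    [ "$seq" != "$1" ] || return 1
    # Sequence must be a non-negative decimal integer ("-1" fails here).
    case $seq in
        ''|*[!0-9]*) return 1 ;;
    esac
    # Seed must be 1-16 alphanumeric characters; "(null)" or "" fails here.
    case $seed in
        ''|*[!A-Za-z0-9]*) return 1 ;;
    esac
    [ "${#seed}" -le 16 ] || return 1
    return 0
}

# Constructed samples: the healthy record from the post and the broken one.
GOOD="1 ad2003"
BAD="-1 (null)"

# Invoked as `sh opiecheck.sh --self` (hypothetical name), it inspects the
# calling user's own OPIE record via opieinfo, if that tool is installed.
if [ "${1:-}" = "--self" ] && command -v opieinfo >/dev/null 2>&1; then
    state=$(opieinfo 2>/dev/null)
    if opie_state_ok "$state"; then
        echo "OPIE record looks sane: $state"
    else
        echo "OPIE record is not sane: '$state'; ask root to reset it before running opiepasswd" >&2
        exit 1
    fi
fi
```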