Date: Mon, 2 Jan 2012 04:13:23 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Christos Zoulas <christos@...las.com>
Subject: Re: *BSD's DES-based crypt(3) treats all invalid salt chars as '.'

Christos Zoulas fixed the out of bounds read below in NetBSD (for NetBSD 6).

On Tue, Nov 15, 2011 at 08:16:14AM +0400, Solar Designer wrote:
> Speaking of NetBSD, it also appears to have out of bounds array reads on
> salt characters with the 8th bit set:
> 
> static unsigned char a64toi[128];	/* ascii-64 => 0..63 */
> [...]
> 		/* get iteration count */
> 		num_iter = 0;
> 		for (i = 4; --i >= 0; ) {
> 			if ((t = (unsigned char)setting[i]) == '\0')
> 				t = '.';
> 			encp[i] = t;
> 			num_iter = (num_iter<<6) | a64toi[t];
> 		}
> [...]
> 	salt = 0;
> 	for (i = salt_size; --i >= 0; ) {
> 		if ((t = (unsigned char)setting[i]) == '\0')
> 			t = '.';
> 		encp[i] = t;
> 		salt = (salt<<6) | a64toi[t];
> 	}
> 
> This has no security impact that I can see, though.  Perhaps with PHP
> safe_mode and the like it could be used to read data beyond array
> bounds, but unless the order of variables in .bss is heavily changed by
> the compiler or linker there's nothing interesting to read in the 128
> bytes following a64toi[], and it would not result in a crash either.
> 
> Alexander
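
An added example, not part of the original message and not NetBSD's code or its actual fix: a bounds-checked lookup into a 128-entry table like the quoted `a64toi[]`, which refuses characters with the 8th bit set instead of indexing past the array. The helper names `init_a64toi`, `a64_lookup` and `decode_salt` are hypothetical, and rejecting invalid characters outright (rather than mapping them to some value) is an assumption of this sketch.

```c
#include <stdio.h>

static const char itoa64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
static unsigned char a64toi[128];   /* ascii-64 => 0..63, as in the quote */

static void init_a64toi(void)
{
    for (int i = 0; i < 64; i++)
        a64toi[(unsigned char)itoa64[i]] = (unsigned char)i;
}

/* Hypothetical helper: value 0..63, or -1 if t is outside the table
 * (8th bit set) or is not one of the 64 alphabet characters. */
static int a64_lookup(unsigned char t)
{
    if (t >= sizeof(a64toi))
        return -1;                  /* the unchecked code reads past the array here */
    if (a64toi[t] == 0 && t != '.')
        return -1;                  /* in range, but not in the alphabet */
    return a64toi[t];
}

/* Hypothetical helper: same right-to-left packing as the quoted salt loop,
 * but fails on invalid characters. Returns 0 on success, -1 otherwise. */
static int decode_salt(const char *setting, int salt_size, unsigned long *out)
{
    unsigned long salt = 0;
    int len = 0;
    while (len < salt_size && setting[len] != '\0')
        len++;                      /* never read past the terminator */
    for (int i = salt_size; --i >= 0; ) {
        unsigned char t = i < len ? (unsigned char)setting[i] : '.';
        int v = a64_lookup(t);
        if (v < 0)
            return -1;
        salt = (salt << 6) | (unsigned long)v;
    }
    *out = salt;
    return 0;
}

int main(void)
{
    const char bad[] = { (char)0xE9, 'z', '\0' };   /* constructed input */
    unsigned long s = 0;
    init_a64toi();
    printf("ab -> %d, 0xE9 z -> %d\n", decode_salt("ab", 2, &s), decode_salt(bad, 2, &s));
}
```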
