Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 14 Dec 2012 18:16:04 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Simon ." <bofh666ftw@...glemail.com>
Subject: Re: pacemaker strcmp

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/13/2012 09:37 AM, Simon . wrote:
> Hi,
> 
> I might have overlooked something. Starting from Line 39, if
> pacemaker is compiled with ACL support:
> 
> https://github.com/ClusterLabs/pacemaker/blob/master/include/crm_internal.h#L39
>
>  Once a user root\0bar is created, and CRM_DAEMON_USER is #undef we
> can return TRUE. Haven't looked into further details here and I
> think no sane admin will ever allow such a user. What do you guys
> think?
> 
> 
> 
> /* For ACLs */ char *uid2username(uid_t uid); void
> determine_request_user(char *user, xmlNode * request, const char
> *field);
> 
> # if ENABLE_ACL # include <string.h> static inline gboolean 
> is_privileged(const char *user) { if (user == NULL) { return
> FALSE; } else if (strcmp(user, CRM_DAEMON_USER) == 0) {
> <------------- #undef ? return TRUE; } else if (strcmp(user,
> "root") == 0) { <------------------- err return TRUE; } return
> FALSE; } # endif
> 

Can attackers create their own user names or do admins have to create
the accounts (I know nothing about this software)? Also can you
confirm that "root\0bar actually allows ACL bypass with the
application in production? Thanks.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQy89UAAoJEBYNRVNeJnmT+ZgP/RKlc9LyyfMlIPbeuJqOJSuB
CWWvUuYJWQfhIfniOLyxfDQtU+Bp+LkNyM4Mk5cfxDgLu4bCN4cClWBGTnbvcuDp
VRH0NOfOhNRf7TlZ5UAMzop5EMU1+3mb1XNA15EaxmShikKew98CabiArolSWpge
Y/2eZ5KoxdgHCFRwzWm2NjYGh4KFzgjQY5YkNfYCRuEhMDLAo9zq9gGlREYyHQ2c
SGxEg8jGhnsPF6voAqvZ6wXXMg3s2XmRmEFwC7erTvaPXQ5XNoW3amkEVrDBgeeo
DrMCCiYtiV2exUSxg55+MxlFQyzsp2u8bBxnHCK2bN7r/ZRt/IrLiva8EGn6ANwa
ge1wX3t+MwXZ0iZCjMNtqtK6XpRGfDlAb4nv403fS9waUI+6f/b8YzqooDGdc+SN
on/wX1NJ2HT30Q5d68cSGSK82N1/kl+QolyX9Q5jyAqxCHLyT8psLt9BXsFjH1K9
0eCIFOgoHNEQeh92MgHzQ1ynkPTRQSqIvXvpOyjZ1sdf+gT93jrRxqydV7/nBK7P
Hyt6MdJggBDTai259onIfbjTYavTsio1X1efrvAjxDrfa2HULvXW9QwrWPyUKzg4
JMC0RYzhoUeWg/yhnrUdPjwXuQwp04tzxeNjHWC25Cxs3OHVnBZL4Cbh3/74qt0Q
zvcBlk+wHZFb2njR4hhG
=7JbE
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.