This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug crypt/25441] New: DOS attack risk caused by incomplete system password check function
- From: "weinull at outlook dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Wed, 22 Jan 2020 12:55:00 +0000
- Subject: [Bug crypt/25441] New: DOS attack risk caused by incomplete system password check function
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=25441
Bug ID: 25441
Summary: DoS attack risk caused by incomplete system password check function
Product: glibc
Version: unspecified
Status: UNCONFIRMED
Severity: critical
Priority: P2
Component: crypt
Assignee: unassigned at sourceware dot org
Reporter: weinull at outlook dot com
Target Milestone: ---
Created attachment 12225
--> https://sourceware.org/bugzilla/attachment.cgi?id=12225&action=edit
demo
Hi Security Team:
I found a security problem in the underlying crypt function of the system. The
crypt function can be used for password checking, but the crypt function does
not limit the length of the password. When checking a very long password, this
function stays in calculation and cannot return normally, and the CPU usage
reaches 100%. Failure to return normally causes the program using this function
to behave abnormally, achieving the effect of a DoS attack.
The official documentation states that the crypt function is used for password
checking. Developers believe that this function is very secure, so they use it
for password checking (usually for system password checking, and some
applications also use this function to check their own passwords). When
developers do not limit the length of the password, a DoS attack is triggered.
Usually the password check is in the login function, and the login function can
usually be operated remotely, so remote DoS attacks can be implemented without
authentication.
I have found this problem with multiple products, for example:
1. Linux PAM (verification only)
2. VMware related products (DoS attacks have been implemented, reported to vendors)
3. FreeNAS related products (DoS attacks have been implemented, reported to vendors)
4. The crypt module in the Python standard library (verification only, reported to vendors)
5. Management port of a brand server (DoS attacks have been implemented, reported to vendors)
Many products use this function for password checking and fully trust the
security of this function (the related products listed can be used as proof).
If no other protection measures are taken, it is easy to implement DoS attacks
(including possibly on switches, routers, etc., such as key network equipment).
The password length should be limited; normal passwords will not be very long.
It is a system-level function, so it should be controlled at the system level,
and it cannot be limited only by the product developer.
Because it is a problem with the underlying functions of the system, all Linux
distributions will be affected.
/glibc/crypt/crypt-entry.c
I wrote some demos and put them in the attachment; you can test with them.
If you have any questions, please send me an email. I look forward to your
reply, thank you.
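As an added example (not part of this bug report or of glibc), here is the kind of login-side guard the reporter asks for: the candidate's byte length is capped before anything is handed to crypt(3), so an oversized input costs only a length check. The cap value, the logger name and the `demo_hasher` stand-in (used so the code runs without libcrypt) are assumptions.

```python
import hashlib
import hmac
import logging
from typing import Callable, Optional

# Assumed policy cap, in bytes. crypt() sees bytes, so the UTF-8 encoding is
# measured, not the character count. Real passwords are far shorter than this.
MAX_PASSWORD_BYTES = 256

log = logging.getLogger("login")


def demo_hasher(password: str, setting: str) -> str:
    """Constructed stand-in for crypt.crypt with the same calling convention:
    the stored hash doubles as the setting, and the salt is its second '$'
    field. Not a real crypt scheme; it only lets the example run offline."""
    salt = setting.split("$")[2]
    digest = hashlib.sha512(salt.encode() + password.encode()).hexdigest()
    return f"$demo${salt}${digest}"


def verify_password(candidate: str, stored_hash: str,
                    hasher: Optional[Callable[[str, str], str]] = None) -> bool:
    """Return True only if candidate matches stored_hash.

    The length check runs before any hashing, which is the bound the report
    says crypt() itself does not enforce. By default the stdlib crypt module
    (glibc crypt()) is used; pass another hasher for testing or other schemes.
    """
    if hasher is None:
        import crypt  # wraps glibc crypt(); deprecated in recent Pythons
        hasher = crypt.crypt
    n = len(candidate.encode("utf-8"))
    if n > MAX_PASSWORD_BYTES:
        # Rejected before hashing: nothing expensive has run. Logging the size
        # gives operators a signal for oversized-password attempts.
        log.warning("rejected password of %d bytes (cap %d)", n, MAX_PASSWORD_BYTES)
        return False
    # Passing the stored hash as the setting makes crypt() reuse its
    # algorithm id, rounds and salt, so the outputs are comparable.
    computed = hasher(candidate, stored_hash)
    if not computed:
        return False
    # Constant-time comparison so the mismatch position does not leak timing.
    return hmac.compare_digest(computed.encode(), stored_hash.encode())
```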