Title: CrackLib
Date: 17th December 1997
******************************************************************************

Topic:  CrackLib

Source: Alec Muffett

--------------------------------

Problem: Vulnerability in CrackLib v2.5

I. Description

     CrackLib is a freely-available software library that provides
     systems and application programmers with some control to dissuade
     users from utilising easily-guessable passwords as authentication
     tokens.

     A weakness in a published version of CrackLib (v2.5, dated 1993)
     may be open to exploitation on Unix systems utilising CrackLib in
     setuid-root software, leading to compromise of system privileges.

II. Impact

     A bug in CrackLib v2.5 *may* be exploitable to obtain root
     privileges when logged on to machines where CrackLib is installed as
     part of a SUID program, such as "/bin/passwd".

     This problem will also impact systems where CrackLib is part of
     the PAM (pluggable authentication module) installation; where you
     are using a commercial operating system that utilises CrackLib
     (typically this applies to some Linux and FreeBSD distributions)
     you are advised to contact your vendor for a patch.

III. Solution

      An upgraded/fixed version of CrackLib - v2.6 - is available from
      the following website, together with patches for the v2.5 software:

                http://www.users.dircon.co.uk/~crypto/


          MD5-signatures                    filenames
          --------------                    ---------
          7181205d70afcf75bb2240678b6be855  cracklib26_small.tgz
          247ad535f3e84bf586f7c31197ad1774  cracklib26_small.tgz.asc
          3933d0b56695f38535a5be3b57ccb60f  cracklib26_small.diff
          ec0e3714bc95ab2f2352a4438de17e7c  cracklib26_small.diff.asc


     ...and contact information is also available from that website.
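A defender-side check for the Solution section: verifying fetched files against the advisory's MD5 table before building v2.6 or applying the diff. This is an added example, not code from the advisory or from CrackLib; it embeds the table exactly as printed above, and its demo writes constructed sample files (not the real archives) into a temporary directory.

```python
import hashlib
import os
import tempfile
# The checksum table exactly as printed in the advisory (MD5 hex, filename).
ADVISORY_TABLE = """MD5-signatures                    filenames
--------------                    ---------
7181205d70afcf75bb2240678b6be855  cracklib26_small.tgz
247ad535f3e84bf586f7c31197ad1774  cracklib26_small.tgz.asc
3933d0b56695f38535a5be3b57ccb60f  cracklib26_small.diff
ec0e3714bc95ab2f2352a4438de17e7c  cracklib26_small.diff.asc
"""
def parse_md5_table(text):
    """Return {filename: md5hex}; header, rule and blank lines are skipped."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 32 and set(parts[0].lower()) <= set("0123456789abcdef"):
            table[parts[1]] = parts[0].lower()
    return table

def md5_of_file(path, chunk=65536):
    """Stream the file so a large tarball is not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_downloads(expected, directory):
    """Map each expected filename to 'ok', 'MISMATCH' or 'missing'."""
    results = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        else:
            results[name] = "ok" if md5_of_file(path) == digest else "MISMATCH"
    return results

def demo():
    """Constructed demo with made-up file contents, not the real CrackLib files."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("good.tgz", b"constructed sample archive"),
                           ("bad.tgz", b"tampered content")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        expected = {"good.tgz": hashlib.md5(b"constructed sample archive").hexdigest(),
                    "bad.tgz": hashlib.md5(b"original content").hexdigest(),
                    "absent.tgz": "0" * 32}   # placeholder: file never downloaded
        return verify_downloads(expected, d)
```

Run `verify_downloads(parse_md5_table(ADVISORY_TABLE), download_dir)` over the directory holding the fetched files. MD5 is no longer collision-resistant, so treat the table as a transfer-integrity check and also verify the accompanying .asc PGP signatures against the author's key.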



******************************************************************************

(C) 1999-2000 All rights reserved.