[pptp-server] SMBpasswd security breach patch
Ian Harris
iharris at quadtel.com
Wed Mar 7 17:07:36 CST 2001
Problem: Blank password allows people to access pptp connection
See auth.c, line 1859 and following.
Note that by default 'word' is memcpy'd a blank string (actually \0 plus
whatever else is hanging around after the \0 due to the '2', but that's
beside the point). And so, if the username is not discovered in the
smbpasswd file, the password is compared with the blank 'word', which of
course results in access being granted.
Quick fix is to whack something else in word that isn't likely to match, see
below.
Someone with more time could write this a little better, but this fixes the
hole.
regards
Ian.
#ifdef JES
    else if (word[0] == '&') {
        struct smb_passwd *smb;
        char smbname[MAXWORDLEN];

        strlcpy(atfile, word+1, sizeof(atfile));
        setsmbfilepath(atfile);
        /* Old code left 'word' blank, so an unknown user was checked
           against the empty string: */
        // memcpy(word, "", 2);
        /* Pre-fill 'word' with a value no client is likely to send. */
        strcpy(word, "crapcrap");
        setsmbpwent();
        while ((smb = getsmbpwent()) != NULL) {
            sethexpwd(smbname, smb->smb_nt_passwd);
            smbname[NTPASS] = '\000';
            /*notice ("name: %s, client: %s", smb->smb_name, client);*/
            if ((client != NULL && strcmp(client, smb->smb_name) == 0) ||
                (server != NULL && strcmp(server, smb->smb_name) == 0)
               ) {
                /* Matching entry: its NT hash becomes the expected 'word'. */
                memcpy(word, smbname, NTPASS);
                word[NTPASS] = '\000';
            }
        }
        endsmbpwent();
    }
#endif
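The following is an added example, not code from Ian's post or from PoPToP's auth.c. It models the fail-open lookup the post describes (an unknown user leaves the expected password 'word' blank, so a blank supplied password matches) next to a fail-closed version that reports "user not found" explicitly and denies instead of depending on a sentinel string. The names smb_entry, lookup_fail_open, lookup_fail_closed, authenticate_fail_open, authenticate_fail_closed and ct_equal are assumptions, the smbpasswd entries and hash values are constructed, and comparing hex NT hashes as strings stands in for the real CHAP response check.

```c
/* Added example, not code from the pptp-server post or from PoPToP.
 * Names and data below are constructed for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NTPASS     32    /* NT hash rendered as hex: 32 characters */
#define MAXWORDLEN 256

struct smb_entry {
    const char *name;
    const char *nt_hash_hex;   /* constructed sample value, not a real hash */
};

/* Constructed stand-in for the smbpasswd file. */
static const struct smb_entry sample_smbpasswd[] = {
    { "alice", "0123456789abcdef0123456789abcdef" },
    { "bob",   "fedcba9876543210fedcba9876543210" },
};
#define N_ENTRIES (sizeof sample_smbpasswd / sizeof sample_smbpasswd[0])

/* Original pattern: 'word' is blanked first and overwritten only when the
 * user matches. Nothing tells the caller whether a match happened. */
static void lookup_fail_open(const char *client, char *word, size_t wordlen)
{
    word[0] = '\0';                       /* blank expected password */
    for (size_t i = 0; i < N_ENTRIES; i++) {
        if (strcmp(client, sample_smbpasswd[i].name) == 0) {
            strncpy(word, sample_smbpasswd[i].nt_hash_hex, wordlen - 1);
            word[wordlen - 1] = '\0';
        }
    }
}

/* Returns 1 when the supplied value equals 'word', as the old code decided. */
int authenticate_fail_open(const char *client, const char *supplied_hex)
{
    char word[MAXWORDLEN];
    lookup_fail_open(client, word, sizeof word);
    return strcmp(word, supplied_hex) == 0;   /* "" == "" for unknown users */
}

/* Hardened lookup: returns 1 only when an entry was found, 0 otherwise. */
static int lookup_fail_closed(const char *client, char *word, size_t wordlen)
{
    for (size_t i = 0; i < N_ENTRIES; i++) {
        if (strcmp(client, sample_smbpasswd[i].name) == 0) {
            strncpy(word, sample_smbpasswd[i].nt_hash_hex, wordlen - 1);
            word[wordlen - 1] = '\0';
            return 1;
        }
    }
    word[0] = '\0';
    return 0;
}

/* Fixed-time comparison of two buffers of equal length n. */
static int ct_equal(const char *a, const char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Deny unknown users outright instead of relying on a sentinel value. */
int authenticate_fail_closed(const char *client, const char *supplied_hex)
{
    char word[MAXWORDLEN];
    if (!lookup_fail_closed(client, word, sizeof word))
        return 0;                         /* unknown user: fail closed */
    if (strlen(supplied_hex) != NTPASS || strlen(word) != NTPASS)
        return 0;                         /* malformed input never matches */
    return ct_equal(word, supplied_hex, NTPASS);
}

int main(void)
{
    printf("fail-open, unknown user, blank password: %d\n",
           authenticate_fail_open("mallory", ""));      /* 1: granted */
    printf("fail-closed, unknown user, blank password: %d\n",
           authenticate_fail_closed("mallory", ""));    /* 0: denied */
    printf("fail-closed, alice, correct hash: %d\n",
           authenticate_fail_closed("alice",
                                    "0123456789abcdef0123456789abcdef")); /* 1 */
    return 0;
}
```

The point of the second version is that the lookup's result carries a found/not-found status, so the caller never reaches a comparison for a user that does not exist; a pre-filled sentinel such as "crapcrap" closes the blank-password case but still lets the decision rest on a string compare against a value that could, in principle, be guessed.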