Date: 04 January 2001
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2001.001 -- OpenBSD Security Advisory
xlock(1) Authentication
4 January 2001
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: xlock
Vendor: OpenBSD
Operating System: OpenBSD
Impact: Reduced Security
Access Required: Local
- --------------------------BEGIN INCLUDED TEXT--------------------
- ----------------------------------------------------------------------------
OpenBSD Security Advisory
December 22, 2000
xlock(1) Authentication
- ----------------------------------------------------------------------------
SYNOPSIS
This is a precautionary advisory. xlock(1)'s authentication scheme was changed
to authenticate via a pipe in an early forked process. While there is no known
vulnerability in the current authentication scheme used by xlock(1), it is
believed that the new scheme provides much added security and that the patch
should be applied.
- ----------------------------------------------------------------------------
RESOLUTION
OpenBSD's base system does not include xlock(1). If you installed OpenBSD's
X11 packages you should apply the fix below to your OpenBSD 2.8 X11 source
tree. The patch is also available at http://www.openbsd.org/errata.html (014).
Alternatively, you can download new xlock(1) binaries provided at the same
link: http://www.openbsd.org/errata.html (014).
- ----------------------------------------------------------------------------
REFERENCES
Security and errata,
http://www.openbsd.org/security.html
http://www.openbsd.org/errata.html
- ----------------------------------------------------------------------------
OPENBSD 2.8 PATCH
Apply by doing:
cd /usr/X11
patch -p0<014_xlock.patch
Then rebuild the xlock binary:
cd xc/programs/xlockmore
xmkmf; make Makefiles; make; make install
- --- xc/programs/xlockmore/iconfig.h 2000/10/07 17:36:06 1.12
+++ xc/programs/xlockmore/iconfig.h 2000/12/19 20:21:41 1.13
@@ -313,6 +313,10 @@
XCOMM *** END DEBUG CHECK SECTION ***
+XCOMM *** DEFINE THIS TO USE A SEPARATE PROCESS (SAFER) ***
+XCOMM *** TO VALIDATE PASSWORDS ***
+PIPEDEF = -DUSE_A_DAMN_PIPE
+
#ifndef __QNX__
#ifndef MathLibrary
#define MathLibrary -lm
@@ -522,7 +526,7 @@
XCOMM OPTDEF += -DSTAFF_NETGROUP="/etc/xlock.netgroup"
DEFINES = -DDEF_FILESEARCHPATH="$(LIBDIR)/%T/%N%S"
- -$(SYSTEMDEF) $(EDITRESDEF) $(SLEEPDEF) $(OPTDEF) $(RANDDEF)
+$(PIPEDEF) $(SYSTEMDEF) $(EDITRESDEF) $(SLEEPDEF) $(OPTDEF) $(RANDDEF)
$(MODULEDEF) $(CHECKDEF) $(UNSTABLEDEF) $(PASSWDDEF) $(XMINC) $(XAWINC)
$(CPPDEF) $(XPMDEF) $(GLDEF) $(DTSAVERDEF) $(DPMSDEF)
$(SOUNDDEF) $(PASSWDINC) $(XPMINC) $(GLINC) $(DTSAVERINC) $(DPMSINC)
- --- xc/programs/xlockmore/modes/Imakefile 2000/04/15 09:45:59 1.6
+++ xc/programs/xlockmore/modes/Imakefile 2000/12/19 19:20:23 1.7
@@ -80,7 +80,7 @@
$(DOU)util$(OU)logout$(OU)mode$(OU)ras$(OU)xbm$(O)$(S)
$(DOU)vis$(OU)color$(OU)random$(OU)iostuff$(OU)automata$(O)$(S)
$(DOU)spline$(OU)erase$(OU)sound$(O)$(S)
- -$(DOU)vtlock$(OU)vtlock_proc$(O)
+$(DOU)vtlock$(OU)vtlock_proc$(OU)atomicio$(O)
#ifdef Check
XLOCKCHECKOBJS = $(S)memcheck$(O)
#endif
@@ -162,7 +162,7 @@
XLOCKUTILSRCS = $(DU)xlock$(CU)passwd$(CU)resource$(CU)parsecmd$(C)
$(DU)vis$(CU)color$(CU)random$(CU)iostuff$(CU)automata$(C)
$(DU)spline$(CU)sound$(CU)erase$(C)
- -$(DU)vtlock$(CU)vtlock_proc$(C)
+$(DU)vtlock$(CU)vtlock_proc$(CU)atomicio$(C)
XLOCKCHECKSRCS = $(DU)memcheck$(C)
XLOCKMODESRCS = $(DM)ant$(CM)ball$(CM)bat$(CM)blot$(C)
$(DM)bouboule$(CM)bounce$(CM)braid$(CM)bubble$(CM)bug$(C)
- --- xc/programs/xlockmore/xlock/Imakefile 1999/12/05 16:37:06 1.5
+++ xc/programs/xlockmore/xlock/Imakefile 2000/12/19 19:20:24 1.6
@@ -19,7 +19,7 @@
$(DOU)util$(OU)logout$(OU)mode$(OU)ras$(OU)xbm$(O)$(S)
$(DOU)vis$(OU)color$(OU)random$(OU)iostuff$(OU)automata$(O)$(S)
$(DOU)spline$(OU)sound$(OU)erase$(O)$(S)
- -$(DOU)vtlock$(OU)vtlock_proc$(O)
+$(DOU)vtlock$(OU)vtlock_proc$(OU)atomicio$(O)
#ifdef Check
XLOCKCHECKOBJS = $(S)memcheck$(O)
#endif
@@ -30,7 +30,7 @@
$(DU)util$(CU)logout$(CU)mode$(CU)ras$(CU)xbm$(C)
$(DU)vis$(CU)color$(CU)random$(CU)iostuff$(CU)automata$(C)
$(DU)spline$(CU)sound$(CU)erase$(C)
- -$(DU)vtlock$(CU)vtlock_proc$(C)
+$(DU)vtlock$(CU)vtlock_proc$(CU)atomicio$(C)
XLOCKCHECKSRCS = $(DU)memcheck$(C)
XCOMM default target
- --- xc/programs/xlockmore/xlock/passwd.c 2000/04/15 09:46:00 1.9
+++ xc/programs/xlockmore/xlock/passwd.c 2000/12/19 19:20:24 1.10
@@ -64,7 +64,14 @@
#include <sys/param.h>
#endif
+#ifdef USE_A_DAMN_PIPE
+#include <limits.h>
+int passwd_rpipe = -1;
+int passwd_wpipe = -1;
+pid_t passwd_pid;
+#endif
+
#if defined( __bsdi__ ) && _BSDI_VERSION >= 199608
#define BSD_AUTH
#endif
@@ -1193,6 +1200,9 @@
}
}
#endif
+#ifdef USE_A_DAMN_PIPE
+ done = passwd_do_check(buffer);
+#else
if (!done) {
done = (!strcmp((char *) crypt(buffer, userpass), userpass));
/* userpass is used */
@@ -1220,6 +1230,7 @@
syslog(SYSLOG_NOTICE, "%s: %s unlocked screen", ProgramName, ROOT);
#endif
}
+#endif /* !USE_A_DAMN_PIPE */
#endif /* !BSD_AUTH */
#endif /* !ultrix */
#endif /* !PAM */
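Review bot: With `#endif /* !USE_A_DAMN_PIPE */` placed here, the `syslog(SYSLOG_NOTICE, "%s: %s unlocked screen", ProgramName, ROOT);` call just above it falls inside the `#else` branch, so a pipe build appears to lose the audit record of a root unlock. passwd_do_check() only returns a yes/no result, so the parent cannot tell which account's password matched. Having the checker process reply with distinct values (say 1 for the user, 2 for root) and logging in the parent would keep that record. The code between this hunk and the previous one is not shown, so the exact extent of the skipped region should be confirmed.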
@@ -1925,9 +1936,50 @@
else
gpass();
#else
+#ifdef USE_A_DAMN_PIPE
+ {
+ int pipes1[2];
+ int pipes2[2];
+
+ if (pipe(pipes1) == -1)
+ return;
+ if (pipe(pipes2) == -1) {
+ close(pipes1[0]);
+ close(pipes1[1]);
+ return;
+ }
+ passwd_pid = fork();
+ switch (passwd_pid) {
+ case -1:
+ close(pipes1[0]);
+ close(pipes1[1]);
+ close(pipes2[0]);
+ close(pipes2[1]);
+ return;
+ default:
+ /* parent */
+ close(pipes1[0]);
+ passwd_wpipe = pipes1[1];
+ close(pipes2[1]);
+ passwd_rpipe = pipes2[0];
+ return;
+
+ case 0:
+ /* child */
+ close(pipes1[1]);
+ passwd_rpipe = pipes1[0];
+ close(pipes2[0]);
+ passwd_wpipe = pipes2[1];
+
+ passwd_run_checks();
+ _exit(1);
+ }
+ }
+#else
getCryptedUserPasswd();
#endif
#endif
+#endif
if (allowroot)
getCryptedRootPasswd();
#endif /* !BSD_AUTH */
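Review bot: All three failure paths in the added block (`pipe(pipes1)`, `pipe(pipes2)`, `fork()`) just `return`, leaving `passwd_rpipe`/`passwd_wpipe` at -1 with no message, so the screen would presumably still lock while every later passwd_do_check() fails and the session cannot be unlocked. Reporting the error and exiting before the lock is taken would be safer, e.g. `perror("xlock: pipe"); exit(1);`. The parent's `return` in the `default:` case also skips everything after this block in the enclosing function (whose start and end are outside the hunk), including `if (allowroot) getCryptedRootPasswd();`, and a comment should state that this is intentional. The child inherits every descriptor the parent has open; closing the ones it does not need before `passwd_run_checks()` would keep the checker process minimal.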
@@ -1937,3 +1989,53 @@
initDCE();
#endif
}
+
+#ifdef USE_A_DAMN_PIPE
+
+int
+passwd_do_check(user)
+ char *user;
+{
+ char buf[PIPE_BUF];
+
+ strlcpy(buf, user, sizeof buf);
+ if (atomicio(write, passwd_wpipe, buf, sizeof buf) != sizeof buf)
+ return 0; /* what to do? */
+ buf[0] = ' ';
+ read(passwd_rpipe, buf, 1);
+ if (buf[0])
+ return 1;
+ else
+ return 0;
+}
+
+passwd_run_checks()
+{
+ char buf[PIPE_BUF];
+ struct passwd *pw = NULL;
+ int off, len;
+ u_char ack;
+
+ while (1) {
+ memset(buf, 0, sizeof buf);
+ ack = 0;
+
+ if (atomicio(read, passwd_rpipe, buf, sizeof buf) != sizeof buf)
+ _exit(1);
+
+ buf[sizeof(buf)-1] = ' ';
+
+ pw = getpwnam(user);
+ if (pw && strcmp(crypt(buf, pw->pw_passwd), pw->pw_passwd) == 0)
+ ack = 1;
+ if (ack == 0) {
+ pw = getpwnam("root");
+ if (pw && strcmp(crypt(buf, pw->pw_passwd),
+ pw->pw_passwd) == 0)
+ ack = 1;
+ }
+ endpwent();
+ (void) write(passwd_wpipe, &ack, 1);
+ }
+}
+#endif
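Review bot: passwd_do_check() ignores the result of `read(passwd_rpipe, buf, 1)`, and as the line is printed here `buf[0]` is preset to a space, so a failed or empty read (for example after the checker process has exited) leaves a non-zero byte and the function reports success. The reply should fail closed: `if (atomicio(read, passwd_rpipe, buf, 1) != 1) return 0;` followed by `return buf[0] == 1;`. Separately, passwd_run_checks() tries root's password after every failed user check, whereas the surrounding code only loads root's hash under `if (allowroot)`, so the pipe build appears to accept root's password even when that option is off; the child should honour `allowroot`. Neither function clears its `buf` copy of the typed password after use, and passwd_run_checks() is defined without a return type or a prior declaration.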
- --- xc/programs/xlockmore/xlock/resource.c 2000/05/16 03:33:11 1.2
+++ xc/programs/xlockmore/xlock/resource.c 2000/12/19 19:20:24 1.3
@@ -155,8 +155,8 @@
#ifdef USE_MB
#define DEF_FONTSET DEF_FONT ## ",-*-24-*"
#endif
- -#define DEF_BG "White"
- -#define DEF_FG "Black"
+#define DEF_BG "Black"
+#define DEF_FG "White"
#ifdef FR
#define DEF_NAME "Nom: "
#define DEF_PASS "Mot de passe: "
- --- /dev/null Fri Dec 22 01:30:03 2000
+++ xc/programs/xlockmore/xlock/atomicio.c Tue Dec 19 13:20:24 2000
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 1999 Theo de Raadt
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/types.h>
+#include <errno.h>
+
+/*
+ * ensure all of data on socket comes through. f==read || f==write
+ */
+ssize_t
+atomicio(f, fd, _s, n)
+ ssize_t (*f) ();
+ int fd;
+ void *_s;
+ size_t n;
+{
+ char *s = _s;
+ ssize_t res, pos = 0;
+
+ while (n > pos) {
+ res = (f) (fd, s + pos, n - pos);
+ switch (res) {
+ case -1:
+ if (errno == EINTR || errno == EAGAIN)
+ continue;
+ case 0:
+ return (res);
+ default:
+ pos += res;
+ }
+ }
+ return (pos);
+}
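Review bot: passwd.c calls atomicio() but no declaration of it is visible anywhere in this patch, so the callers see an implicit `int` function while the definition returns `ssize_t`; on platforms where those types differ in size the comparison `!= sizeof buf` is unreliable. A prototype such as `ssize_t atomicio(ssize_t (*)(), int, void *, size_t);` in passwd.c or a shared header would fix that. In the switch, `case -1:` falls into `case 0:` on purpose for non-retryable errors and deserves a `/* FALLTHROUGH */` comment, and `while (n > pos)` compares a `size_t` with an `ssize_t`. Retrying on `EAGAIN` will spin if the descriptor is ever non-blocking.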
- --------------------------END INCLUDED TEXT--------------------
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBOm/yvih9+71yA2DNAQFbcwP/aPB1ZeKvEyKuR0IxkPx7JTteJq6TIeiE
Hl6iVC3eX2itVx4tqvzEUBkCXDooEYqmF8GTZ7fSzmxwmqRUPwGmDaGlJmCvrx0e
BIydv4gO2Yx1NkoDnvtAO+WtXBq0mPnvc+OTDS4lNjaZOsHr1CWgJoph87LWOwJv
bxKwLCEzyAs=
=pb7f
-----END PGP SIGNATURE-----