From nobody@FreeBSD.org  Fri Oct  4 14:21:58 2002
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D570337B401
	for <freebsd-gnats-submit@FreeBSD.org>; Fri,  4 Oct 2002 14:21:58 -0700 (PDT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 2E08D43E75
	for <freebsd-gnats-submit@FreeBSD.org>; Fri,  4 Oct 2002 14:21:58 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.6/8.12.6) with ESMTP id g94LLv7R069893
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 4 Oct 2002 14:21:57 -0700 (PDT)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.6/8.12.6/Submit) id g94LLvQI069892;
	Fri, 4 Oct 2002 14:21:57 -0700 (PDT)
Message-Id: <200210042121.g94LLvQI069892@www.freebsd.org>
Date: Fri, 4 Oct 2002 14:21:57 -0700 (PDT)
From: Jeffrey Eugene Crawford <crawford.jeffrey.eugene@bigfoot.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Able to bypass expired password
X-Send-Pr-Version: www-1.0

>Number:         43674
>Category:       bin
>Synopsis:       [patch] login(1): able to bypass expired password
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Oct 04 14:30:02 PDT 2002
>Closed-Date:    Tue Jun 12 04:48:18 GMT 2007
>Last-Modified:  Tue Jun 12 04:48:18 GMT 2007
>Originator:     Jeffrey Eugene Crawford
>Release:        CVSup RELENG_4_6
>Organization:
INSIGMA IT Engineering
>Environment:
FreeBSD lissi.crawford.int 4.6.2-RELEASE-p2 FreeBSD 4.6.2-RELEASE-p2 #0: Mon Sep 30 19:44:54 CEST 2002     toor@lissi.crawford.int:/usr/obj/usr/src/sys/LISSI  i386

>Description:
Playing around with passwords, I found that I can set the password to expire in chpass; then, when I try to log into that account, I'm asked to change the password. One of the requirements is that I provide a password that is at least 6 characters long. If, however, I simply exit with ^C, I'm able to access the account without changing the password.
>How-To-Repeat:
Set the password for an account to expire (I used chpass). Log in to the account with the current credentials; you are prompted to change the password. Try to change the password to one that is less than 6 chars. long; you receive an error message. Simply press ^C and you are in the account with an expired password.
>Fix:
      
>Release-Note:
>Audit-Trail:

From: "Dorr H. Clark" <dclark@applmath.scu.edu>
To: freebsd-gnats-submit@FreeBSD.org,
	crawford.jeffrey.eugene@bigfoot.com
Cc:  
Subject: fix proposed Re: misc/43674: Able to bypass expired password
Date: Thu, 01 May 2003 17:57:12 -0700

 The problem in 43674 occurs because the implementation 
 presumes the cooperation of the user, which is normally 
 a sub-optimal strategy for system security.  
 If the user chooses not to cooperate, login is not aware.  
 
 Our proposed fix checks whether the user has actually made 
 the requested password change before proceeding.  
 If they attempt the ^C exploit listed in 43674, 
 they are prompted again.
 
 NOTE:  This patch is compatible with 4.7-STABLE !
 
 --- /usr/src/usr.bin/login/login.c      Wed Mar 13 10:45:33 2002
 +++ login.c     Mon Apr 28 20:45:24 2003
 @@ -704,12 +704,15 @@
         (void)signal(SIGQUIT, SIG_DFL);
         (void)signal(SIGINT, SIG_DFL);
         (void)signal(SIGTSTP, SIG_IGN);
 -
 -       if (changepass) {
 +       while (changepass) {
                 if (system(_PATH_CHPASS) != 0)
                         sleepexit(1);
 +               pwd = getpwnam(username);
 +               if(!pwd->pw_change)
 +                       changepass = 0;
 +               else
 +                       printf("\nSorry!Your password is expired.You
 have to
 enter a new password.\n\n");
         }
 -
         /*
          * Login shells have a leading '-' in front of argv[0]
          */
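
Review bot: The result of getpwnam(username) is dereferenced unchecked in the added "if(!pwd->pw_change)" test; if the lookup fails after chpass has run, login dereferences NULL at this point, so exit (for example via sleepexit(1), as the hunk already does when system() fails) when pwd is NULL. The loop's exit condition also treats any non-zero pw_change as still expired, so an account whose change time is reset to a future date rather than to 0 would never leave the loop; comparing pw_change against the current time would cover both cases. As posted, the printf string literal is wrapped across three lines, so the patch will not apply or compile until it is rejoined, and the message lacks spaces after "Sorry!" and "expired.".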
 
 Kuang-Wu "Kerwin" Hsu, engineer
 Dorr H. Clark, advisor
 COEN 284 - Operating Systems Case Study 
 Santa Clara University, 
 Santa Clara CA.

State-Changed-From-To: open->feedback 
State-Changed-By: wes 
State-Changed-When: Wed Sep 27 03:07:09 UTC 2006 
State-Changed-Why:  
Does not apply to FreeBSD [5-7].* 

http://www.freebsd.org/cgi/query-pr.cgi?pr=43674 
State-Changed-From-To: feedback->closed 
State-Changed-By: linimon 
State-Changed-When: Tue Jun 12 04:46:29 UTC 2007 
State-Changed-Why:  
This applies only to FreeBSD_4, which is now out of support.   Therefore, 
I'll go ahead and close this one. 

>Unformatted:
