
Title: CrackLib
Released by:
Date: 17th December 1997

Topic:  CrackLib

Source: Alec Muffett 

- - --------------------------------

Problem: Vulnerability in CrackLib v2.5

I. Description

     CrackLib is a freely-available software library that provides
     systems and application programmers with some control to dissuade
     users from utilising easily-guessable passwords as authentication

     A weakness in a published version of CrackLib (v2.5, dated 1993)
     may be open to exploitation on Unix systems utilising CrackLib in
     setuid-root software, leading to compromise of system privileges.

II. Impact

     A bug in CrackLib v2.5 *may* be exploitable to obtain root
     privileges when logged on machines where CrackLib is installed as
     part of a SUID program, such as "/bin/passwd".

     This problem will also impact systems where CrackLib is part of
     the PAM (pluggable authentication module) installation; where you
     are using a commercial operating system that utilises CrackLib
     (typically this applies to some Linux and FreeBSD distributions)
     you are advised to contact your vendor for a patch.
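
As an added audit example (not part of the advisory or of CrackLib), the following shell functions list setuid files that reference the CrackLib shared library and active PAM configuration lines that load it. The names libcrack and pam_cracklib and the /etc/pam.d path are assumptions based on common Linux packaging, not values from the advisory; a binary with CrackLib statically linked is not detected.

```shell
#!/bin/sh
# Added audit sketch: where is CrackLib reachable from privileged code?
# Usage (as root, once per local filesystem):
#   suid_cracklib_audit / root
#   pam_cracklib_refs /etc/pam.d

# Print setuid files under DIR whose contents reference the CrackLib
# shared library ("libcrack" is an assumed library name). If OWNER is
# given, only files owned by that user are considered; "root" is the
# case the advisory describes. A plain string search is used instead of
# ldd, which should not be run on binaries you do not trust.
suid_cracklib_audit() {
    dir=${1:-/}
    owner=${2:-}
    set -- "$dir" -xdev -type f -perm -4000
    [ -n "$owner" ] && set -- "$@" -user "$owner"
    LC_ALL=C find "$@" -exec grep -l 'libcrack' {} + 2>/dev/null | sort
}

# Print "file:line: text" for every active (non-comment) PAM
# configuration line that loads pam_cracklib (assumed module name).
pam_cracklib_refs() {
    pamdir=${1:-/etc/pam.d}
    find "$pamdir" -type f -exec awk '
        /pam_cracklib/ && $0 !~ /^[ \t]*#/ {
            print FILENAME ":" FNR ": " $0
        }' {} + 2>/dev/null | sort
}
```

Any path printed by either function is a place where the installed CrackLib version matters and should be checked against the fixed release.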

III. Solution

     An upgraded/fixed version of CrackLib - v2.6 - is available from
     the following website, together with patches for the v2.5 software:

          MD5-signatures                    filenames
          --------------                    ---------
          7181205d70afcf75bb2240678b6be855  cracklib26_small.tgz
          247ad535f3e84bf586f7c31197ad1774  cracklib26_small.tgz.asc
          3933d0b56695f38535a5be3b57ccb60f  cracklib26_small.diff
          ec0e3714bc95ab2f2352a4438de17e7c  cracklib26_small.diff.asc

     ...and contact information is also available from that website.
