In co-operation with Maksymilian Arciemowicz we were analysing the implementation of the OPIE Authentication System on FreeBSD. The result is a discovered off-by-one vulnerability in the library ‘libopie’. The most interesting point of this vulnerability is the possibility of exploiting it pre-auth remotely!

A lot of software uses this library for its authentication module. For example, the FreeBSD team changed the source of OpenSSH a little: they added in some places code which uses libopie 😉 The same changed code is used by DragonFlyBSD. openSUSE is using libopie too. Novell systems too.

We’ve analysed the way of exploiting it in the default FTP daemon for FreeBSD 8.0. The official FreeBSD advisory is available here.

Our advisory is available here and here and… check the bugtraq list 😉

Best regards,

Adam Zabrocki

Comments

  1. OPIE "__opiereadrec()" Off-by-One Vulnerability « Bug-Blog on 05.27.2010

    […] Adam Zabrocki: http://blog.pi3.com.pl/?p=111 […]

  2. z33d on 05.29.2010

    Of course you didn't make a working exploit for any platform?

  3. admin on 05.30.2010

    It is not possible to get code exec out of this. Nevertheless, I liked this bug very much and that is why there is a publication…
