On 16.12.2013 22:43, Simon Josefsson wrote:
Thanks for the report and looking into this issue.  Alas the timing
here was bad, and I am just returning from vacation and must finish
several things before season holidays -- if someone has worked out a
patch and can do testing that it works and solves the problem I can
review and apply and release it.   Ilkka, how much have you tested your
patch?

That one was more like a rough sketch... (in other words, I didn't test it)

The attached one seems to work for me:

--- usersfile before:
#HOTP   nobody  -       00      1       812658  2013-12-21T19:40:21L
# HOTP  nobody  -       11
HOTP    someone -       22
HOTP    nobody  -       1234
HOTP    nobody  -       33
---

- authenticate with OTP=158134 (key 1234, counter 4) -> accepted.
- retry with the same OTP -> denied, as expected.

--- usersfile after:
#HOTP   nobody  -       00      1       812658  2013-12-21T19:40:21L
# HOTP  nobody  -       11
HOTP    someone -       22
HOTP    nobody  -       1234    4       158134  2013-12-21T19:40:57L
HOTP    nobody  -       33
---

I couldn't get back to this sooner, sorry.


--- oath-toolkit-2.4.0/liboath/usersfile.c.orig 2013-12-21 18:24:55.000000000 
+0200
+++ oath-toolkit-2.4.0/liboath/usersfile.c      2013-12-21 19:51:03.000000000 
+0200
@@ -251,24 +251,23 @@
       char *origline;
       const char *user, *type, *passwd, *secret;
       int r;
+      unsigned digits, totpstepsize;
 
       origline = strdup (*lineptr);
 
       type = strtok_r (*lineptr, whitespace, &saveptr);
       if (type == NULL)
-       continue;
+        goto skip_line;
+
+      /* Read token type */
+      if (parse_type (type, &digits, &totpstepsize) != 0)
+        goto skip_line;
 
       /* Read username */
       user = strtok_r (NULL, whitespace, &saveptr);
       if (user == NULL || strcmp (user, username) != 0
          || got_users++ != skipped_users)
-       {
-         r = fprintf (outfh, "%s", origline);
-         free (origline);
-         if (r <= 0)
-           return OATH_PRINTF_ERROR;
-         continue;
-       }
+        goto skip_line;
 
       passwd = strtok_r (NULL, whitespace, &saveptr);
       if (passwd == NULL)
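Review bot: The new `parse_type` call is used only as a filter, and nothing in the hunk says so: `digits` and `totpstepsize` are written but never read in the visible lines. The filter is what keeps commented-out entries such as `#HOTP nobody` from being counted in `got_users`, so the counter and last-OTP update lands on the entry that authenticated; if this pass and the lookup pass disagree on which lines count, the used OTP is presumably recorded on the wrong line and the replay check has nothing to compare against. I would add a comment above the call, e.g. `/* Skip lines whose type does not parse (comments, unknown types) so got_users counts the same entries as the lookup pass; digits/totpstepsize are unused here. */`, and a regression test with commented entries ahead of the live one, like the usersfile shown in the mail. The enclosing loop and function start outside the hunk, so whether the lookup side applies the same filter cannot be confirmed from here.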
@@ -284,6 +283,14 @@
       free (origline);
       if (r <= 0)
        return OATH_PRINTF_ERROR;
+      continue;
+       
+    skip_line: 
+      r = fprintf (outfh, "%s", origline);
+      free (origline);
+      if (r <= 0)
+        return OATH_PRINTF_ERROR;
+      continue;
     }
 
   return OATH_OK;
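Review bot: The `skip_line` path passes `origline` to `fprintf (outfh, "%s", origline)` without a NULL check, and `origline` comes from the unchecked `strdup (*lineptr)` in the first hunk. On allocation failure that hands NULL to `%s`, which is undefined behaviour, in the middle of rewriting the credential file. A guard directly after the `strdup` would cover both write paths: `if (origline == NULL) return OATH_MALLOC_ERROR;` (assuming liboath's allocation error code is the right return here). Separately, the success path and `skip_line` now end in the same `free` / `if (r <= 0)` / `continue` sequence, and the final `continue;` is redundant because it is the last statement of the loop body. The function begins outside this hunk, so how the caller treats a partially written output file on these error returns is not visible.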
