Bug 1194213 - xrdp: denial of service when validating user accounts against plain passwd files/via shadow-utils
Summary: xrdp: denial of service when validating user accounts against plain passwd fi...
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1194214 1194215
TreeView+ depends on / blocked
Reported: 2015-02-19 10:54 UTC by Vasyl Kaigorodov
Modified: 2019-09-29 13:28 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-07-15 18:42:18 UTC

Attachments (Terms of Use)

Description Vasyl Kaigorodov 2015-02-19 10:54:16 UTC
It was discovered by Ken Milnore that xrdp 0.6.1 and earlier, when
validating user accounts against plain passwd files or via
shadow-utils, does not check for NULL returns from crypt(). [1]

--- sesman/verify_user.c ---
  encr = crypt(pass,salt);
  if (g_strncmp(encr, hash, 34) != 0)
    return 0;
  return 1;

A NULL return crashes the xrdp-sesman daemon resulting in an xrdp
server denial of service (for all modules that use xrdp's session
manager for user authentication via old-style passwd files or via
shadow passwords).

This has been fixed by upstream in its development branch. [2]

[1] http://sourceforge.net/p/xrdp/mailman/message/32985523/
[2] https://github.com/neutrinolabs/xrdp/commit/851c762ee722

Comment 1 Vasyl Kaigorodov 2015-02-19 10:54:39 UTC
Created xrdp tracking bugs for this issue:

Affects: fedora-all [bug 1194214]
Affects: epel-all [bug 1194215]

Comment 2 Itamar Reis Peixoto 2015-07-15 18:42:18 UTC
fixed in rawhide

Comment 3 Fedora Update System 2015-07-30 00:45:52 UTC
xrdp-0.6.1-11.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.