[Bug 676] auth-pam.c trashes stack in sshpam_thread_conv() with more than one message

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Sep 18 17:57:49 EST 2003


http://bugzilla.mindrot.org/show_bug.cgi?id=676

           Summary: auth-pam.c trashes stack in sshpam_thread_conv() with
                    more than one message
           Product: Portable OpenSSH
           Version: 3.7p1
          Platform: UltraSparc
        OS/Version: Solaris
            Status: NEW
          Severity: security
          Priority: P2
         Component: PAM support
        AssignedTo: openssh-bugs at mindrot.org
        ReportedBy: paul.a.bolton at bt.com


If a PAM module has more than one message set in a single conversation, hence
more than one response, auth-pam.c will start trashing the stack. This was run
on Solaris 8 with patch 108993-22. This had been noticed as we were experiencing
SIGBUS faults from sshd.

The problem seems to be in sshpam_thread_conv() in that the 3rd argument (struct
pam_response **resp) is treated as an array of pointers to struct pam_response
and not as a pointer to an array of struct pam_response.

This only occurs if the PAM module has more than one response.

Obviously, as the responses are from the unauthenticated user and in effect
start trampling on the stack (first to go is the msg struct), this could be
exploitable.

Code for the change will be attached. As for whether this could be exploitable,
I haven't looked into this side of the problem sufficiently to answer this.



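The allocation shape the report describes, as an added example that is not the OpenSSH code from the bug or the attached patch. A PAM conversation function receives `struct pam_response **resp`, the address of a single pointer on the module's stack, and must hand back one contiguous array of `num_msg` responses through it; indexing `resp[i]` instead writes past that one variable as soon as there is a second message. The struct layouts and constant values below are local stand-ins for `<security/pam_appl.h>` (assumed to match the Linux-PAM/Solaris values) so the file builds without libpam, the function names are hypothetical, and the messages are constructed input.

```c
#define _POSIX_C_SOURCE 200809L  /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-ins for the PAM conversation ABI so this builds without libpam.
 * Field order follows <security/pam_appl.h>; the constant values are assumed. */
#define PAM_SUCCESS          0
#define PAM_CONV_ERR         19
#define PAM_PROMPT_ECHO_OFF  1
#define PAM_PROMPT_ECHO_ON   2
#define PAM_ERROR_MSG        3
#define PAM_TEXT_INFO        4

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Correct shape: resp points at ONE pointer owned by the caller. Allocate a
 * single contiguous array of num_msg responses and store its base there; the
 * module then reads (*resp)[i]. appdata_ptr carries the canned answer here. */
int good_conv(int num_msg, const struct pam_message **msg,
              struct pam_response **resp, void *appdata_ptr)
{
    struct pam_response *reply;
    int i;

    if (num_msg <= 0 || resp == NULL)
        return PAM_CONV_ERR;
    reply = calloc((size_t)num_msg, sizeof(*reply));
    if (reply == NULL)
        return PAM_CONV_ERR;
    for (i = 0; i < num_msg; i++) {
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_OFF:
        case PAM_PROMPT_ECHO_ON:
            reply[i].resp = strdup((const char *)appdata_ptr);
            if (reply[i].resp == NULL)
                goto fail;
            break;
        case PAM_ERROR_MSG:
        case PAM_TEXT_INFO:
            reply[i].resp = NULL;            /* informational: no answer */
            break;
        default:
            goto fail;
        }
    }
    *resp = reply;
    return PAM_SUCCESS;
fail:
    for (i = 0; i < num_msg; i++)
        free(reply[i].resp);
    free(reply);
    return PAM_CONV_ERR;
}

/* The shape the report describes: resp indexed as if it were an array of
 * num_msg pointers. The caller passed the address of a single stack variable,
 * so resp[1], resp[2], ... are stores past it. Shown for contrast only; it is
 * never called here and must not be called with num_msg > 1. */
int bad_conv_shape(int num_msg, const struct pam_message **msg,
                   struct pam_response **resp, void *appdata_ptr)
{
    int i;
    (void)msg;
    for (i = 0; i < num_msg; i++) {
        resp[i] = calloc(1, sizeof(struct pam_response)); /* wrong for i >= 1 */
        if (resp[i] == NULL)
            return PAM_CONV_ERR;
        resp[i]->resp = strdup((const char *)appdata_ptr);
    }
    return PAM_SUCCESS;
}

/* Module side, emulating how pam_sm_authenticate() consumes the result: one
 * pointer comes back and is indexed as a plain array. Prompts alternate with
 * informational messages (constructed input). Returns the number of answers
 * received, or -1 on error. */
int run_conversation(int num_msg, const char *answer)
{
    struct pam_message msgs[8];
    const struct pam_message *pmsg[8];
    struct pam_response *reply = NULL;   /* the one pointer &reply refers to */
    int i, answered = 0;

    if (num_msg < 1 || num_msg > 8)
        return -1;
    for (i = 0; i < num_msg; i++) {
        msgs[i].msg_style = (i % 2 == 0) ? PAM_PROMPT_ECHO_OFF : PAM_TEXT_INFO;
        msgs[i].msg = (i % 2 == 0) ? "Password: " : "(constructed notice)";
        pmsg[i] = &msgs[i];
    }
    if (good_conv(num_msg, pmsg, &reply, (void *)answer) != PAM_SUCCESS)
        return -1;
    for (i = 0; i < num_msg; i++) {
        if (reply[i].resp != NULL) {
            answered++;
            free(reply[i].resp);
        }
    }
    free(reply);
    return answered;
}

int main(void)
{
    printf("1 message:  %d answer(s)\n", run_conversation(1, "hunter2"));
    printf("3 messages: %d answer(s)\n", run_conversation(3, "hunter2"));
    return 0;
}
```

The check a reviewer wants on any conversation function is the one `good_conv` makes explicit: exactly one store through `*resp`, after a single allocation sized by `num_msg`, with everything freed on the error path so a malformed multi-message conversation fails closed instead of leaking or writing out of bounds.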