[Bug 3255] New: Problem in Pattern matching

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Mon Jan 25 05:08:16 AEDT 2021


https://bugzilla.mindrot.org/show_bug.cgi?id=3255

            Bug ID: 3255
           Summary: Problem in Pattern matching
           Product: Portable OpenSSH
           Version: 8.4p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: security
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: andres at antai-group.com

Created attachment 3467
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3467&action=edit
PoC - triggers infinite loop in match_pattern()

I have just uncovered a problem that seems to occur in match_pattern():
a malcrafted input can send the function into an infinite loop.

NOTE: As match_pattern() is invoked from auth.c [allowed_user() ->
ga_match() -> match_pattern() ] for authentication checks, there could
be a security impact under some contexts; this needs to be
investigated. Just in case, I am opening the issue as private.

This affects both the server (sshd) and the client (ssh - if you load
a config file).

Impact
- Availability of server/client application
- There could be impact on confidentiality - call flow from auth.c
to ga_match() -> ga_match() -> match_pattern() has to be investigated.

I am attaching a test scenario in which client/server get stuck in the
match_pattern() loop when attempting to load a malcrafted config file.
Filename: "infinite-loop.conf"

Quick Testing:

SERVER
/usr/sbin/sshd -f infinite-loop.conf

CLIENT
ssh -F infinite-loop.conf localhost
