[Bug 3255] New: Problem in Pattern matching
bugzilla-daemon at mindrot.org
Mon Jan 25 05:08:16 AEDT 2021
https://bugzilla.mindrot.org/show_bug.cgi?id=3255
Bug ID: 3255
Summary: Problem in Pattern matching
Product: Portable OpenSSH
Version: 8.4p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: security
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: andres at antai-group.com
Created attachment 3467
--> https://bugzilla.mindrot.org/attachment.cgi?id=3467&action=edit
PoC - triggers infinite loop in match_pattern()
I have just uncovered a problem that seems to occur in match_pattern():
a malformed input can send the function into an infinite loop.
NOTE: As match_pattern() is invoked from auth.c [allowed_user() ->
ga_match() -> match_pattern() ] for authentication checks, there could
be a security impact in some contexts; this needs to be
investigated. Just in case, I am opening the issue as private.
This affects both the server (sshd) and the client (ssh, if you load
a config file).
Impact
- Availability of server/client application
- There could be impact on confidentiality - the call flow from auth.c
to ga_match() -> ga_match() -> match_pattern() has to be investigated.
I am attaching a test scenario in which client/server get stuck in the
match_pattern() loop when attempting to load a malformed config file.
Filename: "infinite-loop.conf"
Quick Testing:
SERVER
/usr/sbin/sshd -f infinite-loop.conf
CLIENT
ssh -F infinite-loop.conf localhost