SecurID support for OpenSSH
Vern Staats
staatsvr at asc.hpc.mil
Sat Apr 6 05:19:48 EST 2002
I was reading this SecurID patch to openssh-3.1p1,
List: openssh-unix-dev
Subject: SecurID support for OpenSSH
From: Václav Tomec <v_t_m at seznam.cz>
Date: 2002-03-25 14:53:34
and think I've found a couple of bugs, the patch for which is included
below. First there's an #ifdef'd if-statement which applies to
either another if-statement or to a free(). Second is a buffer
overrun on a 512-byte array. This *might* be only exploitable by
root (or whoever runs sshd), if so then no big deal. I didn't look
too deeply; it was easier to fix than to figure out how exploitable
it is. The other fixed size arrays in the patch look safe.
*** openssh-3.1p1/auth2.c.orig Thu Apr 4 15:38:07 2002
--- openssh-3.1p1/auth2.c Thu Apr 4 15:38:46 2002
***************
*** 425,431 ****
--- 425,433 ----
#if defined (SECURID) || defined (SECURID_OLD)
if (!authenticated && options.securid_authentication_via_kbd_int)
authenticated = auth_securid_kbd_int(authctxt, lang);
+ #ifdef USE_PAM
if (!authenticated && options.securid_fallback)
+ #endif
#endif
#ifdef USE_PAM
if (authenticated == 0 && options.pam_authentication_via_kbd_int)
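Review bot: In the auth2.c hunk, the `if (!authenticated && options.securid_fallback)` that is now wrapped in `#ifdef USE_PAM` still has no body of its own. With USE_PAM defined it governs the `if (authenticated == 0 && options.pam_authentication_via_kbd_int)` that opens the next preprocessor block, so the guard and the statement it guards live in two separate #ifdef regions. Keep the fallback test next to the statement it controls and put braces around that statement, or at least add a comment saying the fallback test deliberately applies to the PAM check that follows, so a later edit between the two blocks cannot change what the `if` controls.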
*** openssh-3.1p1/auth2-securid3.c.orig Thu Apr 4 15:21:45 2002
--- openssh-3.1p1/auth2-securid3.c Thu Apr 4 15:38:00 2002
***************
*** 142,148 ****
debug("Couldn't read /etc/sdace.txt");
retval = 0;
} else {
! fscanf(pfdAcefile, "%s", szVarAce);
fclose(pfdAcefile);
if (putenv(szVarAce)) {
debug("Cannot putenv: %s", szVarAce);
--- 142,148 ----
debug("Couldn't read /etc/sdace.txt");
retval = 0;
} else {
! fscanf(pfdAcefile, "%511s", szVarAce);
fclose(pfdAcefile);
if (putenv(szVarAce)) {
debug("Cannot putenv: %s", szVarAce);
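Review bot: On the changed `fscanf(pfdAcefile, "%511s", szVarAce);` line the return value is still ignored, so an empty /etc/sdace.txt reaches `putenv(szVarAce)` with whatever the buffer held before the call. Check for a result other than 1 and take the same `retval = 0` path as the read failure just above. The literal 511 also has to be kept in step by hand with the array's declared size, which is outside this hunk; a comment tying the two together, or fgets() with sizeof, would stop them drifting apart. Note too that an overlong entry is now silently truncated rather than rejected, so the value handed to putenv() may not be the one in the file.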
--
"My company prefers to have that kind of decision made by
uninformed executives. We call it "Empowerment". --Dilbert
staatsvr at asc.hpc.mil
Vern Staats, ASC/HPTS, WPAFB OH 45433, 937-255-1616
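As an added illustration of the second fix (not code from the patch or from OpenSSH): a bounded `%s` read that also checks fscanf's return value and rejects an overlong token instead of truncating it. The names read_ace_token, sample_file and ACE_MAX are hypothetical, and the input is a constructed temporary file.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define ACE_MAX 511            /* longest token accepted; buffer is ACE_MAX + 1 */
#define STR_(x) #x
#define STR(x) STR_(x)         /* turns ACE_MAX into the text "511" at compile time */

/* Returns 0 on success, -1 if no token could be read (empty file or error),
 * -2 if the token was longer than ACE_MAX and is therefore rejected. */
static int read_ace_token(FILE *fp, char buf[ACE_MAX + 1])
{
    int next;

    buf[0] = '\0';                                  /* never leave stale data */
    if (fscanf(fp, "%" STR(ACE_MAX) "s", buf) != 1) /* width tied to ACE_MAX */
        return -1;
    next = fgetc(fp);
    if (next != EOF && !isspace(next))
        return -2;        /* non-space bytes remain: the token was cut short */
    return 0;
}

/* Constructed sample input: a temp file with `len` 'A' bytes and a newline. */
static FILE *sample_file(size_t len)
{
    FILE *fp = tmpfile();
    if (!fp)
        return NULL;
    for (size_t i = 0; i < len; i++)
        fputc('A', fp);
    if (len)
        fputc('\n', fp);
    rewind(fp);
    return fp;
}

int main(void)
{
    char buf[ACE_MAX + 1];
    size_t sizes[] = {100, 511, 600, 0};

    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        FILE *fp = sample_file(sizes[i]);
        if (!fp)
            return 1;
        printf("%zu bytes -> %d\n", sizes[i], read_ace_token(fp, buf));
        fclose(fp);
    }
    return 0;
}
```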