[Bug 111] New: sshd syslogs raw untrusted data

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Feb 13 10:20:32 EST 2002


           Summary: sshd syslogs raw untrusted data
           Product: Portable OpenSSH
           Version: -current
          Platform: UltraSparc
        OS/Version: Solaris
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: peak at argo.troja.mff.cuni.cz

There are multiple occurrences of log() et al using untrusted data (received from
a client, read from ~/.ssh/*), including any special characters, as a part of
the message. On some systems, namely Solaris (up to and including version 8),
this is a bad thing because syslog() passes any character it gets to syslogd,
including a newline that is interpreted as a message separator. For instance,
when a single LF is sent to port 22, the following is logged:

Feb 12 23:29:56 blah sshd[1234]: Bad protocol version identification '
Feb 12 23:29:56 blah ' from

This way, sshd could be abused to generate bogus syslog messages by remote (!)
users. Yes, such an implementation of syslog()/syslogd is stupid but it is much
easier to patch OpenSSH than Solaris. :)

I made a patch against 3.0.2p1 processing untrusted data with vis() whenever
they are passed to log() et al (I had to re-add vis.[ch]) but I am not sure
whether I got all cases covered. It would probably be more efficient to add
vis() to do_log()...as long as the potential ambiguity in cases where more than
one piece of untrusted data is logged (e.g. method and authctx->user in
auth_log()) is considered harmless.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
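
An added illustration of the fix the report proposes (not the reporter's patch and not OpenSSH code): each untrusted string is encoded before it reaches the log call, so an LF sent by a client reaches syslogd as the text \012 rather than as a message separator. log_escape() is a hypothetical stand-in for vis(), and the input string is constructed.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper (assumption, not OpenSSH's vis()): copy src into
 * dst, writing backslash as "\\" and every byte outside printable ASCII
 * as a three-digit octal escape, so the result never holds a raw LF/CR
 * and stays unambiguous. Always NUL-terminates. Returns the number of
 * bytes written, or (size_t)-1 if dst was too small (output truncated).
 */
size_t log_escape(char *dst, size_t dstlen, const char *src, size_t srclen)
{
	size_t i, o = 0;
	if (dstlen == 0)
		return (size_t)-1;
	for (i = 0; i < srclen; i++) {
		unsigned char c = (unsigned char)src[i];
		size_t need = (c == '\\') ? 2 : (c >= 0x20 && c < 0x7f) ? 1 : 4;
		if (o + need >= dstlen) {	/* keep room for the NUL */
			dst[o] = '\0';
			return (size_t)-1;
		}
		if (need == 1) {
			dst[o++] = (char)c;
		} else if (need == 2) {
			dst[o++] = '\\';
			dst[o++] = '\\';
		} else {
			dst[o++] = '\\';
			dst[o++] = (char)('0' + ((c >> 6) & 7));
			dst[o++] = (char)('0' + ((c >> 3) & 7));
			dst[o++] = (char)('0' + (c & 7));
		}
	}
	dst[o] = '\0';
	return o;
}

int main(void)
{
	/* Constructed input: a version string that starts with an LF. */
	const char ident[] = "\nFeb 12 23:29:56 blah forged: constructed line";
	char safe[4 * sizeof(ident)];	/* worst case: 4 output bytes per input byte */

	log_escape(safe, sizeof(safe), ident, strlen(ident));
	/* In a daemon this would be syslog(LOG_INFO, "... '%s'", safe). */
	printf("Bad protocol version identification '%s'\n", safe);
	return 0;
}
```

Encoding each field separately, rather than the finished message, keeps the boundaries between several untrusted values (the method and user case the report mentions) intact.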
