loginmsg bug
Dag-Erling Smørgrav
des at des.no
Wed Jul 9 20:04:07 EST 2008
Cf. http://seclists.org/fulldisclosure/2008/Jul/0090.html
This Mrdkaaa character claims to have exploited this, but does not say
how.
The issue is that if do_pam_account() fails, do_authloop() will call
packet_disconnect() with loginmsg as the format string (classic
printf(foo) instead of printf("%s", foo) bug).
The stuff that do_authloop() appends to loginmsg is harmless (the user
name is safe, since at this point we know the account exists). The
question is, what does loginmsg contain before do_authloop()?
Can loginmsg at this point contain the "Last login" text? That one's
unsafe since it contains the result of a reverse DNS lookup.
DES
--
Dag-Erling Smørgrav - des at des.no
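The printf(foo) versus printf("%s", foo) pattern the message describes, as an added C example that is not part of the original post and not OpenSSH code. packet_disconnect_msg() is a hypothetical stand-in for a variadic disconnect routine, disconnect_unsafe() and disconnect_safe() are the two call patterns side by side, and count_conversions() is an audit helper that flags data which would be interpreted if it ever reached a format parameter; the "Last login" sample string is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a variadic disconnect routine such as packet_disconnect():
 * it formats its arguments into out. (Hypothetical name, not OpenSSH code.) */
static int packet_disconnect_msg(char *out, size_t n, const char *fmt, ...)
{
	va_list ap;
	int r;

	va_start(ap, fmt);
	r = vsnprintf(out, n, fmt, ap);
	va_end(ap);
	return r;
}

/* The bug pattern described in the thread: loginmsg, which may carry data
 * from outside the program (e.g. a reverse-DNS result in "Last login"),
 * is passed where the format string belongs. Any '%' in loginmsg is then
 * interpreted by vsnprintf instead of being copied literally. */
int disconnect_unsafe(char *out, size_t n, const char *loginmsg)
{
	return packet_disconnect_msg(out, n, loginmsg);
}

/* The fix: a fixed format, with loginmsg passed as an ordinary argument,
 * so its contents are never interpreted. */
int disconnect_safe(char *out, size_t n, const char *loginmsg)
{
	return packet_disconnect_msg(out, n, "%s", loginmsg);
}

/* Audit helper: count the conversion specifiers a string would trigger if
 * it were used as a format. "%%" is a literal percent sign and is ignored.
 * A non-zero result on data that is about to be passed as fmt is the
 * condition a hardened build should reject or log. */
int count_conversions(const char *s)
{
	int n = 0;
	const char *p;

	for (p = s; *p != '\0'; p++) {
		if (*p != '%')
			continue;
		if (p[1] == '%') {
			p++;	/* skip the escaped percent */
			continue;
		}
		n++;
	}
	return n;
}

int main(void)
{
	/* Constructed sample: a hostname-like suffix carrying specifiers. */
	const char *loginmsg = "Last login: Wed Jul 9 from %x%n.example";
	char out[256];

	printf("conversions in loginmsg: %d\n", count_conversions(loginmsg));
	disconnect_safe(out, sizeof out, loginmsg);
	printf("safe path preserves message: %s\n", out);
	return 0;
}
```

Only the safe path is exercised with a specifier-bearing string; handing such a string to disconnect_unsafe() is undefined behaviour, which is exactly why the audit check exists.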