loginmsg bug

Dag-Erling Smørgrav des at des.no
Wed Jul 9 20:04:07 EST 2008


Cf. http://seclists.org/fulldisclosure/2008/Jul/0090.html

This Mrdkaaa character claims to have exploited this, but does not say
how.

The issue is that if do_pam_account() fails, do_authloop() will call
packet_disconnect() with loginmsg as the format string (classic
printf(foo) instead of printf("%s", foo) bug).

The stuff that do_authloop() appends to loginmsg is harmless (the user
name is safe, since at this point we know the account exists).  The
question is, what does loginmsg contain before do_authloop()?

Can loginmsg at this point contain the "Last login" text?  That one's
unsafe since it contains the result of a reverse DNS lookup.

DES
-- 
Dag-Erling Smørgrav - des at des.no
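The printf(foo) versus printf("%s", foo) mistake described above, as an added example that is not OpenSSH code and not part of the original message. fake_disconnect() is a hypothetical stand-in with the same shape as packet_disconnect(const char *fmt, ...) that writes into a buffer instead of sending a DISCONNECT packet; the login message and host name are constructed. The vulnerable path is shown with "%%" because it is the one directive that consumes no argument, so the interpretation is visible without undefined behaviour; a separate checker counts the argument-consuming conversions (such as %x or %n) that an attacker-influenced reverse-DNS result would need to smuggle in.

```c
/* Added example (not OpenSSH code): loginmsg used as a format string
 * versus passed as the argument to "%s". All names are hypothetical. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for packet_disconnect(const char *fmt, ...): formats into a
 * caller-supplied buffer instead of sending a DISCONNECT packet. */
static void fake_disconnect(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* The buggy pattern: loginmsg itself becomes the format string. */
void disconnect_vulnerable(char *out, size_t outlen, const char *loginmsg)
{
    fake_disconnect(out, outlen, loginmsg);          /* printf(foo)       */
}

/* The fixed pattern: loginmsg is an argument to a constant "%s" format. */
void disconnect_fixed(char *out, size_t outlen, const char *loginmsg)
{
    fake_disconnect(out, outlen, "%s", loginmsg);    /* printf("%s", foo) */
}

/* Count conversion specifications in s that would consume a variadic
 * argument (everything except "%%"). Non-zero means the vulnerable path
 * reads arguments that were never passed; "%n" would additionally write
 * through whatever pointer it finds there. */
int count_arg_consuming_conversions(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed login message; the host part stands in for an
     * attacker-influenced reverse-DNS result. */
    const char *loginmsg = "Last login: Wed Jul  9 from 100%%evil.example\n";
    char out[256];

    disconnect_vulnerable(out, sizeof out, loginmsg);
    printf("vulnerable: %s", out);      /* "%%" collapses to "%": interpreted */
    disconnect_fixed(out, sizeof out, loginmsg);
    printf("fixed:      %s", out);      /* passed through unchanged */

    const char *hostile = "from %x%x%x%n.example";
    printf("argument-consuming conversions in hostile name: %d\n",
           count_arg_consuming_conversions(hostile));
    return 0;
}
```

The checker is only a diagnostic for the demonstration; the real fix is the constant format string, which makes the content of loginmsg irrelevant to the formatter.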
