loginmsg bug
Damien Miller
djm at mindrot.org
Wed Jul 9 20:21:29 EST 2008
On Wed, 9 Jul 2008, Dag-Erling Smørgrav wrote:
> Cf. http://seclists.org/fulldisclosure/2008/Jul/0090.html
>
> This Mrdkaaa character claims to have exploited this, but does not say
> how.
hmm, loginmsg starts empty and is filled from three sources:
- The contents of a sshd_config:Banner file (if any)
- Password expiry messages generated by sshd
- Messages generated by PAM
Of these three, the PAM messages are the only ones that could
possibly be attacker-controlled (e.g. echoing back a deliberately
corrupted username), but I don't know off the top of my head whether
any PAM modules will actually do that. The actual bug happens in the path
that handles a failed PAM account check, so it will have accrued these
messages.
The second difficulty in exploiting this in the wild is that
the packet_disconnect() call should only ever happen in the unprivileged
slave process. Maybe the reporter disabled privsep for his/her demo?
-d