loginmsg bug

Damien Miller djm at mindrot.org
Wed Jul 9 20:36:22 EST 2008


On Wed, 9 Jul 2008, Damien Miller wrote:

> On Wed, 9 Jul 2008, Dag-Erling Smørgrav wrote:
> 
> > Cf. http://seclists.org/fulldisclosure/2008/Jul/0090.html
> > 
> > This Mrdkaaa character claims to have exploited this, but does not say
> > how.
> 
> hmm, loginmsg starts empty and is filled from three sources:
> 
> - The contents of a sshd_config:Banner file (if any)
> - Password expiry messages generated by sshd
> - Messages generated by PAM
> 
> Of these three, the PAM messages are the only ones that could
> possibly be attacker-controlled (e.g. echoing back a deliberately
> corrupted username), but I don't know off the top of my head whether
> any PAM modules will actually do that. The actual bug happens in the path
> that handles a failed PAM account check, so it will have accrued these
> messages.

Actually, it couldn't be the username that is the vector because we
sanitise that. It would have to be (as you suggested originally) DNS
or something else from the local environment.

Populating loginmsg with lastlog happens postauth (at the time the 
interactive session is established). An exception to this would be
hosts where an administrator has put pam_lastlog.so in the PAM account
stack.

-d


More information about the openssh-unix-dev mailing list