loginmsg bug
Damien Miller
djm at mindrot.org
Wed Jul 9 20:43:06 EST 2008
On Wed, 9 Jul 2008, Dag-Erling Smørgrav wrote:
> Dag-Erling Smørgrav <des at des.no> writes:
> > Can loginmsg at this point contain the "Last login" text? That one's
> > unsafe since it contains the result of a reverse DNS lookup.
>
> A quick check suggests it can't, and AFAICT the offending code runs in
> the unprivileged child, so I really can't see how he exploited it.
>
> Does anybody know what's going on?

I'd say the reporter disabled privsep and rigged a PAM module to display
a custom message (if they worked up to an exploit at all).

The vulnerability criteria seem to be:

1. protocol 1 enabled
2. privsep disabled
3. successful authentication
4. PAM accounting module in stack that returns attacker-supplied data

-d
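
Added example, not part of the original message and not OpenSSH project code: a small audit of the configuration-visible criteria above (1, 2, and whether PAM is in use at all for 4) against the global section of an sshd_config. The sample config is constructed, the function names are hypothetical, and criterion 3 and the behaviour of individual PAM modules cannot be read from sshd_config.

```python
import re

# Constructed sample sshd_config for illustration; not taken from the thread.
SAMPLE_CONFIG = """\
Port 22
Protocol 2,1
UsePrivilegeSeparation no
UsePAM yes
Protocol 2
Match User backup
    X11Forwarding no
"""

def global_settings(text):
    """Return {keyword: value} for the global section of an sshd_config.

    Keywords are case-insensitive, the first value seen for a keyword is
    the one kept, and parsing stops at the first Match block.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings

def config_criteria(text):
    """Map each config-visible criterion to True/False, or None if unset.

    None means the keyword is absent, so the answer depends on the
    compiled-in default of the sshd build being audited.
    """
    s = global_settings(text)
    def check(key, test):
        return test(s[key].lower()) if key in s else None
    return {
        "protocol_1_enabled": check("protocol", lambda v: "1" in re.split(r"\s*,\s*", v)),
        "privsep_disabled": check("useprivilegeseparation", lambda v: v == "no"),
        "pam_enabled": check("usepam", lambda v: v == "yes"),
    }

def all_config_criteria_met(text):
    """True only when every config-visible criterion is explicitly met."""
    return all(v is True for v in config_criteria(text).values())
```

A None result should be resolved against the defaults of the installed sshd version before a host is ruled in or out.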