loginmsg bug
Dag-Erling Smørgrav
des at des.no
Wed Jul 9 21:10:11 EST 2008
Damien Miller <djm at mindrot.org> writes:
> I'd say the reporter disabled privsep and rigged a PAM module to display
> a custom message (if they worked up to an exploit at all).
>
> The vulnerability criteria seem to be:
>
> 1. protocol 1 enabled
> 2. privsep disabled
> 3. successful authentication
> 4. PAM accounting module in stack that returns attacker-supplied data
That's pretty much what I concluded as well. He found something that
looked like a classic bug (printf() with no format string) and set up a
highly contrived scenario in which the bug is exploitable.
Anyway, the fix is trivial - add "%s" to the packet_disconnect() call in
do_authloop().
DES
--
Dag-Erling Smørgrav - des at des.no
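Added illustration of the bug class discussed above, not code from this thread or from OpenSSH: a stand-in for packet_disconnect() that formats into a buffer instead of sending a disconnect packet, called once the way the vulnerable do_authloop() did (attacker data as the format string) and once with the "%s" fix. fake_packet_disconnect(), disconnect_vulnerable(), disconnect_fixed() and count_format_directives() are names made up for this example, and the PAM-style message is constructed. It uses only "%%" in the untrusted input so the vulnerable path stays well defined while still showing that the message is being interpreted as a format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for sshd's packet_disconnect(): a printf-style
 * function. The real one formats the message, sends an SSH_MSG_DISCONNECT
 * and exits; this one just keeps the formatted text for inspection. */
static char last_disconnect[256];

static void fake_packet_disconnect(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_disconnect, sizeof last_disconnect, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern: the message returned by the PAM stack is passed as the
 * format string itself. gcc -Wformat -Wformat-security flags this call
 * ("format not a string literal and no format arguments"). Any %n, %s, %x
 * in the message would be acted on; here only "%%" is used. */
const char *disconnect_vulnerable(const char *pam_msg)
{
    fake_packet_disconnect(pam_msg);
    return last_disconnect;
}

/* Fixed pattern, as in the thread: a constant "%s" format, message as the
 * argument. The message is copied verbatim, never parsed for directives. */
const char *disconnect_fixed(const char *pam_msg)
{
    fake_packet_disconnect("%s", pam_msg);
    return last_disconnect;
}

/* Audit helper: count '%' conversion directives in an untrusted string,
 * treating "%%" as a literal percent. Non-zero means the string must never
 * reach a printf-style function as its format argument. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" is a literal '%', not a directive */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed PAM accounting message under attacker control. */
    const char *pam_msg = "Account at 100%% of grace period";

    printf("vulnerable: %s\n", disconnect_vulnerable(pam_msg));
    printf("fixed:      %s\n", disconnect_fixed(pam_msg));
    printf("directives in \"%%s%%s%%n\": %d\n",
           count_format_directives("%s%s%n"));
    return 0;
}
```

The vulnerable call collapses "100%%" to "100%", which is the observable sign that the message went through the format parser; with real directives in the message the same call would read (or with %n, write) through the argument list instead. The "%s" fix and the directive count are the two checks to apply when reviewing any logging, error or disconnect function that takes a printf-style format.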