loginmsg bug

Damien Miller djm at mindrot.org
Wed Jul 9 21:32:05 EST 2008


On Wed, 9 Jul 2008, Dag-Erling Smørgrav wrote:

> Damien Miller <djm at mindrot.org> writes:
> > I'd say the reporter disabled privsep and rigged a PAM module to display
> > a custom message (if they worked up to an exploit at all).
> >
> > The vulnerability criteria seem to be:
> >
> > 1. protocol 1 enabled
> > 2. privsep disabled
> > 3. successful authentication
> > 4. PAM accounting module in stack that returns attacker-supplied data
> 
> That's pretty much what I concluded as well.  He found something that
> looked like a classic bug (printf() with no format string) and set up a
> highly contrived scenario in which the bug is exploitable.
> 
> Anyway, the fix is trivial - add "%s" to the packet_disconnect() call in
> do_authloop().

Yes, I have already committed such a fix and have added -Wformat-security
to the default gcc 3.x and 4.x CFLAGS which would have caught this screwup.

I'm not going to rush out a release unless someone can point out a
commonly used PAM module that sends exploitable messages.

-d
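The pattern the thread describes, as an added example (not OpenSSH's code, and with hypothetical names): a printf-style stand-in for packet_disconnect(), the unfixed call that passes the PAM-supplied message as the format string, and the fixed call that adds "%s". The format attribute on the stand-in is what lets gcc's -Wformat-security report the unfixed call at compile time.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for sshd's packet_disconnect(): a printf-style
 * function that formats a disconnect message. Instead of sending a packet
 * it keeps the formatted text in a buffer so the result can be inspected.
 * The format attribute tells gcc/clang that argument 1 is a printf format,
 * which is what -Wformat-security needs to diagnose a non-literal format. */
static char last_disconnect[256];

static void disconnect_fmt(const char *fmt, ...)
    __attribute__((format(printf, 1, 2)));

static void disconnect_fmt(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_disconnect, sizeof(last_disconnect), fmt, ap);
    va_end(ap);
}

/* Before the fix: the message received from the PAM module is used as the
 * format string itself, so any '%' directives in it are interpreted.
 * Compiling with -Wformat-security reports:
 *   warning: format not a string literal and no format arguments
 * This function is kept only to show the diagnostic; it is never called. */
const char *disconnect_before_fix(const char *msg)
{
    disconnect_fmt(msg);
    return last_disconnect;
}

/* After the fix described in the thread: "%s" is the format and the PAM
 * message is an ordinary argument, so '%' characters in it are copied
 * through verbatim instead of being interpreted. */
const char *disconnect_after_fix(const char *msg)
{
    disconnect_fmt("%s", msg);
    return last_disconnect;
}
```

Build with `gcc -Wformat-security -c` to see the warning on disconnect_before_fix() and none on disconnect_after_fix().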

