Fwd: [oss-security] *Possible* ssh vulnerability

Dag-Erling Smørgrav des at des.no
Fri May 9 20:08:04 EST 2014

Damien Miller <djm at mindrot.org> writes:
> The memory dump seems to indicate a post-auth process (and possibly
> sftp-server/internal-sftp), so it's surprising it could see the
> password hash to begin with and it would be highly unlikely to see
> anything else that is sensitive.

(caveat: my recollection of the privsep model is slightly hazy; is there
a whitepaper somewhere?)

The unprivileged parent can contain a copy of /etc/shadow from calling
getpwnam() at some point before do_setusercontext().  This hypothesis is
strengthened by the fact that the passwd line in the dump looks like it
has been parsed for use in a struct passwd: the text fields are
terminated by NULs instead of colons, but the numeric fields aren't
because strtoul() doesn't require it.  This passwd line seems to have
overwritten a previous, longer passwd line for a user whose home
directory (and presumably login) ends with "oe" and who uses zsh instead
of bash.

However, that process's /proc/*/mem is only readable by root since it
started out with root credentials.

The most intriguing thing about this dump is that it seems to contain a
hex dump of a syslog message from Linux-PAM's pam_unix (starting at
002516d0).  I wouldn't be surprised to see the message itself, since
this is the same process that called pam_open_session(), but I really
wouldn't expect a hex dump of that message.

On the whole, I agree that it is most likely a hoax.

Dag-Erling Smørgrav - des at des.no
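Added example, not code from the thread, OpenSSH or any libc: a simplified C model of the in-place passwd-line parsing described above, showing why a parsed entry appears in a memory dump with text fields NUL-terminated while the numeric fields are still followed by colons, plus a small separator count a dump reviewer can apply to such a region. The entry, struct and helper names are constructed assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for struct passwd. */
struct pw { char *name, *passwd; unsigned long uid, gid; char *gecos, *dir, *shell; };

/* Text field: terminated by overwriting the ':' separator with NUL. */
static char *text_field(char **cur) {
    char *start = *cur, *sep = strchr(start, ':');
    if (sep) { *sep = '\0'; *cur = sep + 1; } else *cur = start + strlen(start);
    return start;
}

/* Numeric field: strtoul() stops at the ':' and leaves that byte untouched. */
static unsigned long num_field(char **cur) {
    char *end;
    unsigned long v = strtoul(*cur, &end, 10);
    *cur = (*end == ':') ? end + 1 : end;
    return v;
}

/* Parse a passwd(5) line in place; 'line' ends up modified like a parser's buffer. */
int parse_passwd_inplace(char *line, struct pw *out) {
    char *cur = line;
    out->name = text_field(&cur);  out->passwd = text_field(&cur);
    out->uid = num_field(&cur);    out->gid = num_field(&cur);
    out->gecos = text_field(&cur); out->dir = text_field(&cur);
    out->shell = text_field(&cur);
    return 0;
}

/* Count separator bytes in a dump region: a parsed line shows NULs where the
   text-field colons were and colons still trailing the numeric fields. */
void count_separators(const char *buf, size_t len, int *nuls, int *colons) {
    *nuls = *colons = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == '\0') (*nuls)++;
        else if (buf[i] == ':') (*colons)++;
    }
}

/* Demo on a constructed entry; returns nuls*10 + colons for the parsed region,
   or -1 if the fields did not come back as expected. */
int demo_parse_signature(void) {
    char buf[] = "alice:$6$salt$hash:1001:1001:Alice:/home/alice:/bin/zsh";
    struct pw p; int nuls, colons;
    parse_passwd_inplace(buf, &p);
    if (p.uid != 1001 || p.gid != 1001 || strcmp(p.shell, "/bin/zsh") != 0) return -1;
    count_separators(buf, sizeof buf - 1, &nuls, &colons); /* skip trailing NUL */
    return nuls * 10 + colons; /* 42: four colons became NUL, two survive */
}
```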

