Possible failure to scrub data in file 'openbsd-compat/bsd-cray.c' in OpenSSH-7.1p1

Bill Parker wp02855 at gmail.com
Thu Jan 14 04:56:39 AEDT 2016


Hello All,

In reviewing some code in file 'bsd-cray.c', I found a possible
issue where data in the following code may not be properly scrubbed
in the case IA_BACKDOOR in function 'cray_setup', which is below:

        case IA_BACKDOOR:
                /* XXX: can we memset it to zero here so save some of this */
                strlcpy(ue.ue_name, "root", sizeof(ue.ue_name));
                strlcpy(ue.ue_dir, "/", sizeof(ue.ue_dir));
                strlcpy(ue.ue_shell, "/bin/sh", sizeof(ue.ue_shell));

                ue.ue_passwd[0] = '\0';
                ue.ue_age[0] = '\0';
                ue.ue_comment[0] = '\0';
                ue.ue_loghost[0] = '\0';
                ue.ue_logline[0] = '\0';

                ue.ue_uid = -1;
                ue.ue_nice[UDBRC_INTER] = 0;

where ue.ue_passwd[0] is set to NUL, there exists the potential that
any data beyond ue.ue_passwd[0] is still accessible in memory as the
following test program below demonstrates:

#include <stdio.h>

int main(void)
{
    unsigned int n;
    char ue[50] = "ABCDEFGHIJKLMNPOQRSTUVWXYZ0123456789";

    ue[0] = '\0';   /* set this to NULL: the string now reads as empty... */

    printf("Contents of char ue[0] is: %s\n", ue);

    printf("Contents of char ue[1-36] is:");

    /* ...but bytes 1..35 were never touched and can still be read back */
    for (n = 1; n < 36; n++)
        printf("%c", ue[n]);
    printf("\n");

    return 0;
}

[bill at moocow ~]$ ./a.out
Contents of char ue[0] is:
Contents of char ue[1-36] is:BCDEFGHIJKLMNPOQRSTUVWXYZ0123456789

As you can see, data beyond ue[0] is still accessible; should the
code not be changed to use memset() to scrub any sensitive information
still stored in various arrays in IA_BACKDOOR (and perhaps other
areas of code in bsd-cray.c, etc.)?

Bill Parker (wp02855 at gmail dot com)
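The point of the post, shown side by side as an added example (not code from the post or from OpenSSH): a constructed `udb_demo` struct stands in for the Cray udb entry, `residue_after(0)` clears only the first byte as the quoted IA_BACKDOOR code does, and `residue_after(1)` scrubs the whole field; the residue counter reports how many bytes of the old value survive each way. The `scrub()` helper writes through a volatile pointer so the compiler cannot elide the stores; it is a portable stand-in for OpenSSH's own explicit_bzero(), not that function.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the Cray udb entry used in bsd-cray.c; the field
 * size is invented for this demo and is not the real header's. */
struct udb_demo {
    char ue_passwd[32];
};

/* Residue check: how many bytes of a "cleared" field are still non-zero. */
size_t residual_bytes(const unsigned char *buf, size_t len)
{
    size_t n = 0, i;
    for (i = 0; i < len; i++)
        if (buf[i] != 0)
            n++;
    return n;
}

/* Scrub through a volatile pointer so the compiler cannot drop the stores as
 * dead writes (the reason OpenSSH ships explicit_bzero() in openbsd-compat;
 * this loop is a portable stand-in, not that function). */
void scrub(void *p, size_t len)
{
    volatile unsigned char *vp = p;
    while (len--)
        *vp++ = 0;
}

/* Fill ue_passwd with a stale value, then clear it either the way the quoted
 * IA_BACKDOOR code does (first byte only) or with a full scrub, and report
 * how many bytes of the old value survive. */
size_t residue_after(int full_scrub)
{
    struct udb_demo ue;
    memset(&ue, 0, sizeof(ue));
    snprintf(ue.ue_passwd, sizeof(ue.ue_passwd), "%s", "stale-hash-value");
    if (full_scrub)
        scrub(ue.ue_passwd, sizeof(ue.ue_passwd));
    else
        ue.ue_passwd[0] = '\0';   /* string looks empty, bytes 1..15 remain */
    return residual_bytes((unsigned char *)ue.ue_passwd, sizeof(ue.ue_passwd));
}

int main(void)
{
    printf("bytes left after ue_passwd[0] = '\\0': %zu\n", residue_after(0));
    printf("bytes left after full scrub:         %zu\n", residue_after(1));
    return 0;
}
```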


More information about the openssh-unix-dev mailing list