Possible failure to scrub data in file 'openbsd-compat/bsd-cray.c' in OpenSSH-7.1p1

Ben Lindstrom mouring at offwriting.org
Fri Jan 15 02:20:47 AEDT 2016


This is for UNICOS Cray.  And currently I know that the OS and hardware 
have been officially retired.  I have a question into one of my contacts 
at Cray to see if they know of any customers still running this old 
hardware, and if not then I'd suggest we strip the UNICOS port out as 
dead wood.

- Ben

Bill Parker wrote:
> Hello All,
>
> In reviewing some code in file 'bsd-cray.c', I found a possible
> issue where data in the following code may not be properly scrubbed
> in the case IA_BACKDOOR in function 'cray_setup', which is below:
>
>          case IA_BACKDOOR:
>                  /* XXX: can we memset it to zero here so save some of this */
>                  strlcpy(ue.ue_name, "root", sizeof(ue.ue_name));
>                  strlcpy(ue.ue_dir, "/", sizeof(ue.ue_dir));
>                  strlcpy(ue.ue_shell, "/bin/sh", sizeof(ue.ue_shell));
>
>                  ue.ue_passwd[0] = '\0';
>                  ue.ue_age[0] = '\0';
>                  ue.ue_comment[0] = '\0';
>                  ue.ue_loghost[0] = '\0';
>                  ue.ue_logline[0] = '\0';
>
>                  ue.ue_uid = -1;
>                  ue.ue_nice[UDBRC_INTER] = 0;
>
> where ue.ue_passwd[0] is set to NUL, there exists the potential that
> any data beyond ue.ue_passwd[0] is still accessible in memory as the
> following test program below demonstrates:
>
> #include <stdio.h>
>
> int main(void)
> {
>      unsigned int n;
>      char ue[50] = "ABCDEFGHIJKLMNPOQRSTUVWXYZ0123456789";
>
>      ue[0] = '\0';   /* terminate the string at its first byte (NUL) */
>
>      /* %s stops at the NUL, so the "string" now prints as empty ... */
>      printf("Contents of char ue[0] is: %s\n", ue);
>
>      /* ... but the bytes after it were never cleared and are still there */
>      printf("Contents of char ue[1-36] is:");
>
>      for (n = 1; n < 36; n++)
>          printf("%c", ue[n]);
>      printf("\n");
>
>      return 0;
> }
>
> [bill at moocow ~]$ ./a.out
> Contents of char ue[0] is:
> Contents of char ue[1-36] is:BCDEFGHIJKLMNPOQRSTUVWXYZ0123456789
>
> As you can see, data beyond ue[0] is still accessible, should the
> code not be changed to use memset() to scrub any sensitive information
> still stored in various arrays in IA_BACKDOOR (and perhaps other
> areas of code in bsd-cray.c, etc)?
>
> Bill Parker (wp02855 at gmail dot com)
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
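The two ways of "clearing" the entry that Bill contrasts, side by side, as an added example that is not code from this thread or from OpenSSH: a struct that stands in for the UNICOS udb entry (the ue_* field names follow the quoted code, but the field sizes, the struct layout, and the helper names residue_bytes, scrub_first_byte_only, scrub_whole_entry and secure_memset are assumptions of this example; snprintf is used in place of strlcpy so it builds on any libc). Zeroing ue_passwd[0] only shortens the C string; a byte-level probe still finds the rest of the secret, whereas a memset of the whole entry leaves nothing. The memset is called through a volatile function pointer so the compiler cannot discard it as a dead store on a local that is about to go out of scope, which is the same problem OpenSSH's own explicit_bzero() exists to solve.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for the UNICOS udb entry that cray_setup() fills in.
 * The real struct and its field sizes are not on this page; these are
 * assumed for the demonstration. */
struct ue_entry {
    char ue_name[16];
    char ue_passwd[32];
    char ue_dir[64];
    char ue_shell[64];
    char ue_comment[64];
    int  ue_uid;
};

/* Residue probe: how many bytes in a region are still non-zero. */
size_t residue_bytes(const void *p, size_t len)
{
    const unsigned char *b = p;
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (b[i] != 0)
            n++;
    return n;
}

/* Populate the entry with constructed, clearly fake secrets so that any
 * residue left behind after "scrubbing" is easy to see. */
void fill_entry(struct ue_entry *ue)
{
    memset(ue, 0, sizeof(*ue));
    snprintf(ue->ue_name, sizeof(ue->ue_name), "root");
    snprintf(ue->ue_passwd, sizeof(ue->ue_passwd), "hunter2-constructed");
    snprintf(ue->ue_dir, sizeof(ue->ue_dir), "/");
    snprintf(ue->ue_shell, sizeof(ue->ue_shell), "/bin/sh");
    snprintf(ue->ue_comment, sizeof(ue->ue_comment), "constructed comment");
    ue->ue_uid = -1;
}

/* The pattern from the quoted IA_BACKDOOR code: truncate the C string by
 * zeroing its first byte.  Every byte after it is left as it was. */
void scrub_first_byte_only(struct ue_entry *ue)
{
    ue->ue_passwd[0] = '\0';
    ue->ue_comment[0] = '\0';
}

/* Clear the whole entry.  Calling memset through a volatile function
 * pointer keeps the compiler from treating the store as dead and deleting
 * it; OpenBSD's explicit_bzero() is the library form of this idea. */
static void *(*volatile secure_memset)(void *, int, size_t) = memset;

void scrub_whole_entry(struct ue_entry *ue)
{
    secure_memset(ue, 0, sizeof(*ue));
}

/* Non-zero bytes left in ue_passwd after the first-byte-only "scrub". */
size_t passwd_residue_after_first_byte(void)
{
    struct ue_entry ue;
    fill_entry(&ue);
    scrub_first_byte_only(&ue);
    return residue_bytes(ue.ue_passwd, sizeof(ue.ue_passwd));
}

/* Non-zero bytes left anywhere in the entry after the full scrub. */
size_t entry_residue_after_full_scrub(void)
{
    struct ue_entry ue;
    fill_entry(&ue);
    scrub_whole_entry(&ue);
    return residue_bytes(&ue, sizeof(ue));
}

int main(void)
{
    struct ue_entry ue;

    fill_entry(&ue);
    scrub_first_byte_only(&ue);
    printf("after ue_passwd[0] = '\\0': strlen=%zu, non-zero bytes=%zu, bytes 1..: %s\n",
           strlen(ue.ue_passwd),
           residue_bytes(ue.ue_passwd, sizeof(ue.ue_passwd)),
           ue.ue_passwd + 1);

    scrub_whole_entry(&ue);
    printf("after memset of the whole entry: non-zero bytes=%zu\n",
           residue_bytes(&ue, sizeof(ue)));
    return 0;
}
```

Build with `cc -O2 -Wall` and run it: the first line reports strlen 0 but 18 non-zero bytes and prints the remainder of the constructed password from byte 1 on; the second reports 0. Dropping the volatile pointer and calling memset() directly is enough for an optimizing compiler to elide the clear in the final use of a local, which is why a plain memset() is not a reliable scrub and why portable OpenSSH ships explicit_bzero() in openbsd-compat.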