Re: OpenSSH 3.5p1 Remote Root Exploit for FreeBSD

[Dag-Erling Smørgrav <des () des no>]

There is absolutely no way the bug is in auth2-pam-freebsd.c.  It is
clearly a stack smash, and auth2-pam-freebsd.c never inspects, modifies
or stores the user name, or handle it in any way except:

 - receive a pointer to it from openssh and pass it on to pam_start().

 - receive a pointer to it from libpam and pass it on to setproctitle()
   or debug() with appropriate format strings.

The buffer overflow is either somewhere downstream of pam_start() or in
a module.  Running sshd with -d should tell you which; if it's in
pam_start(), the last message you'll see is "PAM: initializing for
$user".  If you see anything after that (the next message should be
"PAM: setting PAM_RHOST to $rhost"), it's in a module.

You can also comment out the entire contents of /etc/pam.d/sshd and add
the following at the bottom:

auth            required        pam_permit.so
account         required        pam_permit.so
session         required        pam_permit.so
password        required        pam_permit.so

Then run the exploit.  If it still works, the bug is in libpam; if it
doesn't, it's in a module.  You can figure out which module by
uncommenting lines, one by one, until the exploit starts working again.

BTW, libpam in 4.11 is not "the FreeBSD pam library itself", it's
Linux-PAM, which is--or at least was, at the time--a pile of dogshit.
FreeBSD didn't get its own PAM library (OpenPAM) until 5.0.

DES
-- 
Dag-Erling Smørgrav - des () des no

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/