Full Disclosure mailing list archives
Re: OpenSSH 3.5p1 Remote Root Exploit for FreeBSD
From: Markus Friedl <mfriedl () gmail com>
Date: Wed, 6 Jul 2011 19:53:55 +0200
no need to call pam dogshit :). the bug is neither in auth2-pam-freebsd.c nor libpam. it's last years libopie bug (CVE-2010-1938). http://twitter.com/msfriedl/status/87114829789278208 and follow ups. -m On Wed, Jul 06, 2011 at 11:54:29AM +0200, Dag-Erling Smørgrav wrote:
There is absolutely no way the bug is in auth2-pam-freebsd.c. It is clearly a stack smash, and auth2-pam-freebsd.c never inspects, modifies or stores the user name, or handle it in any way except: - receive a pointer to it from openssh and pass it on to pam_start(). - receive a pointer to it from libpam and pass it on to setproctitle() or debug() with appropriate format strings. The buffer overflow is either somewhere downstream of pam_start() or in a module. Running sshd with -d should tell you which; if it's in pam_start(), the last message you'll see is "PAM: initializing for $user". If you see anything after that (the next message should be "PAM: setting PAM_RHOST to $rhost"), it's in a module. You can also comment out the entire contents of /etc/pam.d/sshd and add the following at the bottom: auth required pam_permit.so account required pam_permit.so session required pam_permit.so password required pam_permit.so Then run the exploit. If it still works, the bug is in libpam; if it doesn't, it's in a module. You can figure out which module by uncommenting lines, one by one, until the exploit starts working again. BTW, libpam in 4.11 is not "the FreeBSD pam library itself", it's Linux-PAM, which is--or at least was, at the time--a pile of dogshit. FreeBSD didn't get its own PAM library (OpenPAM) until 5.0. DES -- Dag-Erling Sm?rgrav - des () des no
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: OpenSSH 3.5p1 Remote Root Exploit for FreeBSD Darren Tucker (Jul 01)
- <Possible follow-ups>
- Re: OpenSSH 3.5p1 Remote Root Exploit for FreeBSD Dag-Erling Smørgrav (Jul 06)
- Re: OpenSSH 3.5p1 Remote Root Exploit for FreeBSD Markus Friedl (Jul 06)