Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. OpenSSH>
  3. Bugs
[Bug 676] auth-pam.c trashes stack in sshpam_thread_conv() with more than one message
bugzilla-daemon at mindrot
Sep 17, 2003, 11:57 PM
Post #1 of 5 (700 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=676

Summary: auth-pam.c trashes stack in sshpam_thread_conv() with
more than one message
Product: Portable OpenSSH
Version: 3.7p1
Platform: UltraSparc
OS/Version: Solaris
Status: NEW
Severity: security
Priority: P2
Component: PAM support
AssignedTo: openssh-bugs@mindrot.org
ReportedBy: paul.a.bolton@bt.com


If a PAM module has more than one message set in a single conversation, hence
more than one response, auth-pam.c will start trashing the stack. This was run
on Solaris 8 with patch 108993-22. This had been noticed as we were experiencing
SIGBUS faults from sshd.

The problem seems to be in sshpam_thread_conv() in that the 3rd argument (struct
pam_response **resp) is treated as a array of pointers to struct pam_response
and not a pointer to an array of struct pam_response.

This only occurs if the PAM module has more than one response.

Obviously, as the responses are from the unauthenticated user and in effect
start trampling on the stack (first to go is the msg struct) that this could be
exploitable.

Code will be attached of the change. As for whether this could be exploitable, I
haven't looked into this side of the problem sufficiently to answer this.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 676] auth-pam.c trashes stack in sshpam_thread_conv() with more than one message [ In reply to ]
bugzilla-daemon at mindrot
Sep 18, 2003, 12:01 AM
Post #2 of 5 (701 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=676





------- Additional Comments From paul.a.bolton@bt.com 2003-09-18 18:01 -------
Created an attachment (id=423)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=423&action=view)
change references to the PAM resp structure as described in the bug




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 676] auth-pam.c trashes stack in sshpam_thread_conv() with more than one message [ In reply to ]
bugzilla-daemon at mindrot
Sep 18, 2003, 1:05 AM
Post #3 of 5 (697 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=676

djm@mindrot.org changed:

What |Removed |Added
----------------------------------------------------------------------------
groupset|0 |256



------- Additional Comments From djm@mindrot.org 2003-09-18 19:05 -------
Please don't use context diffs, unified diffs are much easier to read.

Marking bug private




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 676] auth-pam.c trashes stack in sshpam_thread_conv() with more than one message [ In reply to ]
bugzilla-daemon at mindrot
Sep 18, 2003, 1:06 AM
Post #4 of 5 (691 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=676





------- Additional Comments From djm@mindrot.org 2003-09-18 19:06 -------
Created an attachment (id=426)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=426&action=view)
Don't clobber pam replies

Maybe this



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 676] auth-pam.c trashes stack in sshpam_thread_conv() with more than one message [ In reply to ]
bugzilla-daemon at mindrot
Sep 18, 2003, 2:32 AM
Post #5 of 5 (691 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=676





------- Additional Comments From paul.a.bolton@bt.com 2003-09-18 20:32 -------
That works.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal