Jedi/Sector One's random thoughts

Another OpenSSH-portable vulnerability?

written by jedi on July 9th, 2008 @ 09:42 AM

Yet another vulnerability in the PAM code of OpenSSH-portable. A basic format-string bug. Of course if you are running FreeBSD, the base OpenSSH is as affected as the port. Of course, almost every Linux distro is affected. And of course the latest release (5.0) is affected.

Simple fix:

Edit auth1.c and replace

        packet_disconnect(msg);

with

        packet_disconnect("%s", msg);

OpenBSD is not affected, this is only in OpenSSH-portable.

Published today by Mrdkaaa for the pwnie awards.

Update: it doesn't seem exploitable in the real world, though, see That thread, pointed out by Greg (thanks!)

3 comments

Comments

Timo on 09 Jul 18:44

I’ve been reading your blog through RSS, and noticed that the links point to http://127.0.0.1:3000/ instead of http://00f.net/
Denis on 09 Jul 20:22

Same comment as Timo :)

Plus, I think you have a typo in your post : s/OpenBSD/OpenSSH/ ;)
Greg on 10 Jul 11:50

Thanx to bringing this bug to our attention :).

I guess he would say OpenBSD’s OpenSSH (not the same source code as OpenSSH-Portable).

In complement, see the thread on openssh-unix-dev: loginmsg bug . This bug doesn’t seem exploitable (or if someone – with no local account and write permissions on PAM files – find a way to control loginmsg :) ).

Comments are closed

Frank DENIS

Here's my little blog about computing, music, nails and everything cool.

Search

Recent

Articles feed

How to flush the resolver cache on OSX (November 20th)
Recent security flaws you might care about (November 18th)
Yet another fast CSS3 selector implementation (November 12th)
Big life secret: how I manage my money (November 7th)
What's the fastest in-memory associative arrays library? (November 6th)
Source Wars, an overview of OpenBSD 4.4 by its coders (November 5th)
A zero-knowledge password authentication method (November 4th)
GEMA is now open source (November 2nd)
Yes, 6 x 9 = 42 (November 2nd)
Online version of OpenOffice.org 3 (October 29th)
C++ backend for haXe and AS3->haXe converter (October 28th)
Don't forget that clickjacking is still with us (October 27th)
Optimize your Firefox SQLite databases (October 26th)
Matthew Dillon's NYCBSDCon 2008 slides (October 26th)
Ruby off Rails (October 26th)

Comments feed

doxa on Big life secret: how I manage my money
H on Recent security flaws you might care about
paul tergeist on Big life secret: how I manage my money
xave on Optimize your Firefox SQLite databases
Frank on Big life secret: how I manage my money
Damien on Big life secret: how I manage my money
Mathieu on Big life secret: how I manage my money
doxa on Big life secret: how I manage my money
Steve F. on What's the fastest in-memory associative arrays library?
Julien on Big life secret: how I manage my money
JDall on Optimize your Firefox SQLite databases
Jean-Baptiste Quenot on Yes, 6 x 9 = 42
minusf on A messy list of worthy software, part #1
minusf on A messy list of worthy software, part #1
Jedi on Prototype 1.6.0.3 has been released

tags:

00f,blog adams age ajax apache maxkeepaliverequests assembler assembly audition,ears authentication bank benchmark,ruby,php blog bluetooth,sniffer bouncer broadcom,wireless browser bugs cabinet cache center chrome clickjacking close code insee code postal communes concurrency connection coordonnées cosinus crypto css css3 data database database engine disk scheduler djb dns douglas dragonflybsd dying ecommerce emacs embedded engine excel explorer fast fastcgi fdm filesystem filesystem,chironfs filesystems,ufs2 firefox flash gema gentoo gettext google graphics hack hammer hash haxe hip-hop http ie internet internet explorer,memory leaks ip ipv6 ipv6,bsd,itojun is java java,javascript,coma javascript joke jpake libpuzzle library lighttpd linux lockless mail markdown,textile,bbcode,rendering mda memory,cluster metasploit microsoft moderation,spam,crm114 money myisam mysql mysql,myisam,concurrency mysql,udf,variables nginx nostalgy objects online openbsd openbsd 4.1 openbsd kernel tlb openbsd,buffer,cache openbsd,song openoffice openoffice,osx openssh openssl opera optimization os,counters osx pacman pake patch,mbuf,ipv6 photoshop,graphics php php 5.2.5 php optimization php sucks process,alarmer,timeout project management prototype puzzle,library,similar,images raid raid,megaraid rails rails,scalability reiser resolver rest,http,put ruby scalability security security,openbsd,ipv6 selector server shared sinatra sinus software spam sql subdomain tokyo translation,html,gettext trends trigo tyrant ucarp vmware vulnerability vulnerability,php,phpinfo web webdav xbox xbox OpenBSD xhtml xmlhttprequest xsrf yahoo yougetit zfs

Misc

Projects: Pure-FTPd; La coterie
Cool links: OpenBSD; Typhon

Options:

Colors

orange
blue
green
pink
cyan
red
violet

Sections

Another OpenSSH-portable vulnerability?

posted in:

tags:

comments are closed

Comments

Comments are closed

Frank DENIS

Search

Recent

Archives

Categories

tags:

Misc

Options:

Size

Colors