bugzilla-daemon at mindrot.org
2003-Sep-18 07:57 UTC
[Bug 676] auth-pam.c trashes stack in sshpam_thread_conv() with more than one message
http://bugzilla.mindrot.org/show_bug.cgi?id=676
Summary: auth-pam.c trashes stack in sshpam_thread_conv() with more than one message
Product: Portable OpenSSH
Version: 3.7p1
Platform: UltraSparc
OS/Version: Solaris
Status: NEW
Severity: security
Priority: P2
Component: PAM support
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: paul.a.bolton at bt.com
If a PAM module has more than one message set in a single conversation, hence
more than one response, auth-pam.c will start trashing the stack. This was run
on Solaris 8 with patch 108993-22. This had been noticed as we were experiencing
SIGBUS faults from sshd.
The problem seems to be in sshpam_thread_conv() in that the 3rd argument (struct
pam_response **resp) is treated as an array of pointers to struct pam_response
and not a pointer to an array of struct pam_response.
This only occurs if the PAM module has more than one response.
Obviously, as the responses are from the unauthenticated user and in effect
start trampling on the stack (first to go is the msg struct), this could be
exploitable.
Code will be attached of the change. As for whether this could be exploitable, I
haven't looked into this side of the problem sufficiently to answer this.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
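The contract the report describes, as an added illustration (not code from OpenSSH or from this bug's attachments): libpam hands the conversation function the address of a single caller-owned `struct pam_response *`, and the callee must allocate one contiguous array of `num_msg` responses and store its base through that pointer; the responses are then read back as `(*resp)[i]`. The `pam_message`/`pam_response` structs and PAM constants below are constructed stand-ins with Linux-PAM's layout and values so the example builds without libpam, the `const` on the message parameter follows Linux-PAM (Solaris declares it without `const`), and `demo_conv`, `demo_appdata` and the canned answers are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L   /* strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins mirroring the PAM structures in <security/pam_appl.h>
 * (Linux-PAM field order and values), so this builds without libpam. */
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp;    int resp_retcode; };
#define PAM_SUCCESS         0
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF 1
#define PAM_ERROR_MSG       3
#define PAM_TEXT_INFO       4

/* Assumed appdata: canned answers standing in for the client's replies. */
struct demo_appdata { const char **answers; int nanswers; int next; };

/* Conversation callback that honours the contract: `resp` is the address of
 * ONE caller-owned pointer, so we allocate ONE contiguous array of num_msg
 * responses and write its base through *resp exactly once.  Indexing
 * `resp[i]` instead (the reading the bug describes) treats that single
 * pointer as element 0 of an array of pointers and writes past it for every
 * message after the first. */
static int demo_conv(int num_msg, const struct pam_message **msg,
                     struct pam_response **resp, void *appdata_ptr)
{
    struct demo_appdata *ad = appdata_ptr;
    struct pam_response *reply;
    int i;

    if (num_msg <= 0 || msg == NULL || resp == NULL || ad == NULL)
        return PAM_CONV_ERR;
    *resp = NULL;
    if ((reply = calloc((size_t)num_msg, sizeof(*reply))) == NULL)
        return PAM_CONV_ERR;

    for (i = 0; i < num_msg; i++) {
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_OFF:           /* needs an answer */
            if (ad->next >= ad->nanswers ||
                (reply[i].resp = strdup(ad->answers[ad->next++])) == NULL)
                goto fail;
            break;
        case PAM_ERROR_MSG:
        case PAM_TEXT_INFO:                 /* informational: resp stays NULL */
            break;
        default:
            goto fail;
        }
    }
    *resp = reply;
    return PAM_SUCCESS;

fail:
    for (i = 0; i < num_msg; i++)
        free(reply[i].resp);
    free(reply);
    return PAM_CONV_ERR;
}

/* Library/module side: three messages in one conversation, replies walked as
 * libpam does, via (*resp)[i].  Returns 1 if each reply sits at its own index. */
static int replies_land_in_place(void)
{
    const char *answers[] = { "correct horse", "battery staple" }; /* constructed */
    struct demo_appdata ad = { answers, 2, 0 };
    struct pam_message m0 = { PAM_PROMPT_ECHO_OFF, "Password: " };
    struct pam_message m1 = { PAM_TEXT_INFO, "Second factor required" };
    struct pam_message m2 = { PAM_PROMPT_ECHO_OFF, "Token: " };
    const struct pam_message *msgs[] = { &m0, &m1, &m2 };
    struct pam_response *resp = NULL;       /* the single pointer libpam owns */
    int i, ok;

    if (demo_conv(3, msgs, &resp, &ad) != PAM_SUCCESS || resp == NULL)
        return 0;
    ok = resp[0].resp != NULL && strcmp(resp[0].resp, "correct horse") == 0
      && resp[1].resp == NULL
      && resp[2].resp != NULL && strcmp(resp[2].resp, "battery staple") == 0;
    for (i = 0; i < 3; i++)
        free(resp[i].resp);
    free(resp);
    return ok;
}

int main(void)
{
    int ok = replies_land_in_place();
    printf("three-message conversation: %s\n", ok ? "replies intact" : "FAILED");
    return ok ? 0 : 1;
}
```

Two points carry over to any conversation function: everything the callee writes goes into the heap array it allocated (libpam frees each `resp` and then the array), and the one pointer store `*resp = reply` is the only write through the argument, so a module that raises several prompts at once never causes the callee to touch anything beyond what the caller provided.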
bugzilla-daemon at mindrot.org
2003-Sep-18 08:01 UTC
[Bug 676] auth-pam.c trashes stack in sshpam_thread_conv() with more than one message
http://bugzilla.mindrot.org/show_bug.cgi?id=676
------- Additional Comments From paul.a.bolton at bt.com 2003-09-18 18:01 -------
Created an attachment (id=423)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=423&action=view)
change references to the PAM resp structure as described in the bug
bugzilla-daemon at mindrot.org
2003-Sep-18 09:05 UTC
[Bug 676] auth-pam.c trashes stack in sshpam_thread_conv() with more than one message
http://bugzilla.mindrot.org/show_bug.cgi?id=676
djm at mindrot.org changed:
What     |Removed |Added
------------------------
groupset |0       |256
------- Additional Comments From djm at mindrot.org 2003-09-18 19:05 -------
Please don't use context diffs, unified diffs are much easier to read.
Marking bug private
bugzilla-daemon at mindrot.org
2003-Sep-18 09:06 UTC
[Bug 676] auth-pam.c trashes stack in sshpam_thread_conv() with more than one message
http://bugzilla.mindrot.org/show_bug.cgi?id=676
------- Additional Comments From djm at mindrot.org 2003-09-18 19:06 -------
Created an attachment (id=426)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=426&action=view)
Don't clobber pam replies
Maybe this
bugzilla-daemon at mindrot.org
2003-Sep-18 10:32 UTC
[Bug 676] auth-pam.c trashes stack in sshpam_thread_conv() with more than one message
http://bugzilla.mindrot.org/show_bug.cgi?id=676
------- Additional Comments From paul.a.bolton at bt.com 2003-09-18 20:32 -------
That works.