I was reading this SecurID patch to openssh-3.1p1,

    List: openssh-unix-dev
    Subject: SecurID support for OpenSSH
    From: Václav Tomec <v_t_m at seznam.cz>
    Date: 2002-03-25 14:53:34

and think I've found a couple bugs, the patch for which is included below.
First there's an #ifdef'd if-statement which applies to either another
if-statement or to a free(). Second is a buffer overrun on a 512-byte array.
This *might* be only exploitable by root (or whoever runs sshd), if so then
no big deal. I didn't look too deeply; it was easier to fix than to figure
out how exploitable it is. The other fixed size arrays in the patch look safe.

*** openssh-3.1p1/auth2.c.orig	Thu Apr  4 15:38:07 2002
--- openssh-3.1p1/auth2.c	Thu Apr  4 15:38:46 2002
***************
*** 425,431 ****
--- 425,433 ----
  #if defined (SECURID) || defined (SECURID_OLD)
  	if (!authenticated && options.securid_authentication_via_kbd_int)
  		authenticated = auth_securid_kbd_int(authctxt, lang);
+ #ifdef USE_PAM
  	if (!authenticated && options.securid_fallback)
+ #endif
  #endif
  #ifdef USE_PAM
  	if (authenticated == 0 && options.pam_authentication_via_kbd_int)
*** openssh-3.1p1/auth2-securid3.c.orig	Thu Apr  4 15:21:45 2002
--- openssh-3.1p1/auth2-securid3.c	Thu Apr  4 15:38:00 2002
***************
*** 142,148 ****
  		debug("Couldn't read /etc/sdace.txt");
  		retval = 0;
  	} else {
! 		fscanf(pfdAcefile, "%s", szVarAce);
  		fclose(pfdAcefile);
  		if (putenv(szVarAce)) {
  			debug("Cannot putenv: %s", szVarAce);
--- 142,148 ----
  		debug("Couldn't read /etc/sdace.txt");
  		retval = 0;
  	} else {
! 		fscanf(pfdAcefile, "%511s", szVarAce);
  		fclose(pfdAcefile);
  		if (putenv(szVarAce)) {
  			debug("Cannot putenv: %s", szVarAce);

-- 
"My company prefers to have that kind of decision made by uninformed
executives. We call it "Empowerment". --Dilbert
staatsvr at asc.hpc.mil   Vern Staats, ASC/HPTS, WPAFB OH 45433, 937-255-1616
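Review bot: in the auth2.c hunk, `if (!authenticated && options.securid_fallback)` remains a conditional with no visible body; after the added `#ifdef USE_PAM` its statement is the `if (authenticated == 0 && options.pam_authentication_via_kbd_int)` that follows the two `#endif`s, and nothing in the source makes that pairing explicit, so a later edit that inserts anything between the `#endif` and the PAM block silently changes which statement the fallback test guards. Suggest giving the fallback test an explicit braced body around the PAM attempt (or a comment stating that it guards the PAM block), and noting that in a build without USE_PAM the `securid_fallback` option is now compiled away rather than rejected.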
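Review bot: in the auth2-securid3.c hunk, the `!` line bounds the read to 511 characters but still ignores fscanf's return value, so a whitespace-only or empty /etc/sdace.txt leaves szVarAce unassigned and the next line hands it to putenv anyway; check `fscanf(...) == 1` before the `putenv(szVarAce)` call and take the existing `retval = 0` path otherwise. The hard-coded 511 should also be derived from the array's declaration (a width built from `sizeof(szVarAce) - 1`) so the two cannot drift apart, and since putenv keeps the pointer it is given, szVarAce must not be a buffer that goes out of scope after this function returns.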
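The 512-byte overrun described above comes from reading a token with an unbounded "%s". As an added example (not code from the post or from the SecurID patch), this helper derives the field width from the buffer size and checks the result, and runs over constructed in-memory stand-ins for /etc/sdace.txt; the function names and the sample value are invented here.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

/* Same size as the szVarAce array the patch bounds with "%511s". */
#define ACE_BUF_SIZE 512

/* Read the first whitespace-delimited token of fp into buf, writing at most
 * bufsz bytes including the NUL. The width is derived from bufsz, so a
 * longer token is truncated instead of overrunning buf as a bare "%s" would.
 * Returns 1 on success, 0 if no token was read (buf is then ""). */
static int read_token_bounded(FILE *fp, char *buf, size_t bufsz)
{
    char fmt[32];

    buf[0] = '\0';
    /* bufsz - 1 leaves room for the terminator: "%511s" for a 512-byte buf. */
    snprintf(fmt, sizeof fmt, "%%%zus", bufsz - 1);
    return fscanf(fp, fmt, buf) == 1;
}

/* Run the bounded read over constructed file contents held in memory, standing
 * in for /etc/sdace.txt. Returns read_token_bounded's result, -1 on open error. */
static int scan_constructed(const char *contents, char *buf, size_t bufsz)
{
    FILE *fp = fmemopen((void *)contents, strlen(contents), "r");
    int ok;

    if (fp == NULL)
        return -1;
    ok = read_token_bounded(fp, buf, bufsz);
    fclose(fp);
    return ok;
}

int main(void)
{
    char ace[ACE_BUF_SIZE], oversized[601];
    int ok;

    memset(oversized, 'A', 600);          /* 600 'A's: longer than the buffer */
    oversized[600] = '\0';
    ok = scan_constructed(oversized, ace, sizeof ace);
    printf("long token: ok=%d kept=%zu chars\n", ok, strlen(ace));   /* 511 */
    ok = scan_constructed(" \n", ace, sizeof ace);  /* whitespace-only file */
    printf("blank file: ok=%d\n", ok);               /* 0: nothing to putenv */
    ok = scan_constructed("VAR_ACE=/var/ace\n", ace, sizeof ace);  /* constructed */
    printf("normal: ok=%d value=%s\n", ok, ace);
    return 0;
}
```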