thr3ads.net - openssh bugs - [Bug 3255] New: Problem in Pattern matching [Jan 2021]

If this information is useful, please help other people find it:
Share via:

bugzilla-daemon at mindrot.org

2021-Jan-24 18:08 UTC

[Bug 3255] New: Problem in Pattern matching

https://bugzilla.mindrot.org/show_bug.cgi?id=3255

            Bug ID: 3255
           Summary: Problem in Pattern matching
           Product: Portable OpenSSH
           Version: 8.4p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: security
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: andres at antai-group.com

Created attachment 3467
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3467&action=edit
PoC - triggers infinite loop in match_pattern()

I have just uncovered a problem that seems to occur in match_pattern(),
a malcrafted input can send the function into an infinite loop.

NOTE: As match_pattern() is invoked from auth.c [allowed_user() ->
ga_match() -> match_pattern() ] for authentication checks, there could
be a security impact under a some contexts, this needs to be
investigated. Just in case, I am opening the issue as private.

This affects both, the server (sshd) and the client (ssh - if you load
a config file).

Impact
- Availability of server/client application
- There could be impact on confidentiality - call flow from from auth.c
to ga_match() -> ga_match() -> match_pattern() has to be investigated.

I am attaching a test scenario in which client/server get stock in
match_pattern() loop when attempting to load a malcrafted config file.
Filename: "infinite-loop.conf"

Quick Testing: 

SERVER
/usr/sbin/sshd -f infinite-loop.conf

CLIENT
ssh -F infinite-loop.conf localhost

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

bugzilla-daemon at mindrot.org

2021-Jan-24 23:41 UTC

head link

[Bug 3255] Problem in Pattern matching

https://bugzilla.mindrot.org/show_bug.cgi?id=3255

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
This was mitigated last year in commit 05bcd0cadf160fd4 and should be
in the next release. It is still possible to make matching misbehave
using combinations of '*' and '?'.

How do you figure this has a confidentiality impact?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

openssh bugs - Jan 2021 - [Bug 3255] New: Problem in Pattern matching

[Bug 3255] New: Problem in Pattern matching

[Bug 3255] Problem in Pattern matching