bugzilla-daemon at mindrot.org
2021-Jan-24 18:08 UTC
[Bug 3255] New: Problem in Pattern matching
https://bugzilla.mindrot.org/show_bug.cgi?id=3255

Bug ID: 3255
Summary: Problem in Pattern matching
Product: Portable OpenSSH
Version: 8.4p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: security
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: andres at antai-group.com

Created attachment 3467
--> https://bugzilla.mindrot.org/attachment.cgi?id=3467&action=edit
PoC - triggers infinite loop in match_pattern()

I have just uncovered a problem that seems to occur in match_pattern(): a maliciously crafted input can send the function into an infinite loop.

NOTE: As match_pattern() is invoked from auth.c [allowed_user() -> ga_match() -> match_pattern()] for authentication checks, there could be a security impact under some contexts; this needs to be investigated. Just in case, I am opening the issue as private.

This affects both the server (sshd) and the client (ssh, if you load a config file).

Impact
- Availability of server/client application
- There could be an impact on confidentiality; the call flow from auth.c to ga_match() -> match_pattern() has to be investigated.

I am attaching a test scenario in which client/server get stuck in the match_pattern() loop when attempting to load a maliciously crafted config file.

Filename: "infinite-loop.conf"

Quick Testing:

SERVER
/usr/sbin/sshd -f infinite-loop.conf

CLIENT
ssh -F infinite-loop.conf localhost

--
You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2021-Jan-24 23:41 UTC
[Bug 3255] Problem in Pattern matching
https://bugzilla.mindrot.org/show_bug.cgi?id=3255

Damien Miller <djm at mindrot.org> changed:

           What    |Removed    |Added
----------------------------------------------------------------------------
                 CC|           |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
This was mitigated last year in commit 05bcd0cadf160fd4 and should be in the next release. It is still possible to make matching misbehave using combinations of '*' and '?'.

How do you figure this has a confidentiality impact?
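As an added illustration of the defensive side of this thread (this is not OpenSSH's match_pattern() and not the approach taken in the commit named above), the matcher below handles '?' and '*' without recursion, so its worst-case cost stays proportional to the product of the string and pattern lengths however the two wildcards are combined, whereas a matcher that recursively retries every suffix for each '*' can take time exponential in the number of wildcards. The helper demo_worst_case() and its 400-character input are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/*
 * Illustrative '?'/'*' glob matcher (not OpenSSH's match_pattern()).
 * It never recurses: on a mismatch it retries from the most recent '*'
 * one character further along s, so total work is at most about
 * (len(s)+1)*(len(p)+1) iterations whatever mix of '*' and '?' p holds.
 * Returns 1 on match, 0 on mismatch; *steps receives the iteration count.
 */
int glob_match_bounded(const char *s, const char *p, size_t *steps)
{
    const char *star = NULL;  /* pattern position just after the last '*' */
    const char *ss = NULL;    /* string position where that '*' started */
    size_t n = 0;
    while (*s) {
        n++;
        if (*p == '?' || *p == *s) {
            s++; p++;                 /* one character matched */
        } else if (*p == '*') {
            star = ++p;               /* let '*' match the empty string first */
            ss = s;
        } else if (star != NULL) {
            p = star;                 /* extend the last '*' by one character */
            s = ++ss;
        } else {
            if (steps) *steps = n;
            return 0;                 /* no '*' to fall back on */
        }
    }
    while (*p == '*') { n++; p++; }   /* trailing '*'s match the empty string */
    if (steps) *steps = n;
    return *p == '\0';
}

/* Constructed stress input (an assumption of this example): 400 'a's against
 * a wildcard-heavy pattern that cannot match. Returns the step count and,
 * via the out-params, the lengths needed to check the bound. */
size_t demo_worst_case(size_t *len_s, size_t *len_p)
{
    static char s[401];
    const char *p = "*?*?*?*?*?x";
    size_t steps = 0;
    memset(s, 'a', sizeof(s) - 1);
    s[sizeof(s) - 1] = '\0';
    (void)glob_match_bounded(s, p, &steps);
    if (len_s) *len_s = strlen(s);
    if (len_p) *len_p = strlen(p);
    return steps;
}
```

The step count returned by demo_worst_case() stays under (len(s)+1)*(len(p)+1), which is the property a deployment would want from any matcher fed attacker-influenced patterns or strings.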