bugzilla-daemon at mindrot.org
2004-Jan-13 10:55 UTC
[Bug 787] Minor security problem due to use of deprecated NGROUPS_MAX in uidswap.c (sshd)
http://bugzilla.mindrot.org/show_bug.cgi?id=787
Summary: Minor security problem due to use of deprecated
NGROUPS_MAX in uidswap.c (sshd)
Product: Portable OpenSSH
Version: 3.7.1p2
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: holger at van-lengerich.de
I am able to produce the following behaviour by sshd on Solaris 2.8 and Linux
2.4.23, when NGROUPS_MAX at runtime is larger than at compile-time:
On both systems "fatal: getgroups: Invalid argument" gets logged via
syslog
and the sshd is terminating before any authentication is attempted. I located
the problem in uidswap.c, where deprecated NGROUPS_MAX is used.
NGOUPS_MAX is defined in limits.h and tells the maximum number
of groups which an account can be member of. As NGROUPS_MAX is determined at
compile-time, this limit gets hardcoded into the resulting binary. As
NGROUPS_MAX may be larger at runtime than at compile-time it should be
regarded as deprecated and sysconf(_SC_NGROUPS_MAX) should be used instead.
(see APUE 2.4.5 also)
In uidswap.c, line 41 NGROUPS_MAX is used to initialize static arrays in
global context. These 2 occurances of NGROUPS_MAX cannot be substituted
through sysconf(_SC_NGROUPS_MAX) easily as memory has to be allocated at
runtime.
In the same file NGROUPS_MAX is referenced in line 72 an 81. These occurances
can be replaced easily, once memory for the arrays is allocated according to
sysconf(_SC_NGROUPS_MAX).
This bug also constitutes a minor security problem as it may be exploited to
remotely enumerate accounts, which are member of more then NGROUPS_MAX at
compile-time.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2004-Feb-06 08:44 UTC
[Bug 787] Minor security problem due to use of deprecated NGROUPS_MAX in uidswap.c (sshd)
http://bugzilla.mindrot.org/show_bug.cgi?id=787
dtucker at zip.com.au changed:
What |Removed |Added
----------------------------------------------------------------------------
OtherBugsDependingO| |793
nThis| |
Status|NEW |ASSIGNED
------- Additional Comments From dtucker at zip.com.au 2004-02-06 19:44 -------
I will look at this.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2004-Feb-06 09:44 UTC
[Bug 787] Minor security problem due to use of deprecated NGROUPS_MAX in uidswap.c (sshd)
http://bugzilla.mindrot.org/show_bug.cgi?id=787 ------- Additional Comments From dtucker at zip.com.au 2004-02-06 20:44 ------- Created an attachment (id=539) --> (http://bugzilla.mindrot.org/attachment.cgi?id=539&action=view) Use sysconf where available for NGROUPS_MAX. Please try this patch. Note: treat with *extreme* suspicion: it contains some pointer-fu and compiled first try without warnings, so Murphy can't be far away... ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2004-Feb-06 12:28 UTC
[Bug 787] Minor security problem due to use of deprecated NGROUPS_MAX in uidswap.c (sshd)
http://bugzilla.mindrot.org/show_bug.cgi?id=787 ------- Additional Comments From djm at mindrot.org 2004-02-06 23:28 ------- (From update of attachment 539)>Index: defines.h >==================================================================>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/defines.h,v >retrieving revision 1.109 >diff -u -p -r1.109 defines.h >--- defines.h 27 Jan 2004 05:40:35 -0000 1.109 >+++ defines.h 6 Feb 2004 09:27:45 -0000 >@@ -541,6 +541,10 @@ struct winsize { > # define SSH_SYSFDMAX 10000 > #endif > >+#ifdef HAVE_SYSCONF >+# undef NGROUPS_MAX >+# define NGROUPS_MAX (sysconf(_SC_NGROUPS_MAX))I think that should be: #if defined(HAVE_SYSCONF) && defined(_SC_NGROUPS_MAX) We also need to check for sysconf returning -1 I'm wary of this change for 3.8. Perhaps a static check for gid >= NGROUPS_MAX? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.