Aaron Hopkins
2000-Jul-07 22:05 UTC
Potentially insecure format string handling in PAM support
-----BEGIN PGP SIGNED MESSAGE-----
With the recent remote root Wu-ftpd exploit based upon incorrect format
string handling (processing user-supplied data as format strings), I've
taken to scanning any code with elevated permissions for similar problems.
I found one in the portable version of OpenSSH. It's only outputting
messages passed back by PAM, I think, so I don't think it's exploitable. But
the format string processing isn't needed here, so it should be painless to
remove.
Here's the patch.
-- Aaron
- --- auth-pam.c~ Thu Jun 22 04:44:54 2000
+++ auth-pam.c Fri Jul 7 14:57:16 2000
@@ -277,7 +277,7 @@
void print_pam_messages(void)
{
if (pam_msg != NULL)
- - fprintf(stderr, pam_msg);
+ fputs(pam_msg, stderr);
}
/* Append a message to the PAM message buffer */
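Review bot: print_pam_messages() has no comment recording that pam_msg is text handed back by PAM and must never be passed as a format argument, so a later cleanup could reintroduce the fprintf(stderr, pam_msg) form; a one-line comment above the fputs(pam_msg, stderr) call would guard against that. The hunk covers only this one call site, so the function that follows it ("Append a message to the PAM message buffer") and any other place that outputs pam_msg are worth checking for the same pattern in the same pass.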
Damien Miller
2000-Jul-08 00:14 UTC
Potentially insecure format string handling in PAM support
On Fri, 7 Jul 2000, Aaron Hopkins wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> With the recent remote root Wu-ftpd exploit based upon incorrect
> format string handling (processing user-supplied data as format
> strings), I've taken to scanning any code with elevated permissions
> for similar problems.
>
> I found one in the portable version of OpenSSH. It's only outputting
> messages passed back by PAM, I think, so I don't think it's
> exploitable. But the format string processing isn't needed here, so
> it should be painless to remove.

Thanks - applied.

--d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
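The difference between the two calls discussed in this thread, as an added C example (not code from OpenSSH or from either poster). The function names and the sample message are constructed for illustration, and snprintf into a buffer stands in for fprintf/fputs on stderr so the result can be inspected.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: text a PAM module might hand back.
 * The "%%" is part of the message data, not a format directive. */
static const char SAMPLE_MSG[] = "Quota at 100%% of limit\n";

/* Pre-patch pattern: the message itself is used as the format string.
 * Compilers report this under -Wformat-security; silenced here only so
 * the pattern can be shown next to its replacement. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static int render_as_format(char *dst, size_t n, const char *msg)
{
    return snprintf(dst, n, msg);       /* msg is parsed for conversions */
}
#pragma GCC diagnostic pop

/* Post-patch behaviour: the message is copied as data and never parsed,
 * which is what fputs(pam_msg, stderr) does. */
static int render_as_data(char *dst, size_t n, const char *msg)
{
    return snprintf(dst, n, "%s", msg);
}

/* Audit helper (hypothetical): count '%' bytes in a message. Any non-zero
 * count means the text would be altered if it were used as a format. */
static size_t count_percent(const char *msg)
{
    size_t hits = 0;
    for (; *msg != '\0'; msg++)
        if (*msg == '%')
            hits++;
    return hits;
}

int main(void)
{
    char parsed[64], literal[64];

    render_as_format(parsed, sizeof parsed, SAMPLE_MSG);
    render_as_data(literal, sizeof literal, SAMPLE_MSG);
    printf("as format: %s", parsed);    /* the "%%" has been rewritten */
    printf("as data:   %s", literal);   /* the message is unchanged    */
    printf("'%%' bytes in message: %zu\n", count_percent(SAMPLE_MSG));
    return 0;
}
```

Building with `-Wformat -Wformat-security` and without the pragmas makes the compiler point at the first function, which is one way to find remaining call sites of this kind.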