Aaron Hopkins
2000-Jul-07 22:05 UTC
Potentially insecure format string handling in PAM support
With the recent remote root Wu-ftpd exploit based upon incorrect format string handling (processing user-supplied data as format strings), I've taken to scanning any code with elevated permissions for similar problems.

I found one in the portable version of OpenSSH. It's only outputting messages passed back by PAM, I think, so I don't think it's exploitable. But the format string processing isn't needed here, so it should be painless to remove.

Here's the patch.

-- Aaron

- --- auth-pam.c~ Thu Jun 22 04:44:54 2000 +++ auth-pam.c Fri Jul 7 14:57:16 2000 @@ -277,7 +277,7 @@ void print_pam_messages(void) { if (pam_msg != NULL) - - fprintf(stderr, pam_msg); + fputs(pam_msg, stderr); } /* Append a message to the PAM message buffer */
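Review bot: the hunk is PGP dash-escaped as posted, so the removed line reads `- - fprintf(stderr, pam_msg);` and the old-file header reads `- --- auth-pam.c~`; the leading "- " has to be stripped (as a signature check on the clear-signed text does) before the patch will apply. The replacement itself is right: `fputs(pam_msg, stderr)` writes the buffer as data, so a '%' in a PAM-supplied message is printed rather than parsed as a conversion directive, and the `if (pam_msg != NULL)` guard is kept unchanged. `fprintf(stderr, "%s", pam_msg)` would be an equivalent fix; fputs is the simpler of the two since no formatting is wanted here.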
Damien Miller
2000-Jul-08 00:14 UTC
Potentially insecure format string handling in PAM support
On Fri, 7 Jul 2000, Aaron Hopkins wrote:

> With the recent remote root Wu-ftpd exploit based upon incorrect
> format string handling (processing user-supplied data as format
> strings), I've taken to scanning any code with elevated permissions
> for similar problems.
>
> I found one in the portable version of OpenSSH. It's only outputting
> messages passed back by PAM, I think, so I don't think it's
> exploitable. But the format string processing isn't needed here, so
> it should be painless to remove.

Thanks - applied.

--d

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
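The bug this thread fixes, as an added example that is not OpenSSH's own code: a constructed stand-in for the PAM message buffer, a helper that counts the conversion directives a printf-style call would act on if the buffer were its format string, and the print routine written the way the patch has it (fputs, so the buffer is always data). The buffer name, its size and the append helper are assumptions; only `print_pam_messages` and `pam_msg` are names from the patch.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the buffer auth-pam.c fills from the PAM
 * conversation; its real size and handling are not shown in the thread. */
static char pam_msg[512];

/* Empty the buffer; returns its (zero) length. */
size_t pam_msg_reset(void)
{
    pam_msg[0] = '\0';
    return 0;
}

/* Append one message plus a newline; returns the buffer length afterwards.
 * A message that does not fit is truncated rather than overflowing. */
size_t pam_msg_append(const char *msg)
{
    size_t used = strlen(pam_msg);
    if (used + 1 < sizeof(pam_msg))
        snprintf(pam_msg + used, sizeof(pam_msg) - used, "%s\n", msg);
    return strlen(pam_msg);
}

/* Number of conversion directives printf would act on if s were its format,
 * i.e. arguments it would read that the caller never supplied; "%%" is a
 * literal percent sign and does not count. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;
        else
            n++;
    }
    return n;
}

/* The patched routine: fputs treats pam_msg as data, so any '%' in it is
 * printed, not interpreted. The pre-patch fprintf(stderr, pam_msg) made the
 * buffer the format string. Returns 0 if empty, 1 on success, -1 on error. */
int print_pam_messages(void)
{
    if (pam_msg[0] == '\0')
        return 0;
    return fputs(pam_msg, stderr) >= 0 ? 1 : -1;
}
```

A message such as "Usage at 95% of quota", which a PAM module could legitimately emit, already yields one directive, which is why the fix removes format processing entirely rather than trying to sanitise the text.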