Bill Parker
2016-Jan-13 17:56 UTC
Possible failure to scrub data in file 'openbsd-compat/bsd-cray.c' in OpenSSH-7.1p1
Hello All,

In reviewing some code in file 'bsd-cray.c', I found a possible issue where data in the following code may not be properly scrubbed in the case IA_BACKDOOR in function 'cray_setup', which is below:

        case IA_BACKDOOR:
                /* XXX: can we memset it to zero here so save some of this */
                strlcpy(ue.ue_name, "root", sizeof(ue.ue_name));
                strlcpy(ue.ue_dir, "/", sizeof(ue.ue_dir));
                strlcpy(ue.ue_shell, "/bin/sh", sizeof(ue.ue_shell));

                ue.ue_passwd[0] = '\0';
                ue.ue_age[0] = '\0';
                ue.ue_comment[0] = '\0';
                ue.ue_loghost[0] = '\0';
                ue.ue_logline[0] = '\0';

                ue.ue_uid = -1;
                ue.ue_nice[UDBRC_INTER] = 0;

where ue.ue_passwd[0] is set to NUL, there exists the potential that any data beyond ue.ue_passwd[0] is still accessible in memory, as the following test program demonstrates:

#include <stdio.h>

int main(void)
{
        unsigned int n;
        char ue[50] = "ABCDEFGHIJKLMNPOQRSTUVWXYZ0123456789";

        ue[0] = '\0';   /* set the first byte to NUL only */

        printf("Contents of char ue[0] is: %s\n", ue);

        printf("Contents of char ue[1-36] is:");

        /* walk past the NUL terminator and print what is still there */
        for (n = 1; n < 36; n++)
                printf("%c", ue[n]);
        printf("\n");

        return 0;
}

[bill at moocow ~]$ ./a.out
Contents of char ue[0] is:
Contents of char ue[1-36] is:BCDEFGHIJKLMNPOQRSTUVWXYZ0123456789

As you can see, data beyond ue[0] is still accessible. Should the code not be changed to use memset() to scrub any sensitive information still stored in various arrays in IA_BACKDOOR (and perhaps other areas of code in bsd-cray.c, etc.)?

Bill Parker (wp02855 at gmail dot com)
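The point of the post, carried through on a struct rather than a bare array, as an added example that is not part of the thread or of OpenSSH's code. The struct user_entry below is a constructed stand-in for the UDB entry in bsd-cray.c (the real field names and sizes are not reproduced), and the sample password is made up. It contrasts clearing only passwd[0], which makes the field look empty to any strlen()-based consumer while leaving the rest of the secret in memory, with wiping the whole field. secure_zero() is a local volatile-byte loop, used here because explicit_bzero()/memset_s() are not available in portable C.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the UDB user entry discussed in the post;
 * not the actual Cray struct. Only passwd matters for the demonstration. */
struct user_entry {
    char name[32];
    char passwd[64];    /* the sensitive field */
    char comment[64];
};

/* Zeroing routine the compiler cannot drop as a dead store: the volatile
 * qualifier forces every byte write to be emitted. Same intent as
 * explicit_bzero(), written locally so the example builds anywhere. */
void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Count bytes in buf[1..n-1] that are still non-zero, i.e. what a later
 * memory read (core dump, info leak, reuse of the struct) could recover. */
size_t leftover_bytes(const char *buf, size_t n)
{
    size_t count = 0;
    for (size_t i = 1; i < n; i++)
        if (buf[i] != '\0')
            count++;
    return count;
}

/* Does the field look empty to string-oriented code? */
int looks_empty(const struct user_entry *ue)
{
    return strlen(ue->passwd) == 0;
}

/* The pattern from the post: only the first byte is cleared. */
void scrub_first_byte(struct user_entry *ue)
{
    ue->passwd[0] = '\0';
}

/* The proposed fix: wipe the whole field. */
void scrub_whole_field(struct user_entry *ue)
{
    secure_zero(ue->passwd, sizeof(ue->passwd));
}

/* Build an entry holding a constructed sample secret (21 bytes). */
struct user_entry make_sample_entry(void)
{
    struct user_entry ue;
    memset(&ue, 0, sizeof(ue));
    strncpy(ue.name, "root", sizeof(ue.name) - 1);
    strncpy(ue.passwd, "Hunter2-sample-secret", sizeof(ue.passwd) - 1);
    return ue;
}

/* Bytes of the secret left behind after the first-byte scrub. */
size_t leftover_after_first_byte(void)
{
    struct user_entry ue = make_sample_entry();
    scrub_first_byte(&ue);
    return leftover_bytes(ue.passwd, sizeof(ue.passwd));
}

/* Bytes of the secret left behind after a full wipe. */
size_t leftover_after_secure_zero(void)
{
    struct user_entry ue = make_sample_entry();
    scrub_whole_field(&ue);
    return leftover_bytes(ue.passwd, sizeof(ue.passwd));
}

/* Whether the first-byte scrub still passes a strlen()-style emptiness check. */
int first_byte_scrub_looks_empty(void)
{
    struct user_entry ue = make_sample_entry();
    scrub_first_byte(&ue);
    return looks_empty(&ue);
}

int main(void)
{
    printf("after passwd[0] = '\\0': looks empty=%d, %zu non-zero bytes remain\n",
           first_byte_scrub_looks_empty(), leftover_after_first_byte());
    printf("after secure_zero():    %zu non-zero bytes remain\n",
           leftover_after_secure_zero());
    return 0;
}
```

Two practical notes. A plain memset() on a buffer that is never read again can legally be removed by the compiler as a dead store, which is why OpenSSH carries explicit_bzero() in openbsd-compat and why the example uses a volatile loop instead of memset(). And the leftover count is taken from index 1 onward precisely because the first-byte scrub makes strlen() report 0; a check based on strlen() alone would wrongly conclude the field was clean.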
Ben Lindstrom
2016-Jan-14 15:20 UTC
Possible failure to scrub data in file 'openbsd-compat/bsd-cray.c' in OpenSSH-7.1p1
This is for UNICOS Cray. And currently I know that the OS and hardware have been officially retired. I have a question in to one of my contacts at Cray to see if they know of any customers still running this old hardware, and if not then I'd suggest we strip the UNICOS port out as dead wood.

- Ben

Bill Parker wrote:
> Hello All,
>
> In reviewing some code in file 'bsd-cray.c', I found a possible
> issue where data in the following code may not be properly scrubbed
> in the case IA_BACKDOOR in function 'cray_setup', which is below:
>
>         case IA_BACKDOOR:
>                 /* XXX: can we memset it to zero here so save some of this
>                 */
>                 strlcpy(ue.ue_name, "root", sizeof(ue.ue_name));
>                 strlcpy(ue.ue_dir, "/", sizeof(ue.ue_dir));
>                 strlcpy(ue.ue_shell, "/bin/sh", sizeof(ue.ue_shell));
>
>                 ue.ue_passwd[0] = '\0';
>                 ue.ue_age[0] = '\0';
>                 ue.ue_comment[0] = '\0';
>                 ue.ue_loghost[0] = '\0';
>                 ue.ue_logline[0] = '\0';
>
>                 ue.ue_uid = -1;
>                 ue.ue_nice[UDBRC_INTER] = 0;
>
> where ue.ue_passwd[0] is set to NUL, there exists the potential that
> any data beyond ue.ue_passwd[0] is still accessible in memory as the
> following test program below demonstrates:
>
> #include <stdio.h>
>
> int main(void)
> {
>         unsigned int n, l;
>         char ue[50] = "ABCDEFGHIJKLMNPOQRSTUVWXYZ0123456789";
>
>         ue[0] = '\0';   /* set this to NULL */
>
>         printf("Contents of char ue[0] is: %s\n", ue);
>
>         printf("Contents of char ue[1-36] is:");
>
>         for (n = 1; n < 36; n++)
>                 printf("%c", ue[n]);
>         printf("\n");
>
>         return 0;
> }
>
> [bill at moocow ~]$ ./a.out
> Contents of char ue[0] is:
> Contents of char ue[1-36] is:BCDEFGHIJKLMNPOQRSTUVWXYZ0123456789
>
> As you can see, data beyond ue[0] is still accessible, should the
> code not be changed to use memset() to scrub any sensitive information
> still stored in various arrays in IA_BACKDOOR (and perhaps other
> areas of code in bsd-cray.c, etc)?
>
> Bill Parker (wp02855 at gmail dot com)
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Michael Stone
2016-Jan-14 19:24 UTC
Possible failure to scrub data in file 'openbsd-compat/bsd-cray.c' in OpenSSH-7.1p1
On Thu, Jan 14, 2016 at 09:20:47AM -0600, Ben Lindstrom wrote:
> This is for UNICOS Cray. And currently I know that the OS and
> hardware have been officially retired. I have a question into one of
> my contacts at Cray to see if they know of any customers still running
> this old hardware, and if not then I'd suggest we strip the UNICOS
> port out as dead wood.

+1. There were a lot of oddities about programming on those machines, and if nobody's been actively testing, there's a good chance that it's not working right anyway.

Mike Stone