From rsimmons@duckman.wlcg.com  Tue Mar 13 10:34:44 2001
Return-Path: <rsimmons@duckman.wlcg.com>
Received: from duckman.wlcg.com (duckman.wlcg.com [209.9.101.22])
	by hub.freebsd.org (Postfix) with ESMTP id B051937B719
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 13 Mar 2001 10:34:42 -0800 (PST)
	(envelope-from rsimmons@duckman.wlcg.com)
Received: (from root@localhost)
	by duckman.wlcg.com (8.11.2/8.11.2) id f2DIRJ271873;
	Tue, 13 Mar 2001 13:27:19 -0500 (EST)
	(envelope-from rsimmons)
Message-Id: <200103131827.f2DIRJ271873@duckman.wlcg.com>
Date: Tue, 13 Mar 2001 13:27:19 -0500 (EST)
From: Rob Simmons <rsimmons@duckman.wlcg.com>
Reply-To: rsimmons@duckman.wlcg.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: sshd core after login attempt for non-existent user
X-Send-Pr-Version: 3.2

>Number:         25778
>Category:       bin
>Synopsis:       sshd core after login attempt for non-existent user
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Mar 13 10:40:01 PST 2001
>Closed-Date:    Thu Mar 15 16:08:43 PST 2001
>Last-Modified:  Thu Mar 15 16:09:23 PST 2001
>Originator:     Rob Simmons
>Release:        FreeBSD 4.2-STABLE i386
>Organization:
Westlake
>Environment:
FreeBSD duckman 4.2-STABLE FreeBSD 4.2-STABLE #1: Fri Feb 16 11:57:35 EST 2001     acundari@duckman:/usr/obj/usr/src/sys/DUCKMAN  i386
	

>Description:
When someone tries to log in with a username that does not exist, sshd dumps core.  Here is the gdb output from the core file, followed by the ident info from the sshd binary:
su-2.04# gdb /usr/sbin/sshd sshd.core 
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
(no debugging symbols found)...
Core was generated by `sshd'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libopie.so.2...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libmd.so.2...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libcrypt.so.2...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libcrypto.so.1...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libutil.so.3...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libz.so.2...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libwrap.so.3...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libpam.so.1...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libc.so.4...(no debugging symbols found)...done.
Reading symbols from /usr/libexec/ld-elf.so.1...(no debugging symbols found)...
done.
#0  0x281681c8 in login_getpwclass () from /usr/lib/libutil.so.3
(gdb) quit
su-2.04# ident /usr/sbin/sshd
/usr/sbin/sshd:
     $OpenBSD: sshd.c,v 1.132 2000/10/13 18:34:46 markus Exp $
     $FreeBSD: src/crypto/openssh/sshd.c,v 1.6.2.6 2001/02/12 06:45:42 kris Exp $
     $OpenBSD: auth-rhosts.c,v 1.16 2000/10/03 18:03:03 markus Exp $
     $OpenBSD: auth-passwd.c,v 1.18 2000/10/03 18:03:03 markus Exp $
     $FreeBSD: src/crypto/openssh/auth-passwd.c,v 1.2.2.3 2001/01/12 04:25:55 green Exp $
     $OpenBSD: auth-rsa.c,v 1.32 2000/10/14 12:19:45 markus Exp $
     $FreeBSD: src/crypto/openssh/auth-rsa.c,v 1.2.2.3 2001/01/12 04:25:55 green Exp $
     $OpenBSD: auth-rh-rsa.c,v 1.17 2000/10/03 18:03:03 markus Exp $
     $FreeBSD: src/crypto/openssh/auth-rh-rsa.c,v 1.1.1.1.2.3 2001/01/12 04:25:55 green Exp $
     $OpenBSD: pty.c,v 1.16 2000/09/07 21:13:37 markus Exp $
     $FreeBSD: src/crypto/openssh/pty.c,v 1.2.2.2 2000/10/28 23:00:49 kris Exp $
     $OpenBSD: log-server.c,v 1.17 2000/09/12 20:53:10 markus Exp $
     $OpenBSD: login.c,v 1.15 2000/09/07 20:27:52 deraadt Exp $
     $FreeBSD: src/crypto/openssh/login.c,v 1.3.2.2 2000/10/28 23:00:48 kris Exp $
     $OpenBSD: servconf.c,v 1.53 2000/10/14 12:12:09 markus Exp $
     $FreeBSD: src/crypto/openssh/servconf.c,v 1.3.2.8 2001/01/27 07:48:28 green Exp $
     $OpenBSD: serverloop.c,v 1.34 2000/10/27 07:32:18 markus Exp $
     $OpenBSD: auth.c,v 1.11 2000/10/11 20:27:23 markus Exp $
     $FreeBSD: src/crypto/openssh/auth.c,v 1.3.2.3 2001/01/12 04:25:55 green Exp $
     $OpenBSD: auth1.c,v 1.6 2000/10/11 20:27:23 markus Exp $
     $FreeBSD: src/crypto/openssh/auth1.c,v 1.3.2.4 2001/01/12 04:25:55 green Exp $
     $OpenBSD: auth2.c,v 1.20 2000/10/14 12:16:56 markus Exp $
     $FreeBSD: src/crypto/openssh/auth2.c,v 1.2.2.4 2001/01/12 04:25:55 green Exp $
     $OpenBSD: auth-options.c,v 1.5 2000/10/09 21:32:34 markus Exp $
     $OpenBSD: session.c,v 1.42 2000/10/27 07:32:18 markus Exp $
     $FreeBSD: src/crypto/openssh/session.c,v 1.4.2.7 2001/02/04 20:21:06 green Exp $
     $OpenBSD: dh.c,v 1.2 2000/10/11 20:11:35 markus Exp $
     $FreeBSD: src/crypto/openssh/auth-pam.c,v 1.2.2.1 2001/01/12 04:25:54 green Exp $
     $FreeBSD: src/crypto/openssh/auth2-skey.c,v 1.2.2.1 2001/01/12 04:25:55 green Exp $
     $OpenBSD: auth2-skey.c,v 1.1 2000/10/11 20:14:38 markus Exp $
     $OpenBSD: auth-skey.c,v 1.9 2000/10/19 16:41:13 deraadt Exp $
     $FreeBSD: src/crypto/openssh/auth-skey.c,v 1.1.1.1.2.4 2001/01/12 04:25:55 green Exp $
     $OpenBSD: kex.c,v 1.12 2000/10/11 20:27:23 markus Exp $
     $OpenBSD: dispatch.c,v 1.5 2000/09/21 11:25:34 markus Exp $
     $OpenBSD: ttymodes.c,v 1.8 2000/09/07 20:27:55 deraadt Exp $
     $OpenBSD: tildexpand.c,v 1.8 2000/09/07 20:27:55 deraadt Exp $
     $OpenBSD: rsa.c,v 1.16 2000/09/07 20:27:53 deraadt Exp $
     $FreeBSD: src/crypto/openssh/rsa.c,v 1.1.1.1.2.6 2001/02/12 06:45:42 kris Exp $
     $OpenBSD: readpass.c,v 1.12 2000/10/11 20:14:39 markus Exp $
     $OpenBSD: mpaux.c,v 1.14 2000/09/07 20:27:52 deraadt Exp $
     $FreeBSD: src/crypto/openssh/mpaux.c,v 1.2.2.2 2000/10/28 23:00:48 kris Exp $
     $OpenBSD: hostfile.c,v 1.20 2000/09/07 20:27:51 deraadt Exp $
     $FreeBSD: src/crypto/openssh/hostfile.c,v 1.1.1.1.2.2 2000/10/28 23:00:48 kris Exp $
     $OpenBSD: authfile.c,v 1.20 2000/10/11 20:27:23 markus Exp $
     $FreeBSD: src/crypto/openssh/authfile.c,v 1.2.2.3 2001/01/12 04:25:55 green Exp $
     $OpenBSD: cli.c,v 1.2 2000/10/16 09:38:44 djm Exp $
     $OpenBSD: match.c,v 1.9 2000/09/07 20:27:52 deraadt Exp $
     $OpenBSD: dsa.c,v 1.11 2000/09/07 20:27:51 deraadt Exp $
     $OpenBSD: xmalloc.c,v 1.8 2000/09/07 20:27:55 deraadt Exp $
     $OpenBSD: packet.c,v 1.38 2000/10/12 14:21:12 markus Exp $
     $OpenBSD: hmac.c,v 1.4 2000/09/07 20:27:51 deraadt Exp $
     $OpenBSD: crc32.c,v 1.7 2000/09/07 20:27:51 deraadt Exp $
     $OpenBSD: compress.c,v 1.9 2000/09/07 20:27:50 deraadt Exp $
     $OpenBSD: cipher.c,v 1.37 2000/10/23 19:31:54 markus Exp $
     $FreeBSD: src/crypto/openssh/cipher.c,v 1.2.2.3 2001/01/12 04:25:56 green Exp $
     $OpenBSD: nchan.c,v 1.19 2000/09/07 20:27:52 deraadt Exp $
     $OpenBSD: channels.c,v 1.72 2000/10/27 07:48:22 markus Exp $
     $OpenBSD: canohost.c,v 1.16 2000/10/21 17:04:22 markus Exp $
     $FreeBSD: src/crypto/openssh/canohost.c,v 1.1.1.1.2.4 2001/01/12 04:25:56 green Exp $
     $OpenBSD: authfd.c,v 1.29 2000/10/09 21:51:00 markus Exp $
     $FreeBSD: src/crypto/openssh/authfd.c,v 1.2.2.4 2001/01/12 04:25:55 green Exp $
     $OpenBSD: util.c,v 1.6 2000/10/27 07:32:19 markus Exp $
     $OpenBSD: key.c,v 1.11 2000/09/07 20:27:51 deraadt Exp $
     $FreeBSD: src/crypto/openssh/key.c,v 1.4.2.2 2000/10/28 23:00:48 kris Exp $
     $OpenBSD: atomicio.c,v 1.7 2000/10/18 18:04:02 markus Exp $
     $OpenBSD: uidswap.c,v 1.9 2000/09/07 20:27:55 deraadt Exp $
     $FreeBSD: src/crypto/openssh/compat.c,v 1.1.1.1.2.3 2001/01/12 04:25:56 green Exp $
     $OpenBSD: compat.c,v 1.27 2000/10/31 09:31:58 markus Exp $
     $OpenBSD: bufaux.c,v 1.13 2000/09/07 20:27:50 deraadt Exp $
     $FreeBSD: src/crypto/openssh/bufaux.c,v 1.2.2.2 2000/10/28 23:00:47 kris Exp $
     $OpenBSD: uuencode.c,v 1.7 2000/09/07 20:27:55 deraadt Exp $
     $OpenBSD: buffer.c,v 1.8 2000/09/07 20:27:50 deraadt Exp $
     $OpenBSD: log.c,v 1.11 2000/09/30 16:27:43 markus Exp $


	

>How-To-Repeat:
Try to log in via ssh to a machine that was cvsup'd around the same time as this machine (I don't think the problem has been corrected yet, since this happens on a machine that I rebuilt from cvs this past weekend as well as the machine listed above) with a user that does not exist on the machine.  sshd will dump core and its core will be in /

	

>Fix:
Dunno... sorry.
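
The crash in the report above is a passwd pointer dereferenced after a lookup for a user who does not exist. As an added illustration (not code from this PR, from OpenSSH or from FreeBSD), the block below shows the defensive shape of a per-connection authentication context: the context is zero-initialised at allocation, the pointer is cleared on every request before the lookup, and later consumers check for NULL instead of assuming a user was bound. The names `auth_ctx`, `userauth_request()`, `session_home_dir()` and the in-memory passwd table are constructed for the example; the lookup is passed in as a function pointer so the real `getpwnam(3)` (used in `main()`) and the constructed table fit the same code path.

```c
/* Added example, not code from the PR, OpenSSH or FreeBSD: an auth context
 * whose passwd pointer is reset on every userauth request and NULL-checked
 * before use, so an unknown username never leaves a stale pointer behind. */
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* getpwnam(3) has this type; so does the constructed table lookup below. */
typedef struct passwd *(*pw_lookup_fn)(const char *name);

struct auth_ctx {
    int attempt;        /* userauth requests seen on this connection */
    int valid;          /* 1 once a known user is bound */
    struct passwd *pw;  /* owned copy of the passwd entry, or NULL */
};

/* getpwnam() returns a static buffer that the next call overwrites, so copy
 * the fields we need rather than keeping its pointer. */
static struct passwd *pwcopy(const struct passwd *src)
{
    struct passwd *dst = calloc(1, sizeof *dst);  /* unused fields stay NULL */
    if (dst == NULL)
        return NULL;
    dst->pw_name = strdup(src->pw_name);
    dst->pw_dir = strdup(src->pw_dir);
    dst->pw_shell = strdup(src->pw_shell);
    dst->pw_uid = src->pw_uid;
    dst->pw_gid = src->pw_gid;
    return dst;
}

static void pwfree(struct passwd *pw)
{
    if (pw == NULL)
        return;
    free(pw->pw_name); free(pw->pw_dir); free(pw->pw_shell);
    free(pw);
}

/* calloc(), so pw starts as NULL rather than whatever was on the heap. */
static struct auth_ctx *auth_ctx_new(void)
{
    return calloc(1, sizeof(struct auth_ctx));
}

/* One userauth request: returns 1 and binds the user if the lookup succeeds,
 * 0 otherwise. The reset runs on every attempt, not only the first. */
static int userauth_request(struct auth_ctx *ctx, const char *user,
                            pw_lookup_fn lookup)
{
    ctx->attempt++;
    pwfree(ctx->pw);          /* drop the previous attempt's binding */
    ctx->pw = NULL;
    ctx->valid = 0;
    struct passwd *pw = lookup(user);
    if (pw == NULL) {
        printf("illegal user %s (attempt %d)\n", user, ctx->attempt);
        return 0;
    }
    ctx->pw = pwcopy(pw);
    ctx->valid = (ctx->pw != NULL);
    return ctx->valid;
}

/* Stand-in for the later code that crashed in the report: a NULL pw means
 * "no user bound", so fall back instead of dereferencing. */
static const char *session_home_dir(const struct auth_ctx *ctx)
{
    if (!ctx->valid || ctx->pw == NULL)
        return "/";
    return ctx->pw->pw_dir;
}

/* Constructed passwd table standing in for the system database. */
static struct passwd table[] = {
    { .pw_name = "alice", .pw_uid = 1001, .pw_gid = 1001,
      .pw_dir = "/home/alice", .pw_shell = "/bin/sh" },
};

static struct passwd *fake_lookup(const char *name)
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].pw_name, name) == 0)
            return &table[i];
    return NULL;  /* unknown user: the case that made sshd dump core */
}

int main(void)
{
    struct auth_ctx *ctx = auth_ctx_new();
    /* real system lookup for a name that should not exist, then the table */
    userauth_request(ctx, "nosuchuser-constructed-for-example", getpwnam);
    printf("home after unknown user: %s\n", session_home_dir(ctx));
    userauth_request(ctx, "alice", fake_lookup);
    printf("home for alice: %s\n", session_home_dir(ctx));
    pwfree(ctx->pw);
    free(ctx);
    return 0;
}
```

The two properties that matter for the crash class described in this PR are that the context comes from `calloc()` (so `pw` is never an uninitialised heap value) and that the reset happens at the top of every request rather than only on the first attempt, so a retry with an unknown name cannot reuse a pointer bound by an earlier attempt.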

	

>Release-Note:
>Audit-Trail:

From: Dima Dorfman <dima@unixfreak.org>
To: rsimmons@duckman.wlcg.com
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/25778: sshd core after login attempt for non-existent user 
Date: Tue, 13 Mar 2001 17:11:39 -0800

 Rob Simmons <rsimmons@duckman.wlcg.com> writes:
 > 
 > >Number:         25778
 > >Category:       bin
 > >Synopsis:       sshd core after login attempt for non-existent user
 > >Description:
 > When someone tries to login with a username that does not exist,
 > sshd dumps core.  Here is the gdb output from the core file,
 > followed by the ident info from the sshd binary:
 
 Try the patch below.  It looks like a FreeBSD-specific problem.  Well,
 at least I tried OpenSSH 2.5 (I know that's not what we use) and it
 didn't have this bug.
 
 I don't think this can be classified as a security bug.  The sshd that
 cores is one that was already spawned for that connection; the main
 one stays alive.  Also, the crash is from dereferencing a bad pointer,
 and the malicious user can't control it.  All that said, I'm not a
 security expert, so take that for what it is: a hypothesis.
 
 Thanks
 
 					Dima Dorfman
 					dima@unixfreak.org
 
 
 Index: auth2.c
 ===================================================================
 RCS file: /st/src/FreeBSD/src/crypto/openssh/auth2.c,v
 retrieving revision 1.9
 diff -u -r1.9 auth2.c
 --- auth2.c	2001/03/04 02:22:03	1.9
 +++ auth2.c	2001/03/14 01:08:44
 @@ -201,6 +201,7 @@
  	debug("userauth-request for user %s service %s method %s", user, service, method);
  	debug("attempt #%d", authctxt->attempt);
  
 +	authctxt->pw = 0;
  	if (authctxt->attempt == 1) { 
  		/* setup auth context */
  		struct passwd *pw = NULL;
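Review bot: the added `authctxt->pw = 0;` sits before the `if (authctxt->attempt == 1)` block, so it runs on every userauth request, while the visible context sets up the passwd lookup only on the first attempt. If `authctxt->pw` is assigned inside that block, a second request on the same connection for a valid user (a later authentication method after the first one fails) would find pw cleared and be treated as an unknown user. Consider zeroing the field once where the authctxt is allocated, or moving the reset inside the attempt-1 block ahead of the lookup, so a nonexistent user still yields a NULL pw for the later login_getpwclass() path to check without discarding a valid binding on retries. Minor: write `NULL` rather than `0` for the pointer, matching `struct passwd *pw = NULL;` two lines below.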
State-Changed-From-To: open->closed 
State-Changed-By: dd 
State-Changed-When: Thu Mar 15 16:08:43 PST 2001 
State-Changed-Why:  
Fixed by green in rev. 1.10 of src/crypto/openssh/auth2.c 

http://www.freebsd.org/cgi/query-pr.cgi?pr=25778 
>Unformatted:
