On Wed, 9 Jul 2008, Dag-Erling Smørgrav wrote:

> Damien Miller writes:
> > I'd say the reporter disabled privsep and rigged a PAM module to display
> > a custom message (if they worked up to an exploit at all).
> >
> > The vulnerability criteria seem to be:
> >
> > 1. protocol 1 enabled
> > 2. privsep disabled
> > 3. successful authentication
> > 4. PAM accounting module in stack that returns attacker-supplied data

> That's pretty much what I concluded as well. He found something that
> looked like a classic bug (printf() with no format string) and set up a
> highly contrived scenario in which the bug is exploitable.
> Anyway, the fix is trivial - add "%s" to the packet_disconnect() call in
> do_authloop().

Yes, I have already committed such a fix and have added -Wformat-security
to the default gcc 3.x and 4.x CFLAGS which would have caught this screwup.

I'm not going to rush out a release unless someone can point out a
commonly used PAM module that sends exploitable messages.


openssh-unix-dev mailing list