Re: Fwd: [oss-security] *Possible* ssh vulnerability

Damien Miller <djm@xxxxxxxxxxx> writes:
> The memory dump seems to indicate a post-auth process (and possibly
> sftp-server/internal-sftp), so it's surprising it could see the
> password hash to begin with and it would be highly unlikely to see
> anything else that is sensitive.

(caveat: my recollection of the privsep model is slightly hazy; is there
a whitepaper somewhere?)

The unprivileged parent can contain a copy of /etc/shadow from calling
getpwnam() at some point before do_setusercontext().  This hypothesis is
strengthened by the fact that the passwd line in the dump looks like it
has been parsed for use in a struct passwd: the text fields are
terminated by NULs instead of colons, but the numeric fields aren't
because strtoul() doesn't require it.  This passwd line seems to have
overwritten a previous, longer passwd line for a user whose home
directory (and presumably login) ends with "oe" and who uses zsh instead
of bash.

However, that process's /proc/*/mem is only readable by root since it
started out with root credentials.

The most intriguing thing about this dump is that it seems to contain a
hex dump of a syslog message from Linux-PAM's pam_unix (starting at
002516d0).  I wouldn't be surprised to see the message itself, since
this is the same process that called pam_open_session(), but I really
wouldn't expect a hex dump of that message.

On the whole, I agree that it is most likely a hoax.

DES
-- 
Dag-Erling Smørgrav - des@xxxxxx
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
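The artifact DES describes above (text fields NUL-terminated, numeric fields still colon-terminated) falls out of how glibc's nss_files parser handles a passwd line in place behind getpwnam(). The following is an added example, not code from the thread, from OpenSSH or from glibc: it re-implements that parsing style (STRING fields get their ':' overwritten with NUL, INT fields go through strtoul() which leaves the ':' alone) on a constructed sample line, and adds a small check that recognises the resulting pattern in a buffer recovered from a memory dump. The sample line, the `pw_view` struct and the `looks_parsed()` heuristic are all my own assumptions for illustration.

```c
/* Added example: in-place passwd line parsing in the style of glibc's
 * nss_files parse_line, to show why a parsed line in a memory dump has
 * NUL after the text fields but ':' after uid and gid.  The field order
 * and STRING/INT handling follow glibc's behaviour; the code itself is
 * not glibc's, OpenSSH's or the thread's.  Sample input is constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct pw_view {                     /* assumed illustrative struct */
    const char *name, *passwd, *gecos, *dir, *shell;
    unsigned long uid, gid;
};

/* Like a STRING field: point at the field and overwrite the ':' that
 * terminates it with NUL so it is usable as a C string.  That NUL is
 * what later shows up in a memory dump in place of the colon. */
static int string_field(char **line, const char **out)
{
    char *p = *line;
    *out = p;
    while (*p != ':' && *p != '\0')
        p++;
    if (*p == ':')
        *p++ = '\0';
    *line = p;
    return 1;
}

/* Like an INT field: strtoul() stops at the ':' and does not touch it;
 * only the cursor is advanced past it, so the colon survives. */
static int int_field(char **line, unsigned long *out)
{
    char *end;
    *out = strtoul(*line, &end, 10);
    if (end == *line)
        return 0;                    /* no digits at all */
    if (*end == ':')
        end++;
    else if (*end != '\0')
        return 0;                    /* junk after the number */
    *line = end;
    return 1;
}

/* Parse "name:passwd:uid:gid:gecos:dir:shell" in place.  Returns 1 on
 * success; the buffer is modified as described above. */
int parse_passwd_inplace(char *line, struct pw_view *pw)
{
    return string_field(&line, &pw->name)
        && string_field(&line, &pw->passwd)
        && int_field(&line, &pw->uid)
        && int_field(&line, &pw->gid)
        && string_field(&line, &pw->gecos)
        && string_field(&line, &pw->dir)
        && string_field(&line, &pw->shell);
}

/* Forensic heuristic over a buffer of known length: seven fields give
 * six separators, and after parsing four of them are NUL (after name,
 * passwd, gecos, dir) while two are still ':' (after uid and gid).
 * Returns 1 when the buffer shows exactly that pattern. */
int looks_parsed(const char *buf, size_t len)
{
    size_t nuls = 0, colons = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == '\0')
            nuls++;
        else if (buf[i] == ':')
            colons++;
    }
    return nuls == 4 && colons == 2;
}

int main(void)
{
    /* constructed sample; not a real account */
    char line[] = "alice:x:1000:1000:Alice:/home/alice:/bin/bash";
    size_t len = strlen(line);       /* length before any NUL is written */
    struct pw_view pw;

    if (!parse_passwd_inplace(line, &pw))
        return 1;
    printf("name=%s uid=%lu gid=%lu shell=%s\n",
           pw.name, pw.uid, pw.gid, pw.shell);
    for (size_t i = 0; i < len; i++)
        putchar(line[i] ? line[i] : '.');   /* render NUL as '.' */
    putchar('\n');
    printf("looks parsed: %d\n", looks_parsed(line, len));
    return 0;
}
```

Running it prints the buffer as `alice.x.1000:1000:Alice./home/alice./bin/bash`, which is the mixed NUL/colon layout DES points to as evidence that the line was read through the passwd parser rather than simply copied from disk. The same heuristic applied to the unparsed file contents reports 0.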