Re: Possible failure to scrub data in file 'openbsd-compat/bsd-cray.c' in OpenSSH-7.1p1

This is for UNICOS Cray. And currently I know that the OS and hardware have been officially retired. I have a question into one of my contacts at Cray to see if they know of any customers still running this old hardware, and if not then I'd suggest we strip the UNICOS port out as dead wood.

- Ben

Bill Parker wrote:
Hello All,

In reviewing some code in file 'bsd-cray.c', I found a possible
issue where data in the following code may not be properly scrubbed
in the case IA_BACKDOOR in function 'cray_setup', which is below:

         case IA_BACKDOOR:
                 /* XXX: can we memset it to zero here so save some of this */
                 strlcpy(ue.ue_name, "root", sizeof(ue.ue_name));
                 strlcpy(ue.ue_dir, "/", sizeof(ue.ue_dir));
                 strlcpy(ue.ue_shell, "/bin/sh", sizeof(ue.ue_shell));

                 ue.ue_passwd[0] = '\0';
                 ue.ue_age[0] = '\0';
                 ue.ue_comment[0] = '\0';
                 ue.ue_loghost[0] = '\0';
                 ue.ue_logline[0] = '\0';

                 ue.ue_uid = -1;
                 ue.ue_nice[UDBRC_INTER] = 0;

where ue.ue_passwd[0] is set to NUL, there exists the potential that
any data beyond ue.ue_passwd[0] is still accessible in memory as the
following test program below demonstrates:

#include <stdio.h>

int main(void)
{
     unsigned int n;
     char ue[50] = "ABCDEFGHIJKLMNPOQRSTUVWXYZ0123456789";

     ue[0] = '\0';   /* set only the first byte to NUL */

     /* as a C string the buffer now looks empty */
     printf("Contents of char ue[0] is: %s\n", ue);

     printf("Contents of char ue[1-36] is:");

     /* the remaining bytes are untouched and still readable */
     for (n = 1; n < 36; n++)
         printf("%c", ue[n]);
     printf("\n");

     return 0;
}

[bill@moocow ~]$ ./a.out
Contents of char ue[0] is:
Contents of char ue[1-36] is:BCDEFGHIJKLMNPOQRSTUVWXYZ0123456789

As you can see, data beyond ue[0] is still accessible. Should the
code not be changed to use memset() to scrub any sensitive information
still stored in various arrays in IA_BACKDOOR (and perhaps other
areas of code in bsd-cray.c, etc.)?

Bill Parker (wp02855 at gmail dot com)
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
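
An added example, not part of the thread or of OpenSSH's code: it measures what is left in a buffer after the `[0] = '\0'` idiom discussed above and after a full scrub. The scrub writes through a volatile pointer because a plain memset() on a buffer that is never read again may be removed by the compiler as a dead store. The struct, its field size and the sample value are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical stand-in for one fixed-size field of the entry; size is assumed. */
struct entry {
    char passwd[32];
};

/* Zero every byte through a volatile pointer so the stores cannot be
 * eliminated as dead, unlike a plain memset() before the buffer goes away. */
static void scrub(void *p, size_t len)
{
    volatile unsigned char *vp = p;
    while (len--)
        *vp++ = 0;
}

/* Count the bytes in the whole buffer that are still non-zero. */
static size_t residue(const void *p, size_t len)
{
    const unsigned char *b = p;
    size_t i, n = 0;
    for (i = 0; i < len; i++)
        if (b[i] != 0)
            n++;
    return n;
}

/* Fill the field with a constructed sample value (18 characters). */
static void fill(struct entry *e)
{
    scrub(e, sizeof(*e));
    snprintf(e->passwd, sizeof(e->passwd), "%s", "s3cr3t-constructed");
}

/* Terminate at byte 0 only: the string reads as empty, the rest remains. */
static size_t residue_after_nul(void)
{
    struct entry e;
    fill(&e);
    e.passwd[0] = '\0';
    return residue(e.passwd, sizeof(e.passwd));
}

/* Scrub the full field: nothing remains. */
static size_t residue_after_scrub(void)
{
    struct entry e;
    fill(&e);
    scrub(e.passwd, sizeof(e.passwd));
    return residue(e.passwd, sizeof(e.passwd));
}
```

Where the platform provides it, explicit_bzero() or C11 Annex K memset_s() gives the same guarantee without a hand-written loop.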
