From owner-freebsd-bugs Tue Mar 13 17:20: 7 2001
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 98CCD37B718 for ; Tue, 13 Mar 2001 17:20:02 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f2E1K2r20216; Tue, 13 Mar 2001 17:20:02 -0800 (PST) (envelope-from gnats)
Date: Tue, 13 Mar 2001 17:20:02 -0800 (PST)
Message-Id: <200103140120.f2E1K2r20216@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
Cc:
From: Dima Dorfman
Subject: Re: bin/25778: sshd core after login attempt for non-existant user
Reply-To: Dima Dorfman
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The following reply was made to PR bin/25778; it has been noted by GNATS.
From: Dima Dorfman
To: rsimmons@duckman.wlcg.com
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/25778: sshd core after login attempt for non-existant user
Date: Tue, 13 Mar 2001 17:11:39 -0800

Rob Simmons writes:
>
> >Number:         25778
> >Category:       bin
> >Synopsis:       sshd core after login attempt for non-existant user
> >Description:
> When someone tries to login with a username that does not exist,
> sshd dumps core. Here is the gdb output from the core file,
> followed by the ident info from the sshd binary:

Try the patch below. It looks like a FreeBSD-specific problem. Well, at least I tried OpenSSH 2.5 (I know that's not what we use) and it didn't have this bug.

I don't think this can be classified as a security bug. The sshd that cores is one that was already spawned for that connection; the main one stays alive. Also, the crash is from dereferencing a bad pointer, and the malicious user can't control it. All that said, I'm not a security expert, so take that for what it is: a hypothesis.

Thanks

Dima Dorfman
dima@unixfreak.org

Index: auth2.c
===================================================================
RCS file: /st/src/FreeBSD/src/crypto/openssh/auth2.c,v
retrieving revision 1.9
diff -u -r1.9 auth2.c
--- auth2.c	2001/03/04 02:22:03	1.9
+++ auth2.c	2001/03/14 01:08:44
@@ -201,6 +201,7 @@
 	debug("userauth-request for user %s service %s method %s", user, service, method);
 	debug("attempt #%d", authctxt->attempt);
+	authctxt->pw = 0;
 	if (authctxt->attempt == 1) {
 		/* setup auth context */
 		struct passwd *pw = NULL;

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
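Review bot: the reset `authctxt->pw = 0;` runs on every userauth request, not only the first, because it sits above the `if (authctxt->attempt == 1)` guard whose `/* setup auth context */` comment marks the place where the context is populated. If that branch is where `authctxt->pw` gets filled in for a known user, the second and later attempts on the same connection will find it cleared again, and whatever the first attempt stored there is dropped without being freed. Consider moving the assignment inside the `attempt == 1` branch, or better, zeroing the whole struct where authctxt is allocated so every field starts out defined rather than patching one member at the request handler. Also write it as `authctxt->pw = NULL;` to match the `struct passwd *pw = NULL;` two lines below.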
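The reply above argues that the crash is an uninitialised or stale `pw` pointer being dereferenced for a user that does not exist, and the patch addresses it by forcing `authctxt->pw` to zero before the lookup. The following is an added example, not code from the PR, from FreeBSD or from OpenSSH, that models the same per-connection context and shows the two defences a practitioner would want: the context is zeroed at allocation so `pw` is NULL by construction, and every later stage checks `pw` before touching it. The `auth_ctx`, `pw_rec`, `lookup_user` names and the two-entry passwd table are hypothetical stand-ins for `authctxt`, `struct passwd` and `getpwnam()`; the table is constructed for the example so it runs offline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for struct passwd: only the fields the example needs. */
struct pw_rec {
    const char *name;
    unsigned    uid;
    const char *shell;
};

/* Constructed two-entry user table; "mallory" is deliberately absent. */
static const struct pw_rec fake_passwd[] = {
    { "alice", 1001, "/bin/sh"       },
    { "bob",   1002, "/sbin/nologin" },
};

/* Returns the matching record, or NULL for an unknown user, as getpwnam() does. */
static const struct pw_rec *lookup_user(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof fake_passwd / sizeof fake_passwd[0]; i++)
        if (strcmp(fake_passwd[i].name, name) == 0)
            return &fake_passwd[i];
    return NULL;
}

/* Hypothetical per-connection auth context, modelled on the authctxt fields
 * named in the patch (pw, attempt) plus a validity flag and the user name. */
struct auth_ctx {
    const struct pw_rec *pw;      /* NULL unless the user exists */
    int   valid;
    int   attempt;
    char  user[64];
};

/* Zero the whole struct at allocation: pw starts out NULL, so a request for
 * an unknown user can never leave a garbage pointer behind.  This is the
 * whole-struct version of the defence the PR's one-line patch applies to pw. */
struct auth_ctx *auth_ctx_new(void)
{
    return calloc(1, sizeof(struct auth_ctx));
}

void auth_ctx_free(struct auth_ctx *ctx)
{
    free(ctx);
}

/* Handle one userauth request.  Returns 1 if the context is valid for this
 * user, 0 otherwise.  Unknown users are safe: pw stays NULL, valid stays 0. */
int userauth_request(struct auth_ctx *ctx, const char *user)
{
    ctx->attempt++;
    if (ctx->attempt == 1) {
        /* setup auth context, the region the patch touches */
        const struct pw_rec *pw = lookup_user(user);
        if (pw != NULL) {
            ctx->pw = pw;
            ctx->valid = 1;
        } else {
            ctx->pw = NULL;     /* explicit, the intent of "authctxt->pw = 0;" */
            ctx->valid = 0;
        }
        strncpy(ctx->user, user, sizeof ctx->user - 1);
        ctx->user[sizeof ctx->user - 1] = '\0';
    } else if (ctx->valid && strcmp(user, ctx->user) != 0) {
        ctx->valid = 0;         /* user name changed mid-session */
    }
    return ctx->valid;
}

/* A later stage that needs the passwd entry.  The NULL check is what every
 * method handler must do before touching ctx->pw; without it, an unknown
 * user turns into a NULL (or, with an uninitialised field, garbage) deref. */
int shell_permits_login(const struct auth_ctx *ctx)
{
    if (!ctx->valid || ctx->pw == NULL)
        return 0;
    return strcmp(ctx->pw->shell, "/sbin/nologin") != 0;
}

int main(void)
{
    const char *names[] = { "alice", "bob", "mallory" };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        struct auth_ctx *ctx = auth_ctx_new();
        int ok = userauth_request(ctx, names[i]);
        printf("%-8s valid=%d login_allowed=%d\n", names[i], ok, shell_permits_login(ctx));
        auth_ctx_free(ctx);
    }
    return 0;
}
```

The point of zeroing at allocation rather than at the request handler is that it covers every field and every code path, including a second attempt on the same connection, which a reset placed before the `attempt == 1` guard would wipe. The check in `shell_permits_login` is the other half: a NULL `pw` must be a normal, expected state for an unknown user, not something only the first request is allowed to see.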