Package: libpam-ssh
Version: 1.91.0-5
Severity: critical
A long time ago (circa 1998 or so) I looked at the pam-ssh project and
noticed several problems with it. And since it's now in Debian,
the same problems apply to Debian too.
Here's one.
In the pam_sm_authenticate() routine, pam_ssh saves struct passwd as
a PAM variable, this way (error checking removed for simplicity):
pwent = getpwnam(user);
...
/* copy the passwd entry (in case successive calls are made) and
save it for the session phase */
pwent_keep = malloc(sizeof *pwent);
memcpy(pwent_keep, pwent, sizeof *pwent_keep);
pam_set_data(pamh, "ssh_passwd_entry", pwent_keep, ssh_cleanup);
and later, in pam_sm_open_session(), it reuses the entry to create
~/.ssh/... files and to set user IDs:
pam_get_data(pamh, "ssh_passwd_entry", (const void **)(void *)&pwent);
openpam_borrow_cred(pamh, pwent);
asprintf(&per_agent, "%s/.ssh/agent-%s", pwent->pw_dir, hname);
env_write = open(per_agent, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR);
...
struct passwd contains pointers to strings (pw_dir, pw_name etc.).
So, any call to getpwent() and other getpw*() routines in between
pam_sm_authenticate() and pam_sm_open_session() of this module
poses a high risk of the strings being overwritten (or even the
whole internal pwent buffer being re-allocated), so the module will
create files in the wrong place using the wrong user ID.
Luckily, most getpw* calls (depending on the other modules in the PAM
stack) will be the same ones this module makes, and hence the problem
will not occur.
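To make the failure mode concrete, here is an added example (not code from the bug report or from pam_ssh) that replays the flow described above. It uses a constructed stand-in, fake_getpwnam(), which behaves like the C library's getpwnam(): one static struct passwd whose strings live in one static buffer, so each lookup overwrites the previous result. shallow_copy() reproduces what pam_ssh does with malloc()+memcpy(); deep_copy() is the hypothetical fix that also copies every string the struct points to, in a single allocation so one free() in the pam_set_data() cleanup callback releases it. The account names, UIDs and home directories are made up.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for the C library's getpwnam(): like the real one it
 * hands back a pointer to a single static struct passwd whose string fields
 * point into a single static buffer, so each call overwrites the last result.
 * The two accounts are made up; nothing is read from the real passwd database. */
static struct passwd fake_result;
static char fake_strings[256];

/* Append s (with its NUL) at *cursor, advance the cursor, return where it went. */
static char *put_str(char **cursor, const char *s)
{
    char *start = *cursor;
    size_t n = strlen(s) + 1;
    memcpy(start, s, n);
    *cursor += n;
    return start;
}

static struct passwd *fake_getpwnam(const char *name)
{
    static const struct { const char *name; uid_t uid; const char *dir; } db[] = {
        { "alice", 1000, "/home/alice" },
        { "bob",   1001, "/home/bob" },
    };
    for (size_t i = 0; i < sizeof db / sizeof db[0]; i++) {
        if (strcmp(db[i].name, name) != 0)
            continue;
        char *p = fake_strings;
        fake_result.pw_name   = put_str(&p, db[i].name);
        fake_result.pw_passwd = put_str(&p, "x");
        fake_result.pw_uid    = db[i].uid;
        fake_result.pw_gid    = db[i].uid;
        fake_result.pw_gecos  = put_str(&p, "");
        fake_result.pw_dir    = put_str(&p, db[i].dir);
        fake_result.pw_shell  = put_str(&p, "/bin/sh");
        return &fake_result;
    }
    return NULL;
}

/* What pam_ssh does: copies the struct, but every char* inside still points
 * into the library's static buffer, so a later getpw*() call changes its text. */
static struct passwd *shallow_copy(const struct passwd *pw)
{
    struct passwd *keep = malloc(sizeof *keep);
    if (keep != NULL)
        memcpy(keep, pw, sizeof *keep);
    return keep;
}

/* Deep copy: the struct plus every string it references, in one allocation so
 * that the single free() in a pam_set_data() cleanup callback releases it all.
 * Field list matches the glibc struct passwd (Linux); BSDs have extra fields. */
static struct passwd *deep_copy(const struct passwd *pw)
{
    const char *src[] = { pw->pw_name, pw->pw_passwd, pw->pw_gecos,
                          pw->pw_dir, pw->pw_shell };
    size_t need = sizeof *pw;
    for (size_t i = 0; i < 5; i++)
        need += (src[i] ? strlen(src[i]) : 0) + 1;
    struct passwd *keep = malloc(need);
    if (keep == NULL)
        return NULL;
    *keep = *pw;                      /* numeric fields (uid, gid) */
    char *p = (char *)(keep + 1);     /* strings live right after the struct */
    char **dst[] = { &keep->pw_name, &keep->pw_passwd, &keep->pw_gecos,
                     &keep->pw_dir, &keep->pw_shell };
    for (size_t i = 0; i < 5; i++)
        *dst[i] = put_str(&p, src[i] ? src[i] : "");
    return keep;
}

/* Replays the PAM flow from the report: pam_sm_authenticate() looks up `user`
 * and keeps a copy, another module in the stack looks up `other`, then
 * pam_sm_open_session() reads the kept copy. Returns 1 if the copy still
 * carries the home directory of `user`, 0 if it was clobbered, -1 on error. */
static int session_sees_right_home(const char *user, const char *other,
                                   struct passwd *(*copy)(const struct passwd *))
{
    struct passwd *pw = fake_getpwnam(user);
    if (pw == NULL)
        return -1;
    char expected[64];
    snprintf(expected, sizeof expected, "%s", pw->pw_dir);

    struct passwd *keep = copy(pw);
    if (keep == NULL)
        return -1;

    fake_getpwnam(other);             /* another module doing its own lookup */

    int ok = strcmp(keep->pw_dir, expected) == 0;
    free(keep);
    return ok;
}

int main(void)
{
    printf("shallow copy, other module looks up the same user:  %d\n",
           session_sees_right_home("alice", "alice", shallow_copy));
    printf("shallow copy, other module looks up a different user: %d\n",
           session_sees_right_home("alice", "bob", shallow_copy));
    printf("deep copy, other module looks up a different user:    %d\n",
           session_sees_right_home("alice", "bob", deep_copy));
    return 0;
}
```

The first case is the "luckily" situation the report describes: when the other module asks for the same user, the static buffer is refilled with identical text and the shallow copy happens to stay valid. The second case shows the bug, the third the fix. On a real system the equivalent of deep_copy() is to call getpwnam_r() into a buffer the module owns (sized via sysconf(_SC_GETPW_R_SIZE_MAX)) and hand that buffer, not the library's static result, to pam_set_data().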
I pointed this problem out to the author at the same time I looked at
the module, but instead of an ACK he replied with something like
"If you don't like my program write your own". Later on, he changed
the logic a bit -- previously he was saving the pwent pointer, now
he saves the whole structure (as pwent_keep), but the same problem
is still there.
There were other issues with this package at that time, but
by now I have forgotten which ones.
-- System Information
Debian Release: 3.0
Kernel Version: Linux paltus.tls.msk.ru 2.6.11-k7-0 #1 Wed Mar 2 20:04:17 MSK 2005 i686 GNU/Linux
Versions of the packages libpam-ssh depends on:
ii  libc6        2.3.2.ds1-16  GNU C Library: Shared libraries and Timezone
ii  libpam0g     0.76-22       Pluggable Authentication Modules library
ii  libssl0.9.7  0.9.7e-3      SSL shared libraries