#302: libssh2_session_handshake bug?
--------------------+--------------------
Reporter: 5m0k3 | Owner:
Type: defect | Status: new
Priority: normal | Milestone: 1.5.0
Component: crypto | Version: 1.5.0
Keywords: | Blocked By:
Blocks: |
--------------------+--------------------
Hello, I was working on a password auditing tool using libssh2 and
encountered the following issue when using with pthread.
GDB output:
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `./dm domains.txt user pass 500'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007ff0eaa3bbdc in ?? () from /lib/x86_64-linux-
gnu/libcrypto.so.1.0.0
(gdb) bt
#0 0x00007ff0eaa3bbdc in ?? () from /lib/x86_64-linux-
gnu/libcrypto.so.1.0.0
#1 0xca62c1d6ca62c1d6 in ?? ()
#2 0xca62c1d6ca62c1d6 in ?? ()
#3 0xca62c1d6ca62c1d6 in ?? ()
#4 0xca62c1d6ca62c1d6 in ?? ()
#5 0xca62c1d6ca62c1d6 in ?? ()
#6 0xca62c1d6ca62c1d6 in ?? ()
#7 0xca62c1d6ca62c1d6 in ?? ()
#8 0xca62c1d6ca62c1d6 in ?? ()
#9 0x00007ff0eada8810 in ?? () from /lib/x86_64-linux-
gnu/libcrypto.so.1.0.0
#10 0x00007feeb000e400 in ?? ()
#11 0x000000000000000f in ?? ()
#12 0x00007ff0eaa3811f in SHA1_Update () from /lib/x86_64-linux-
gnu/libcrypto.so.1.0.0
#13 0x00007ff0eaab76ef in ?? () from /lib/x86_64-linux-
gnu/libcrypto.so.1.0.0
#14 0x00007ff0eaa6d72c in ?? () from /lib/x86_64-linux-
gnu/libcrypto.so.1.0.0
#15 0x00007ff0eb399f8a in diffie_hellman_sha1 () from
/usr/lib/libssh2.so.1
#16 0x00007ff0eb39c197 in
kex_method_diffie_hellman_group14_sha1_key_exchange () from
/usr/lib/libssh2.so.1
#17 0x00007ff0eb39e1ad in _libssh2_kex_exchange () from
/usr/lib/libssh2.so.1
#18 0x00007ff0eb3a6c6e in session_startup () from /usr/lib/libssh2.so.1
#19 0x00007ff0eb3a6efd in libssh2_session_handshake () from
/usr/lib/libssh2.so.1
#20 0x0000000000402023 in verhost (hostname=0x25f1700 "be-still.info",
username=0x2560400 "be-still", password=0x25c1590 "be-still") at dm.c:248
#21 0x00000000004021e2 in worker_thread (worker=0x1f2) at dm.c:287
#22 0x00007ff0eb179182 in start_thread (arg=0x7fefb2fc1700) at
pthread_create.c:312
#23 0x00007ff0eaea647d in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:111
(gdb) frame 20
#20 0x0000000000402023 in verhost (hostname=0x25f1700 "be-still.info",
username=0x2560400 "be-still", password=0x25c1590 "be-still") at dm.c:248
248 rc = libssh2_session_handshake(session, sockfd);
(gdb)
Here is the code for function causing problems:
static int verhost(char *hostname, char *username, char *password) {
if(hostname == NULL) return -1;
if(username == NULL) return -1;
int sockfd, rc;
long arg;
struct addrinfo hints, *res;
int errcode;
memset (&hints, 0, sizeof (hints));
hints.ai_family = PF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
hints.ai_flags |= AI_CANONNAME;
errcode = getaddrinfo (hostname, "22", &hints, &res);
if (errcode != 0) return -1;
sockfd = socket(AF_INET, SOCK_STREAM, 0);
arg = fcntl(sockfd, F_GETFL, NULL);
arg |= O_NONBLOCK;
fcntl(sockfd, F_SETFL, arg);
if (sockfd < 0) goto shutend;
if (connect(sockfd, res->ai_addr, res->ai_addrlen) < 0) {
if (errno == EINPROGRESS) {
fd_set write_fds;
memset(&write_fds, 0, sizeof(write_fds));
FD_ZERO(&write_fds);
FD_SET(sockfd, &write_fds);
struct timeval tv;
int valopt;
tv.tv_sec = 5;
tv.tv_usec = 0;
if (select(sockfd+1, NULL, &write_fds, NULL, &tv)
> 0) {
socklen_t lon;
lon = sizeof(int);
getsockopt(sockfd, SOL_SOCKET, SO_ERROR,
(void*)(&valopt), &lon);
if (valopt) goto shutend;
}
else goto shutend;
}
else goto shutend;
}
LIBSSH2_SESSION *session = libssh2_session_init();
if(!session) goto shutend;
libssh2_session_set_timeout(session, 10000);
if(libssh2_session_get_timeout(session) > 10000) goto shutnow;
rc = libssh2_session_handshake(session, sockfd);
if (rc) goto shutnow;
rc = libssh2_userauth_password(session, username, password);
if (rc) printf("[!] Weak Login: %s - %s/%s\n", hostname, username,
password);
else libssh2_session_disconnect(session, "Normal Shutdown");
shutnow:
libssh2_session_free(session);
shutend:
close(sockfd);
freeaddrinfo(res);
return -1;
}
Let me know if you need anything else or if I am using libssh2 in a wrong
manner. Thanks.
--
Ticket URL: <https://trac.libssh2.org/ticket/302>
libssh2 <https://trac.libssh2.org/>
C library for writing portable SSH2 clients
_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
