I installed all as outlined in the bug and first was able to verify that
the fix in proposed fixes the make_scrambled_password issue.
Lacking an ehcp setup I created a trvial DB for auth like this:
/etc/pam.d/vsftpd (please don't mind the nons ecure setup on my test env):
auth required pam_mysql.so user=root passwd="" host=localhost db=test
table=ftpaccounts usercolumn=ftpusername passwdcolumn=password crypt=2
account required pam_mysql.so user=root passwd="" host=localhost db=test
table=ftpaccounts usercolumn=ftpusername passwdcolumn=password crypt=2
SQL via mysql:
create database test;
use test;
create table ftpaccounts (
-> user_id int(6) not null auto_increment,
-> password varchar(16) not null,
-> primary key (user_id),
-> key user_id (user_id) );
insert into ftpaccounts(ftpusername, password) values ('ubuntu',
encrypt('ubuntu'));
First I was trying a wrong PW, to see what happens then:
Mar 20 14:08:59 xenial-test vsftpd[6447]: pam_mysql - MySQL error (Access
denied for user 'ubuntu'@'localhost' (using password: YES))
But then with that in place use ftp to connect.
$ ftp 10.0.4.174
Connected to 10.0.4.174.
220 Welcome to vsFTPd Server
Name (10.0.4.174:paelzer): ubuntu
331 Please specify the password.
Password:
*** stack smashing detected ***: /usr/sbin/vsftpd terminated
Login failed.
Now this is reported on the client, but the main vsftp process is just fine.
Maybe it spawns a process on each login.
No report on the vsftpd host in journal at all.
I "normalized" myself step by step.
First I replaced the custom vsftpd.conf in the description with the default one
from the package.
=> Same issue.
Resetting the /etc/pam.d/vsftpd made it working - at least that.
I also made a try keeping the content of the default pam, but then added
the pam_mysql lines at the end.
Eventually I found that of the two lines the "auth" one is the killing one.
Is working ok:
account required pam_mysql.so user=root passwd="" host=localhost db=test
table=ftpaccounts usercolumn=ftpusername passwdcolumn=password crypt=2
Triggers the bug:
auth required pam_mysql.so user=root passwd="" host=localhost db=test
table=ftpaccounts usercolumn=ftpusername passwdcolumn=password crypt=2
Then I was installing vsftpd-dbg and attached gdb to it.
As I expected it to fork its childs per connection I set
(gdb) set follow-fork-mode child
It seems it spawns two childs, and the second one is the one dying badly (not
the first).
Ok, then we try:
(gdb) set detach-on-fork off
With that on it is a bit of juggling processes but I finally reached this:
That still looks like a breakage in /lib/security/pam_mysql.so more than
anything else.
Add "libpam-mysql-dbgsym" on top and look again:
#0 0x00007f31168d5428 in __GI_raise (sig=sig@entry=6) at
../sysdeps/unix/sysv/linux/raise.c:54
#1 0x00007f31168d702a in __GI_abort () at abort.c:89
#2 0x00007f31169177ea in __libc_message (do_abort=do_abort@entry=1, Reading
symbols from /usr/lib/debug/lib/x86_64-linux-gnu/libcrypt-2.23.so...done.
Reading symbols from
/usr/lib/debug/.build-id/4d/7f52f335dc9665c2dcf308ce6514a6ae86dede.debug...done.
Reading symbols from /usr/lib/debug/lib/x86_64-linux-gnu/librt-2.23.so...done.
Reading symbols from /usr/lib/debug/lib/security/pam_mysql.so...done.
Reading symbols from /usr/lib/debug/lib/x86_64-linux-gnu/libm-2.23.so...done.
Reading symbols from
/usr/lib/debug/lib/x86_64-linux-gnu/libnss_compat-2.23.so...done.
Reading symbols from
/usr/lib/debug/lib/x86_64-linux-gnu/libnss_nis-2.23.so...done.
Reading symbols from
/usr/lib/debug/lib/x86_64-linux-gnu/libnss_files-2.23.so...done.
fmt=fmt@entry=0x7f3116a2e8a2 "*** %s ***: %s terminated\n") at
../sysdeps/posix/libc_fatal.c:175
#3 0x00007f31169b856c in __GI___fortify_fail (msg=<optimized out>,
msg@entry=0x7f3116a2e884 "stack smashing detected")
at fortify_fail.c:37
#4 0x00007f31169b8510 in __stack_chk_fail () at stack_chk_fail.c:28
#5 0x00007f311473cea1 in pam_mysql_check_passwd (ctx=0x55cbdb28a600,
user=<optimized out>, passwd=<optimized out>,
null_inhibited=null_inhibited@entry=1) at pam_mysql.c:2729
#6 0x00007f311473d22b in pam_sm_authenticate (pamh=0x55cbdb2685d0, flags=0,
argc=<optimized out>, argv=0x55cbdb271260)
at pam_mysql.c:3381
#7 0x00007f311751eea6 in ?? () from /lib/x86_64-linux-gnu/libpam.so.0
#8 0x00007f311751e61d in pam_authenticate () from
/lib/x86_64-linux-gnu/libpam.so.0
#9 0x000055cbda07558c in vsf_sysdep_check_auth
(p_user_str=p_user_str@entry=0x7ffe7a4f86c8,
p_pass_str=p_pass_str@entry=0x7ffe7a4f8610,
p_remote_host=p_remote_host@entry=0x7ffe7a4f8790) at sysdeputil.c:387
#10 0x000055cbda06d366 in handle_local_login (p_pass_str=0x7ffe7a4f8610,
p_user_str=0x7ffe7a4f86c8, p_sess=0x7ffe7a4f8670)
at privops.c:387
#11 handle_login (p_pass_str=0x7ffe7a4f8610, p_user_str=0x7ffe7a4f86c8,
p_sess=0x7ffe7a4f8670) at privops.c:338
#12 vsf_privop_do_login (p_sess=p_sess@entry=0x7ffe7a4f8670,
p_pass_str=p_pass_str@entry=0x7ffe7a4f8610) at privops.c:257
#13 0x000055cbda06c733 in process_login_req (p_sess=0x7ffe7a4f8670) at
twoprocess.c:318
#14 vsf_two_process_start (p_sess=0x7ffe7a4f8670) at twoprocess.c:112
#15 0x000055cbda061678 in main (argc=<optimized out>, argv=<optimized out>) at
main.c:252
So it seems the function pam_mysql_check_passwd is the stack smashing one.
vsftp in that case is only a trigger.
I wanted to compare that to the newer 0.8 version, but the changes are
so vast that one can hardly see individual changes.
With a file like that and sull sources for zesty I could selectively install
the 0.8 version
cat /etc/apt/preferences
Package: libpam-mysql
Pin: release n=zesty
Pin-Priority: 990
Package: *
Pin: release n=xenial
Pin-Priority: 900
Package: *
Pin: release o=Ubuntu
Pin-Priority: -10
With the 0.8 in place it does no more break with stack smashing (but instead
tells me my login is incorrect - which I think is wrong, but I already have a
severely modified setup, so might be unimportant).
TL;DR:
- repro as above
- bug in libpam_mysql
- stack smashing function pam_mysql_check_passwd
** Changed in: vsftpd (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1574911
Title:
vsftpd 500 oops stack smashing detected - Ubuntu 16.04
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/vsftpd/+bug/1574911/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
