[Bug 1869512] [NEW] sudo crashed with SIGSEGV in BN_is_zero() when using ECDSA keys with libpam-ssh-agent-auth

Fri, 10 Apr 2020 09:50:26 -0700 

*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Marc Deslauriers 
(mdeslaur):

sudoers and pam sudo file attached. Steps to reproduce follow.

All operating systems except ubuntu 19.10 and 20.04 seem to work. This
includes ubuntu 18.04, fedora 21, and centos 8. Copying pam-ssh-agent-
auth.so from 18.04 to 19.10 works.

$ sudo diff /etc/sudoers{.orig,}
8a9
> Defaults      env_keep+=SSH_AUTH_SOCK

$ sudo diff /etc/pam.d/sudo{.orig,}
2a3
> auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys

$ rm .ssh/* && ssh-add -D
All identities removed.

$ ssh-keygen -N '' -q -f .ssh/id_rsa && ln -f .ssh/{id_rsa.pub,authorized_keys} 
&& ssh-add
Identity added: /home/user/.ssh/id_rsa (user@ubuntu)

$ sudo -K; sudo id
uid=0(root) gid=0(root) groups=0(root)

Up to here works on everything I can find and serves to validate your
config is working. Let’s try ECDSA now:

$ rm -f .ssh/* && ssh-add -D
All identities removed.

$ ssh-keygen -N '' -q -t ECDSA -f .ssh/id_ecdsa && ln -f 
.ssh/{id_ecdsa.pub,authorized_keys} && ssh-add
Identity added: /home/user/.ssh/id_ecdsa (/home/user/.ssh/id_ecdsa)```

Crashes on 19.10-latest:
$ sudo -K; sudo id
Segmentation fault (core dumped)
$ dpkg-query -W libpam-ssh-agent-auth sudo
libpam-ssh-agent-auth:amd64     0.10.3-3build1
sudo    1.8.27-1ubuntu4.1

Works fine (same as RSA above) on 18.04.04-latest:
$ dpkg-query -W libpam-ssh-agent-auth sudo
libpam-ssh-agent-auth:amd64     0.10.3-1
sudo    1.8.21p2-3ubuntu1.2

Marking this security related in case it's exploitable because I don't
have time to check. (sorry! SIGSEGV in pam makes me nervous)

ProblemType: Crash
DistroRelease: Ubuntu 20.04
Package: sudo 1.8.31-1ubuntu1
ProcVersionSignature: Ubuntu 5.4.0-18.22-generic 5.4.24
Uname: Linux 5.4.0-18-generic x86_64
ApportVersion: 2.20.11-0ubuntu21
Architecture: amd64
Date: Sat Mar 28 10:22:49 2020
ExecutablePath: /usr/bin/sudo
InstallationDate: Installed on 2020-03-28 (0 days ago)
InstallationMedia: Ubuntu 20.04 LTS "Focal Fossa" - Alpha amd64 (20200324)
ProcCmdline: sudo id
ProcEnviron: Error: [Errno 13] Permission denied: 'environ'
ProcMaps: Error: [Errno 13] Permission denied: 'maps'
SegvAnalysis: Failure: invalid literal for int() with base 16: 'Error:'
Signal: 11
SourcePackage: sudo
StacktraceTop:
 BN_is_zero () from /lib/x86_64-linux-gnu/libcrypto.so.1.1
 ?? () from /lib/x86_64-linux-gnu/libcrypto.so.1.1
 ssh_ecdsa_verify () from /lib/x86_64-linux-gnu/security/pam_ssh_agent_auth.so
 userauth_pubkey_from_id () from 
/lib/x86_64-linux-gnu/security/pam_ssh_agent_auth.so
 pamsshagentauth_find_authorized_keys () from 
/lib/x86_64-linux-gnu/security/pam_ssh_agent_auth.so
Title: sudo crashed with SIGSEGV in BN_is_zero()
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip lpadmin lxd plugdev sambashare sudo
VisudoCheck:
 /etc/sudoers: parsed OK
 /etc/sudoers.d/README: parsed OK
mtime.conffile..etc.pam.d.sudo: 2020-03-28T10:21:40.587320
mtime.conffile..etc.sudoers: 2020-03-28T10:21:14.402924
separator:

** Affects: pam-ssh-agent-auth (Ubuntu)
     Importance: Undecided
     Assignee: Marc Deslauriers (mdeslaur)
         Status: In Progress

** Affects: pam-ssh-agent-auth (Ubuntu Eoan)
     Importance: Undecided
         Status: Confirmed

** Affects: pam-ssh-agent-auth (Ubuntu Focal)
     Importance: Undecided
     Assignee: Marc Deslauriers (mdeslaur)
         Status: In Progress


** Tags: amd64 apport-crash focal
-- 
sudo crashed with SIGSEGV in BN_is_zero() when using ECDSA keys with 
libpam-ssh-agent-auth
https://bugs.launchpad.net/bugs/1869512
You received this bug notification because you are a member of Ubuntu Bugs, 
which is subscribed to the bug report.

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to