sudo crashed with SIGSEGV in BN_is_zero() when using ECDSA keys with libpam-ssh-agent-auth

Bug #1869512 reported by no
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| pam-ssh-agent-auth (Debian) | Fix Released | Unknown | | |
| pam-ssh-agent-auth (Ubuntu) | Fix Released | Undecided | Marc Deslauriers | |
| Eoan | Won't Fix | Undecided | Unassigned | |
| Focal | Fix Released | Undecided | Marc Deslauriers | |

Bug Description

sudoers and pam sudo file attached. Steps to reproduce follow.

All operating systems except Ubuntu 19.10 and 20.04 seem to work. This includes Ubuntu 18.04, Fedora 21, and CentOS 8. Copying pam-ssh-agent-auth.so from 18.04 to 19.10 works.

$ sudo diff /etc/sudoers{.orig,}
8a9
> Defaults env_keep+=SSH_AUTH_SOCK

$ sudo diff /etc/pam.d/sudo{.orig,}
2a3
> auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys

$ rm .ssh/* && ssh-add -D
All identities removed.

$ ssh-keygen -N '' -q -f .ssh/id_rsa && ln -f .ssh/{id_rsa.pub,authorized_keys} && ssh-add
Identity added: /home/user/.ssh/id_rsa (user@ubuntu)

$ sudo -K; sudo id
uid=0(root) gid=0(root) groups=0(root)

Up to here works on everything I can find and serves to validate your config is working. Let’s try ECDSA now:

$ rm -f .ssh/* && ssh-add -D
All identities removed.

$ ssh-keygen -N '' -q -t ECDSA -f .ssh/id_ecdsa && ln -f .ssh/{id_ecdsa.pub,authorized_keys} && ssh-add
Identity added: /home/user/.ssh/id_ecdsa (/home/user/.ssh/id_ecdsa)

Crashes on 19.10-latest:
$ sudo -K; sudo id
Segmentation fault (core dumped)
$ dpkg-query -W libpam-ssh-agent-auth sudo
libpam-ssh-agent-auth:amd64 0.10.3-3build1
sudo 1.8.27-1ubuntu4.1

Works fine (same as RSA above) on 18.04.04-latest:
$ dpkg-query -W libpam-ssh-agent-auth sudo
libpam-ssh-agent-auth:amd64 0.10.3-1
sudo 1.8.21p2-3ubuntu1.2

Marking this security related in case it's exploitable because I don't have time to check. (sorry! SIGSEGV in pam makes me nervous)

ProblemType: Crash
DistroRelease: Ubuntu 20.04
Package: sudo 1.8.31-1ubuntu1
ProcVersionSignature: Ubuntu 5.4.0-18.22-generic 5.4.24
Uname: Linux 5.4.0-18-generic x86_64
ApportVersion: 2.20.11-0ubuntu21
Architecture: amd64
Date: Sat Mar 28 10:22:49 2020
ExecutablePath: /usr/bin/sudo
InstallationDate: Installed on 2020-03-28 (0 days ago)
InstallationMedia: Ubuntu 20.04 LTS "Focal Fossa" - Alpha amd64 (20200324)
ProcCmdline: sudo id
ProcEnviron: Error: [Errno 13] Permission denied: 'environ'
ProcMaps: Error: [Errno 13] Permission denied: 'maps'
SegvAnalysis: Failure: invalid literal for int() with base 16: 'Error:'
Signal: 11
SourcePackage: sudo
StacktraceTop:
 BN_is_zero () from /lib/x86_64-linux-gnu/libcrypto.so.1.1
 ?? () from /lib/x86_64-linux-gnu/libcrypto.so.1.1
 ssh_ecdsa_verify () from /lib/x86_64-linux-gnu/security/pam_ssh_agent_auth.so
 userauth_pubkey_from_id () from /lib/x86_64-linux-gnu/security/pam_ssh_agent_auth.so
 pamsshagentauth_find_authorized_keys () from /lib/x86_64-linux-gnu/security/pam_ssh_agent_auth.so
Title: sudo crashed with SIGSEGV in BN_is_zero()
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip lpadmin lxd plugdev sambashare sudo
VisudoCheck:
 /etc/sudoers: parsed OK
 /etc/sudoers.d/README: parsed OK
mtime.conffile..etc.pam.d.sudo: 2020-03-28T10:21:40.587320
mtime.conffile..etc.sudoers: 2020-03-28T10:21:14.402924
separator:
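
A triage check for the configuration used in the reproduction above, added here and not part of the original report or of pam-ssh-agent-auth: it reads a PAM service file for an active pam_ssh_agent_auth.so line and counts ECDSA entries in an authorized_keys file, which is the combination the reporter's ECDSA steps set up. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example. Paths are arguments so the check can run on copies of the files.

# Print the file= argument of each active pam_ssh_agent_auth.so auth line.
agent_auth_keyfiles() {
    awk '
        /^[ \t]*#/ { next }                          # skip commented-out lines
        $1 == "auth" && /pam_ssh_agent_auth\.so/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^file=/) { sub(/^file=/, "", $i); print $i }
        }' "$1"
}

# Count authorized_keys entries whose key type is ECDSA. The key type is not
# always the first field, because an entry may begin with options.
count_ecdsa_keys() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blanks
        { for (i = 1; i <= NF; i++)
              if ($i ~ /^ecdsa-sha2-nistp(256|384|521)$/) { n++; break } }
        END { print n + 0 }' "$1"
}

# Exit 0 when the module is enabled in the PAM file ($1) and the
# authorized_keys file ($2) holds at least one ECDSA key.
ecdsa_path_reachable() {
    [ -n "$(agent_auth_keyfiles "$1")" ] && [ "$(count_ecdsa_keys "$2")" -gt 0 ]
}

# Demo on constructed sample files (not taken from a real system).
demo_dir=$(mktemp -d)
printf '%s\n' 'auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys' \
    > "$demo_dir/sudo"
printf '%s\n' 'ecdsa-sha2-nistp256 AAAA-constructed user@ubuntu' \
    > "$demo_dir/authorized_keys"
if ecdsa_path_reachable "$demo_dir/sudo" "$demo_dir/authorized_keys"; then
    echo "pam_ssh_agent_auth enabled and ECDSA key present: check package version"
fi
rm -rf "$demo_dir"
```

On a host that matches, compare the output of `dpkg-query -W libpam-ssh-agent-auth` with the versions quoted in this report.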

no (fogrizzled) wrote :
tags: removed: need-amd64-retrace
no (fogrizzled) wrote :

Correction: segv on Debian 10, too. I'm sure you know better how to loop them in than I do.

no (fogrizzled)
description: updated
Seth Arnold (seth-arnold) wrote :

Hello no, I've tried to discover the problem by reading the pam_ssh_agent_auth sources without much success so far.

Do you have any log messages from the authentication process in sudo logs? syslog? journalctl? The module may emit additional information that might suggest what's going on.

Thanks

Marc Deslauriers (mdeslaur) wrote :

This is actually an issue in pam-ssh-agent-auth, and here's a possible patch to fix it.

affects: sudo (Ubuntu) → pam-ssh-agent-auth (Ubuntu)
Changed in pam-ssh-agent-auth (Ubuntu Eoan):
status: New → Confirmed
Changed in pam-ssh-agent-auth (Ubuntu Focal):
status: New → In Progress
assignee: nobody → Marc Deslauriers (mdeslaur)
information type: Private Security → Public Security
Seth Arnold (seth-arnold) wrote :

This was reported upstream a few months ago but apparently still unfixed:

https://github.com/jbeverly/pam_ssh_agent_auth/issues/18

Thanks

Changed in pam-ssh-agent-auth (Ubuntu Focal):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pam-ssh-agent-auth - 0.10.3-3ubuntu1

---------------
pam-ssh-agent-auth (0.10.3-3ubuntu1) focal; urgency=medium

  * Fix segfault when using ECDSA keys (LP: #1869512)
    - debian/patches/lp1869512.patch: properly initialize memory in
      ssh-ecdsa.c.

 -- Marc Deslauriers <email address hidden> Fri, 10 Apr 2020 12:48:27 -0400

Changed in pam-ssh-agent-auth (Ubuntu Focal):
status: Fix Committed → Fix Released
Changed in pam-ssh-agent-auth (Debian):
status: Unknown → New
Brian Murray (brian-murray) wrote :

The Eoan Ermine has reached end of life, so this bug will not be fixed for that release

Changed in pam-ssh-agent-auth (Ubuntu Eoan):
status: Confirmed → Won't Fix
Changed in pam-ssh-agent-auth (Debian):
status: New → Fix Released