PAM pgsql buffer overflow when dealing with long addresses
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| pam-pgsql (Debian) | Fix Released | Unknown | | |
| pam-pgsql (Ubuntu) | Fix Released | Medium | Unassigned | |
| Lucid | Won't Fix | Undecided | Unassigned | |
| Maverick | Won't Fix | Undecided | Unassigned | |
| Natty | Fix Released | Medium | Unassigned | |
Bug Description
Hi All,
On Amazon EC2 sshd crashes for logins from certain IP addresses. Situation:
I've set up sshd to allow password logins, i.e. in /etc/ssh/
PasswordAuthent
I can login from some ip addresses, but not others. This is a failed attempt (same user name), with sshd started on port 1090:
```
$ /usr/sbin/sshd -d -p 1090 -f /etc/ssh/
```
The main thing is this message below:
*** buffer overflow detected ***: sshd: berend [priv] terminated
I've been advised to report the bug here: http://
Here are the full details:
```
debug1: sshd version OpenSSH_5.3p1 Debian-3ubuntu5
debug1: read PEM private key done: type RSA
debug1: Checking blacklist file /usr/share/
debug1: Checking blacklist file /etc/ssh/
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: Checking blacklist file /usr/share/
debug1: Checking blacklist file /etc/ssh/
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[
debug1: rexec_argv[1]='-d'
debug1: rexec_argv[2]='-p'
debug1: rexec_argv[
debug1: rexec_argv[4]='-f'
debug1: rexec_argv[
debug1: Bind to port 1090 on 0.0.0.0.
Server listening on 0.0.0.0 port 1090.
debug1: Bind to port 1090 on ::.
Server listening on :: port 1090.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 124.198.140.142 port 58881
debug1: Client protocol version 2.0; client software version OpenSSH_5.5p1 Debian-4ubuntu5
debug1: match: OpenSSH_5.5p1 Debian-4ubuntu5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-
debug1: permanently_
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: SSH2_MSG_
debug1: SSH2_MSG_
debug1: expecting SSH2_MSG_
debug1: SSH2_MSG_
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user berend service ssh-connection method none
debug1: attempt 0 failures 0
debug1: PAM: initializing for "berend"
debug1: PAM: setting PAM_RHOST to "124-198-
debug1: PAM: setting PAM_TTY to "ssh"
Failed none for berend from 124.198.140.142 port 58881 ssh2
debug1: userauth-request for user berend service ssh-connection method password
debug1: attempt 1 failures 0
*** buffer overflow detected ***: sshd: berend [priv] terminated
======= Backtrace: =========
/lib/tls/
/lib/tls/
/lib/tls/
/lib/tls/
/lib/tls/
/lib/tls/
/lib/tls/
/lib/security/
/lib/security/
/lib/security/
/lib/libpam.
/lib/libpam.
sshd: berend [priv](
sshd: berend [priv](
sshd: berend [priv](
sshd: berend [priv](
sshd: berend [priv](
sshd: berend [priv](
/lib/tls/
sshd: berend [priv](
======= Memory map: ========
b6e4f000-b6e6c000 r-xp 00000000 08:01 17215334 /lib/libgcc_s.so.1
b6e6c000-b6e6d000 r--p 0001c000 08:01 17215334 /lib/libgcc_s.so.1
b6e6d000-b6e6e000 rw-p 0001d000 08:01 17215334 /lib/libgcc_s.so.1
b6e6e000-b6e72000 r-xp 00000000 08:01 17068672 /lib/libnss_
b6e72000-b6e73000 r--p 00003000 08:01 17068672 /lib/libnss_
b6e73000-b6e74000 rw-p 00004000 08:01 17068672 /lib/libnss_
b6e74000-b6e7a000 r-xp 00000000 08:01 51648832 /usr/lib/
b6e7a000-b6e7b000 r--p 00006000 08:01 51648832 /usr/lib/
b6e7b000-b6e7c000 rw-p 00007000 08:01 51648832 /usr/lib/
b6e7c000-b6e7f000 rw-p 00000000 00:00 0
b6e88000-b6e8b000 r-xp 00000000 08:01 34566689 /lib/security/
b6e8b000-b6e8c000 r--p 00002000 08:01 34566689 /lib/security/
b6e8c000-b6e8d000 rw-p 00003000 08:01 34566689 /lib/security/
b6e8d000-b6e91000 r-xp 00000000 08:01 34016968 /lib/security/
b6e91000-b6e92000 r--p 00003000 08:01 34016968 /lib/security/
b6e92000-b6e93000 rw-p 00004000 08:01 34016968 /lib/security/
b6e93000-b6e9a000 r-xp 00000000 08:01 16813134 /lib/tls/
b6e9a000-b6e9b000 r--p 00006000 08:01 16813134 /lib/tls/
b6e9b000-b6e9c000 rw-p 00007000 08:01 16813134 /lib/tls/
b6e9c000-b6ed3000 r-xp 00000000 08:01 17241254 /lib/libdbus-
b6ed3000-b6ed4000 r--p 00036000 08:01 17241254 /lib/libdbus-
b6ed4000-b6ed5000 rw-p 00037000 08:01 17241254 /lib/libdbus-
b6ed5000-b6ed7000 r-xp 00000000 08:01 51637386 /usr/lib/
b6ed7000-b6ed8000 ---p 00002000 08:01 51637386 /usr/lib/
b6ed8000-b6ed9000 r--p 00002000 08:01 51637386 /usr/lib/
b6ed9000-b6eda000 rw-p 00003000 08:01 51637386 /usr/lib/
b6edb000-b6edd000 r-xp 00000000 08:01 34016959 /lib/security/
b6edd000-b6ede000 r--p 00001000 08:01 34016959 /lib/security/
b6ede000-b6edf000 rw-p 00002000 08:01 34016959 /lib/security/
b6edf000-b6ee1000 r-xp 00000000 08:01 34016964 /lib/security/
b6ee1000-b6ee2000 r--p 00001000 08:01 34016964 /lib/security/
b6ee2000-b6ee3000 rw-p 00002000 08:01 34016964 /lib/security/
b6ee3000-b6ee5000 r-xp 00000000 08:01 33597025 /lib/security/
b6ee5000-b6ee6000 r--p 00001000 08:01 33597025 /lib/security/
b6ee6000-b6ee7000 rw-p 00002000 08:01 33597025 /lib/security/
b6ee7000-b6eea000 r-xp 00000000 08:01 17215332 /lib/libgpg-
b6eea000-b6eeb000 r--p 00002000 08:01 17215332 /lib/libgpg-
b6eeb000-b6eec000 rw-p 00003000 08:01 17215332 /lib/libgpg-
b6eec000-b6f5c000 r-xp 00000000 08:01 17031231 /lib/libgcrypt.
b6f5c000-b6f5d000 r--p 00070000 08:01 17031231 /lib/libgcrypt.
b6f5d000-b6f5f000 rw-p 00071000 08:01 17031231 /lib/libgcrypt.
b6f5f000-b6f6e000 r-xp 00000000 08:01 50331789 /usr/lib/
b6f6e000-b6f6f000 r--p 0000e000 08:01 50331789 /usr/lib/
b6f6f000-b6f70000 rw-p 0000f000 08:01 50331789 /usr/lib/
b6f70000-b7006000 r-xp 00000000 08:01 50332370 /usr/lib/
b7006000-b700a000 r--p 00095000 08:01 50332370 /usr/lib/
b700a000-b700b000 rw-p 00099000 08:01 50332370 /usr/lib/
b700b000-b7021000 r-xp 00000000 08:01 50331792 /usr/lib/
b7021000-b7022000 r--p 00015000 08:01 50331792 /usr/lib/
b7022000-b7023000 rw-p 00016000 08:01 50331792 /usr/lib/
b7023000-b702e000 r-xp 00000000 08:01 50332673 /usr/lib/
b702e000-b702f000 r--p 0000a000 08:01 50332673 /usr/lib/
b702f000-b7030000 rw-p 0000b000 08:01 50332673 /usr/lib/
b7030000-b7074000 r-xp 00000000 08:01 50331818 /usr/lib/
b7074000-b7075000 r--p 00043000 08:01 50331818 /usr/lib/
b7075000-b7076000 rw-p 00044000 08:01 50331818 /usr/lib/
b7076000-b7077000 rw-p 00000000 00:00 0
b7077000-b70bb000 r-xp 00000000 08:01 33784538 /lib/i686/
b70bb000-b70bc000 r--p 00044000 08:01 33784538 /lib/i686/
b70bc000-b70bf000 rw-p 00045000 08:01 33784538 /lib/i686/
b70bf000-b70c1000 r-xp 00000000 08:01 17215697 /lib/libpam_
b70c1000-b70c2000 r--p 00001000 08:01 17215697 /lib/libpam_
b70c2000-b70c3000 rw-p 00002000 08:01 17215697 /lib/libpam_
b70c3000-b70e4000 r-xp 00000000 08:01 50389190 /usr/lib/
b70e4000-b70e5000 r--p 00020000 08:01 50389190 /usr/lib/
b70e5000-b70e6000 rw-p 00021000 08:01 50389190 /usr/lib/
b70e6000-b70e7000 r-xp 00000000 08:01 34016973 /lib/security/
b70e7000-b70e8000 r--p 00000000 08:01 34016973 /lib/security/
b70e8000-b70e9000 rw-p 00001000 08:01 34016973 /lib/security/
b70e9000-b70ea000 r-xp 00000000 08:01 34016949 /lib/security/
b70ea000-b70eb000 r--p 00000000 08:01 34016949 /lib/security/
b70eb000-b70ec000 rw-p 00001000 08:01 34016949 /lib/security/
b70ec000-b70ed000 r-xp 00000000 08:01 34016974 /lib/security/
b70ed000-b70ee000 r--p 00000000 08:01 34016974 /lib/security/
b70ee000-b70ef000 rw-p 00001000 08:01 34016974 /lib/security/
Aborted
```
Here is a correct login, same name, just connecting from a different IP address:
```
# /usr/sbin/sshd -d -p 1090 -f /etc/ssh/
debug1: sshd version OpenSSH_5.3p1 Debian-3ubuntu5
debug1: read PEM private key done: type RSA
debug1: Checking blacklist file /usr/share/
debug1: Checking blacklist file /etc/ssh/
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: Checking blacklist file /usr/share/
debug1: Checking blacklist file /etc/ssh/
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[
debug1: rexec_argv[1]='-d'
debug1: rexec_argv[2]='-p'
debug1: rexec_argv[
debug1: rexec_argv[4]='-f'
debug1: rexec_argv[
debug1: Bind to port 1090 on 0.0.0.0.
Server listening on 0.0.0.0 port 1090.
debug1: Bind to port 1090 on ::.
Server listening on :: port 1090.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 50.17.251.129 port 50786
debug1: Client protocol version 2.0; client software version OpenSSH_5.3p1 Debian-3ubuntu5
debug1: match: OpenSSH_5.3p1 Debian-3ubuntu5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-
debug1: permanently_
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: SSH2_MSG_
debug1: SSH2_MSG_
debug1: expecting SSH2_MSG_
debug1: SSH2_MSG_
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user berend service ssh-connection method none
debug1: attempt 0 failures 0
Address 50.17.251.129 maps to smtp3.xplainhos
debug1: PAM: initializing for "berend"
debug1: PAM: setting PAM_RHOST to "50.17.251.129"
debug1: PAM: setting PAM_TTY to "ssh"
Failed none for berend from 50.17.251.129 port 50786 ssh2
debug1: userauth-request for user berend service ssh-connection method password
debug1: attempt 1 failures 0
debug1: PAM: password authentication accepted for berend
debug1: do_pam_account: called
Accepted password for berend from 50.17.251.129 port 50786 ssh2
debug1: monitor_
debug1: PAM: establishing credentials
User child is on pid 22181
debug1: SELinux support disabled
debug1: PAM: establishing credentials
debug1: permanently_
debug1: Entering interactive session for SSH2.
debug1: server_
debug1: server_
debug1: input_session_
debug1: channel 0: new [server-session]
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_
debug1: server_
debug1: server_
debug1: session_by_channel: session 0 channel 0
debug1: session_
debug1: Allocating pty.
debug1: session_new: session 0
debug1: SELinux support disabled
debug1: session_pty_req: session 0 alloc /dev/pts/2
debug1: server_
debug1: session_by_channel: session 0 channel 0
debug1: session_
debug1: server_
debug1: session_by_channel: session 0 channel 0
debug1: session_
debug1: Setting controlling tty using TIOCSCTTY.
```
I'm truly baffled by what is happening here. This is also a new development; I'm not sure exactly when it started, but it was somewhere along the Ubuntu 10.04 AMI updates, possibly in the last 2 months or so.
The crash only happens from certain IP addresses. I can always log in when using a key; crashes only happen when I request that a password be typed in.
Thanks,
Berend.
- security vulnerability: no → yes
- Changed in pam-pgsql (Ubuntu Maverick): status: New → Triaged
- Changed in pam-pgsql (Ubuntu Lucid): status: New → Triaged
- Changed in pam-pgsql (Debian): status: Unknown → New
- Changed in pam-pgsql (Debian): status: New → Fix Released
The backtrace shows that this is from the pgsql PAM module. A quick check of the code shows that it is assuming that h_addr is always an IPv4 when it may not be, resulting in a potential overflow of the buffer it creates to hold an IP address.
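The defect class the triage comment describes, as an added C illustration that is not pam-pgsql's own source: a buffer sized on the assumption that `h_addr` is a 4-byte IPv4 address, filled without checking `h_addrtype`, next to a hardened renderer that validates family and length and lets `inet_ntop()` enforce the bound. The function names (`render_rhost_unsafe`, `render_rhost_safe`, `rhost_text_size`, `make_hostent`, `scenario_matches`) are hypothetical, and the `hostent` records are constructed by hand so the example runs offline; `124.198.140.142` is the client address from the report's log, and `2001:db8::1` is a documentation address standing in for a remote host whose name resolves to an AF_INET6 record. The "*** buffer overflow detected ***" line in the report is glibc's fortified-function abort, which is exactly what the unbounded `strcpy()` in the unsafe shape would trigger on a fortified build.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical illustration of the defect class named in the triage comment,
 * not pam-pgsql's own source: a PAM module resolves PAM_RHOST with
 * gethostbyname(3) and renders the first h_addr as text for later use. */

#define IPV4_TEXT_BUF 16   /* "255.255.255.255" plus NUL: the IPv4-only assumption */

/* Unsafe shape: the heap block is sized for a dotted quad before anyone looks
 * at h_addrtype, and the rendered text is copied in with no bound. An
 * AF_INET6 entry renders to up to 45 characters, so strcpy() writes past the
 * 16-byte block; glibc with _FORTIFY_SOURCE aborts with
 * "*** buffer overflow detected ***". Kept for contrast only; never called. */
char *render_rhost_unsafe(const struct hostent *he)
{
    char tmp[INET6_ADDRSTRLEN];
    char *out = malloc(IPV4_TEXT_BUF);              /* assumes IPv4 */
    if (out == NULL)
        return NULL;
    inet_ntop(he->h_addrtype, he->h_addr_list[0], tmp, sizeof tmp);
    strcpy(out, tmp);                               /* overflows for IPv6 */
    return out;
}

/* Text buffer size (NUL included) that a family needs; 0 means "refuse". */
size_t rhost_text_size(int family)
{
    switch (family) {
    case AF_INET:  return INET_ADDRSTRLEN;          /* 16 */
    case AF_INET6: return INET6_ADDRSTRLEN;         /* 46 */
    default:       return 0;
    }
}

/* Hardened shape: h_length must agree with h_addrtype, the caller's buffer
 * must be large enough for that family, and inet_ntop() writes straight into
 * it under its own bound. Returns 0 on success, -1 on any inconsistency; it
 * never truncates silently. */
int render_rhost_safe(const struct hostent *he, char *out, size_t outlen)
{
    size_t need = rhost_text_size(he->h_addrtype);
    size_t addrlen = (he->h_addrtype == AF_INET) ? sizeof(struct in_addr)
                                                 : sizeof(struct in6_addr);

    if (need == 0 || outlen < need)
        return -1;                                  /* unknown family or small buffer */
    if (he->h_length < 0 || (size_t)he->h_length != addrlen)
        return -1;                                  /* h_length disagrees with family */
    if (he->h_addr_list == NULL || he->h_addr_list[0] == NULL)
        return -1;
    if (inet_ntop(he->h_addrtype, he->h_addr_list[0], out, outlen) == NULL)
        return -1;
    return 0;
}

/* Constructed fixture: build a hostent by hand from a text address so the
 * example needs no resolver. h_length_override != 0 plants a wrong length. */
int make_hostent(struct hostent *he, int family, const char *text,
                 int h_length_override, unsigned char *storage, char **list)
{
    if (inet_pton(family, text, storage) != 1)
        return -1;
    memset(he, 0, sizeof *he);
    he->h_addrtype = family;
    he->h_length = h_length_override ? h_length_override
                                     : (family == AF_INET ? 4 : 16);
    list[0] = (char *)storage;
    list[1] = NULL;
    he->h_addr_list = list;
    return 0;
}

/* Scenario: render `text` of `family` into `outlen` bytes and compare with
 * `expect`. Returns 1 on a matching render, 0 on a mismatch, -1 when the
 * hardened renderer refuses, -2 if the fixture itself could not be built. */
int scenario_matches(int family, const char *text, int h_length_override,
                     size_t outlen, const char *expect)
{
    struct hostent he;
    unsigned char storage[16];
    char *list[2];
    char out[INET6_ADDRSTRLEN];

    if (make_hostent(&he, family, text, h_length_override, storage, list) != 0)
        return -2;
    if (render_rhost_safe(&he, out, outlen) != 0)
        return -1;
    return strcmp(out, expect) == 0;
}

int main(void)
{
    printf("IPv4 into 16 bytes: %d\n",
           scenario_matches(AF_INET, "124.198.140.142", 0, IPV4_TEXT_BUF, "124.198.140.142"));
    printf("IPv6 into 16 bytes: %d (refused rather than overflowed)\n",
           scenario_matches(AF_INET6, "2001:db8::1", 0, IPV4_TEXT_BUF, "2001:db8::1"));
    printf("IPv6 into 46 bytes: %d\n",
           scenario_matches(AF_INET6, "2001:db8::1", 0, INET6_ADDRSTRLEN, "2001:db8::1"));
    return 0;
}
```

The two sessions in the report differ precisely at the point this code guards: in the failing one PAM_RHOST was set to a hostname, in the working one to an IPv4 literal, so whatever the resolver returned for that hostname decided whether the IPv4-sized buffer was enough. Sizing the buffer from the address family (or simply always using `INET6_ADDRSTRLEN`) and refusing inconsistent `hostent` records removes that dependence on what a remote name happens to resolve to.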