Subject: Re: PAM vulnerability in portable OpenSSH
To: Dag-Erling Smørgrav <des@des.no>
From: Damien Miller <djm@mindrot.org>
List: current-users
Date: 10/02/2003 20:26:03
On Thu, 2003-10-02 at 16:41, Dag-Erling Smørgrav wrote:
> Damien Miller <djm@mindrot.org> writes:
> > Dag-Erling Smørgrav wrote:
> > > XSSO page 89: "The parameter msg is a pointer to an array of length
> > > num_msg of the pam_message structure".
> > You don't seem to agree. The PAM code that you wrote for FreeBSD's
> > OpenSSH treats msg as an array of pointers, not a pointer to an array
> > of structs.
> 
> Not quite.  Part of the code treats it as an array of pointers, and
> part of it treats it as an array of structs.  That is quite simply a
> mistake that went undetected because it has no impact in the common
> case (num_msg == 1) and I don't know of any PAM modules which exercise
> the uncommon case (num_msg > 1).  In hindsight, of course, I should
> have written such a module for testing purposes.

Well, we saw instability on Solaris quite a while ago (2000?) because
Sun appeared to do the opposite. Linux PAM does the array of pointers
thing. So said one of the Linux-PAM developers anyway.

As a result we have had workaround code in portable OpenSSH since then
and have not received any complaints.

> > See my point? One of the vulnerabilities in the recent sshpam.adv was
> > due to a similar confusion.
> 
> Not "a similar confusion"; it is the exact same code (which btw was
> cut'n'pasted from OpenPAM's openpam_ttyconv(3)).

To pick a nit: the problem was with the prompts rather than the msg
parameter (which doesn't get written to).

-d
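The two calling conventions the thread argues about, as an added C example that is not code from OpenSSH, OpenPAM or anyone in this thread: the accessor is selected at compile time (the names PAM_SUN_CODEBASE and PAM_MSG_MEMBER are modelled on portable OpenSSH's workaround and should be read as illustrative), build_msgs lays out a two-message conversation in the compiled-for layout, and first_msg_same_under_both_layouts shows why a mismatched accessor stays hidden while num_msg == 1. The pam_message and pam_response stand-ins are assumed to mirror the standard header so the file builds without a PAM installation.

```c
#include <stdlib.h>
#include <string.h>
/* Stand-ins for the PAM types/constants from <security/pam_appl.h>, so this builds without PAM. */
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
enum { PAM_SUCCESS = 0, PAM_PROMPT_ECHO_OFF = 1, PAM_TEXT_INFO = 4, PAM_CONV_ERR = 19 };
/* Linux-PAM/OpenPAM pass an array of pointers to structs; Solaris passes a
 * pointer to an array of structs.  Pick the accessor at compile time
 * (illustrative macro names, modelled on the portable OpenSSH workaround). */
#ifdef PAM_SUN_CODEBASE
# define PAM_MSG_MEMBER(m, n, f) ((*(m))[(n)].f)
#else
# define PAM_MSG_MEMBER(m, n, f) ((m)[(n)]->f)
#endif
static char *dup_str(const char *s)   /* strdup without POSIX feature macros */
{ size_t n = strlen(s) + 1; char *p = malloc(n); return p ? memcpy(p, s, n) : NULL; }

/* Conversation function: answer hidden prompts with the secret in appdata,
 * acknowledge informational text, reject any other style.  msg is only read. */
int conv_fn(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata)
{
    struct pam_response *r = num_msg > 0 ? calloc(num_msg, sizeof *r) : NULL;
    if (r == NULL) return PAM_CONV_ERR;
    for (int i = 0; i < num_msg; i++) {
        switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
        case PAM_PROMPT_ECHO_OFF: r[i].resp = dup_str(appdata); break;
        case PAM_TEXT_INFO:       r[i].resp = NULL; break;
        default:
            while (i--) free(r[i].resp);
            free(r); return PAM_CONV_ERR;
        }
    }
    *resp = r;
    return PAM_SUCCESS;
}
/* Lay out n messages the way the compiled-for PAM passes them to conv_fn. */
const struct pam_message **build_msgs(const struct pam_message *src, int n)
{
    const struct pam_message **out;
#ifdef PAM_SUN_CODEBASE
    out = malloc(sizeof *out); *out = src;          /* one pointer to the array */
#else
    out = malloc(n * sizeof *out);
    for (int i = 0; i < n; i++) out[i] = &src[i];  /* one pointer per struct */
#endif
    return out;
}
/* Index 0 is the same address under both layouts, so a mismatched accessor
 * goes unnoticed as long as num_msg == 1 (the common case described above). */
int first_msg_same_under_both_layouts(const struct pam_message **msg)
{ return (const void *)msg[0] == (const void *)&(*msg)[0]; }
```

Compile with -DPAM_SUN_CODEBASE to build the Solaris-style layout; without it the Linux-PAM/OpenPAM layout is used, and in either case conv_fn reads every message of a multi-message conversation correctly.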