PAM pgsql buffer overflow when dealing with long addresses

Bug #722386 reported by berend
Affects | Status | Importance | Assigned to | Milestone
pam-pgsql (Debian) | Fix Released | Unknown | |
pam-pgsql (Ubuntu) | Fix Released | Medium | Unassigned |
Lucid | Won't Fix | Undecided | Unassigned |
Maverick | Won't Fix | Undecided | Unassigned |
Natty | Fix Released | Medium | Unassigned |

Bug Description

Hi All,

On Amazon EC2 sshd crashes for logins from certain IP addresses. Situation:

I've set up sshd to allow password logins, i.e. in /etc/ssh/sshd_config I have:

PasswordAuthentication yes

I can log in from some IP addresses, but not others. This is a failed attempt (same user name), with sshd started on port 1090:

$ /usr/sbin/sshd -d -p 1090 -f /etc/ssh/sshd_config

The main thing is this message below:

*** buffer overflow detected ***: sshd: berend [priv] terminated

I've been advised to report the bug here: http://ubuntuforums.org/showthread.php?p=10477762#post10477762

Here are the full details:

debug1: sshd version OpenSSH_5.3p1 Debian-3ubuntu5
debug1: read PEM private key done: type RSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: rexec_argv[2]='-p'
debug1: rexec_argv[3]='1090'
debug1: rexec_argv[4]='-f'
debug1: rexec_argv[5]='/etc/ssh/sshd_config'
debug1: Bind to port 1090 on 0.0.0.0.
Server listening on 0.0.0.0 port 1090.
debug1: Bind to port 1090 on ::.
Server listening on :: port 1090.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 124.198.140.142 port 58881
debug1: Client protocol version 2.0; client software version OpenSSH_5.5p1 Debian-4ubuntu5
debug1: match: OpenSSH_5.5p1 Debian-4ubuntu5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu5
debug1: permanently_set_uid: 104/65534
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user berend service ssh-connection method none
debug1: attempt 0 failures 0
debug1: PAM: initializing for "berend"
debug1: PAM: setting PAM_RHOST to "124-198-140-142.dynamic.dsl.maxnet.co.nz"
debug1: PAM: setting PAM_TTY to "ssh"
Failed none for berend from 124.198.140.142 port 58881 ssh2
debug1: userauth-request for user berend service ssh-connection method password
debug1: attempt 1 failures 0
*** buffer overflow detected ***: sshd: berend [priv] terminated
======= Backtrace: =========
/lib/tls/i686/nosegneg/libc.so.6(__fortify_fail+0x50)[0xb7501320]
/lib/tls/i686/nosegneg/libc.so.6(+0xe421a)[0xb750021a]
/lib/tls/i686/nosegneg/libc.so.6(+0xe3958)[0xb74ff958]
/lib/tls/i686/nosegneg/libc.so.6(_IO_default_xsputn+0x9e)[0xb748685e]
/lib/tls/i686/nosegneg/libc.so.6(_IO_vfprintf+0xe34)[0xb7459eb4]
/lib/tls/i686/nosegneg/libc.so.6(__vsprintf_chk+0xad)[0xb74ffa0d]
/lib/tls/i686/nosegneg/libc.so.6(__sprintf_chk+0x2d)[0xb74ff94d]
/lib/security/pam_pgsql.so(pg_execParam+0xac)[0xb78318dc]
/lib/security/pam_pgsql.so(backend_authenticate+0x69)[0xb7832199]
/lib/security/pam_pgsql.so(pam_sm_authenticate+0x1b3)[0xb782f8f3]
/lib/libpam.so.0(+0x26ad)[0xb781a6ad]
/lib/libpam.so.0(pam_authenticate+0x4d)[0xb7819ebd]
sshd: berend [priv](+0x2bcd6)[0xb7884cd6]
sshd: berend [priv](+0xd13f)[0xb786613f]
sshd: berend [priv](+0x225f2)[0xb787b5f2]
sshd: berend [priv](+0x22daa)[0xb787bdaa]
sshd: berend [priv](+0x23779)[0xb787c779]
sshd: berend [priv](main+0x2761)[0xb7864e61]
/lib/tls/i686/nosegneg/libc.so.6(__libc_start_main+0xe6)[0xb7432bd6]
sshd: berend [priv](+0x8021)[0xb7861021]
======= Memory map: ========
debug1: do_cleanup
Aborted

Here is a correct login, same name, just connecting from a different IP address:

# /usr/sbin/sshd -d -p 1090 -f /etc/ssh/sshd_config
debug1: sshd version OpenSSH_5.3p1 Debian-3ubuntu5
debug1: read PEM private key done: type RSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: rexec_argv[2]='-p'
debug1: rexec_argv[3]='1090'
debug1: rexec_argv[4]='-f'
debug1: rexec_argv[5]='/etc/ssh/sshd_config'
debug1: Bind to port 1090 on 0.0.0.0.
Server listening on 0.0.0.0 port 1090.
debug1: Bind to port 1090 on ::.
Server listening on :: port 1090.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 50.17.251.129 port 50786
debug1: Client protocol version 2.0; client software version OpenSSH_5.3p1 Debian-3ubuntu5
debug1: match: OpenSSH_5.3p1 Debian-3ubuntu5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu5
debug1: permanently_set_uid: 104/65534
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user berend service ssh-connection method none
debug1: attempt 0 failures 0
Address 50.17.251.129 maps to smtp3.xplainhosting.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
debug1: PAM: initializing for "berend"
debug1: PAM: setting PAM_RHOST to "50.17.251.129"
debug1: PAM: setting PAM_TTY to "ssh"
Failed none for berend from 50.17.251.129 port 50786 ssh2
debug1: userauth-request for user berend service ssh-connection method password
debug1: attempt 1 failures 0
debug1: PAM: password authentication accepted for berend
debug1: do_pam_account: called
Accepted password for berend from 50.17.251.129 port 50786 ssh2
debug1: monitor_child_preauth: berend has been authenticated by privileged process
debug1: PAM: establishing credentials
User child is on pid 22181
debug1: SELinux support disabled
debug1: PAM: establishing credentials
debug1: permanently_set_uid: 1002/1001
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_global_request: rtype <email address hidden> want_reply 0
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_new: session 0
debug1: SELinux support disabled
debug1: session_pty_req: session 0 alloc /dev/pts/2
debug1: server_input_channel_req: channel 0 request env reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req env
debug1: server_input_channel_req: channel 0 request shell reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: Setting controlling tty using TIOCSCTTY.

I'm truly baffled by what is happening here. This is also a new development; I'm not sure exactly when it started, but somewhere along the Ubuntu 10.04 AMI updates, possibly in the last 2 months or so.

The crash only happens from certain IP addresses. I can always log in when using a key; crashes only happen when I request that a password be typed in.

Thanks,

Berend.

berend (berenddeboer)
security vulnerability: no → yes
Kees Cook (kees) wrote :

The backtrace shows that this is from the pgsql PAM module. A quick check of the code shows that it is assuming that h_addr is always an IPv4 when it may not be, resulting in a potential overflow of the buffer it creates to hold an IP address.

affects: openssh (Ubuntu) → pam-pgsql (Ubuntu)
Changed in pam-pgsql (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
summary: - sshd buffer overflow detected crash from certain ip addresses
+ PAM pgsql buffer overflow when dealing with IPv6 addresses
Kees Cook (kees) wrote : Re: PAM pgsql buffer overflow when dealing with IPv6 addresses

src/backend_pgsql.c pg_execParam():

        if(rhost != NULL && (hentry = gethostbyname(rhost)) != NULL) {
                /* Make IP string */
                raddr = malloc(16);
                sprintf(raddr, "%d.%d.%d.%d",
                        hentry->h_addr_list[0][0],
                        hentry->h_addr_list[0][1],
                        hentry->h_addr_list[0][2],
                        hentry->h_addr_list[0][3]);

summary: - PAM pgsql buffer overflow when dealing with IPv6 addresses
+ PAM pgsql buffer overflow when dealing with long addresses
Kees Cook (kees) wrote :

While 16 bytes should be enough for any IPv4 address, I wonder if this was resolving AAAA records for the host? Regardless, the crash was still seen.

Kees Cook (kees) wrote :

Ah, right. %d will produce signed output for the signed char values in h_addr_list:

#include <stdio.h>

int main(int argc, char * argv[])
{
    /* Plain char is signed on i386, so 198, 140 and 142 wrap to negative values */
    char h_addr_list[4] = { 124, 198, 140, 142 };

    /* What pam_pgsql does: %d applied to the signed char values */
    printf("%d.%d.%d.%d\n",
        h_addr_list[0], h_addr_list[1],
        h_addr_list[2], h_addr_list[3]);

    /* Casting to unsigned char yields the intended octets */
    printf("%d.%d.%d.%d\n",
        (unsigned char)h_addr_list[0], (unsigned char)h_addr_list[1],
        (unsigned char)h_addr_list[2], (unsigned char)h_addr_list[3]);

    return 0;
}

$ ./test
124.-58.-116.-114
124.198.140.142
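A worked check of the two analysis comments above (the IPv4-only assumption and the "%d" signedness), added here as an example and not code from pam-pgsql or from the commenter: it measures how many bytes the original format string needs for the reporter's two client addresses without writing anything, shows the bounded replacement, and goes beyond the page with format_hostent, which uses inet_ntop so an IPv6 result cannot overrun a buffer sized for IPv4. The 16-byte buffer size and the addresses come from the report; the function names are assumed.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/socket.h>

#define ORIGINAL_BUF 16   /* the malloc(16) in pg_execParam() */

/* Bytes, NUL included, that the original "%d.%d.%d.%d" needs for these four
 * octets when plain char is signed, as on the reporter's i686 system. Only the
 * length is measured; nothing is written, so this is safe to run anywhere. */
size_t buggy_needed_bytes(const unsigned char a[4])
{
    return (size_t)snprintf(NULL, 0, "%d.%d.%d.%d", (signed char)a[0],
            (signed char)a[1], (signed char)a[2], (signed char)a[3]) + 1;
}

/* Fix for the IPv4 case: unsigned octets and a bounded write.
 * Returns 0 on success, -1 if out is too small. */
int format_ipv4(const unsigned char a[4], char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "%u.%u.%u.%u", a[0], a[1], a[2], a[3]);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Beyond the page: format the first address of a hostent for whichever family
 * it carries, so an AAAA answer cannot overrun a buffer sized for IPv4.
 * out should hold INET6_ADDRSTRLEN bytes. Returns 0 on success, -1 on error. */
int format_hostent(const struct hostent *he, char *out, size_t outsz)
{
    if (he == NULL || he->h_addr_list == NULL || he->h_addr_list[0] == NULL)
        return -1;
    int want = he->h_addrtype == AF_INET ? 4 : he->h_addrtype == AF_INET6 ? 16 : -1;
    if (want < 0 || he->h_length != want)
        return -1;
    return inet_ntop(he->h_addrtype, he->h_addr_list[0], out,
                     (socklen_t)outsz) ? 0 : -1;
}

int main(void)
{
    /* Constructed octets: the crashing and the working client from the report */
    const unsigned char crash[4] = { 124, 198, 140, 142 };
    const unsigned char ok[4]    = { 50, 17, 251, 129 };
    char buf[INET_ADDRSTRLEN];

    printf("crash client: %zu bytes needed, buffer is %d -> %s\n",
           buggy_needed_bytes(crash), ORIGINAL_BUF,
           buggy_needed_bytes(crash) > ORIGINAL_BUF ? "overflow" : "fits");
    printf("ok client:    %zu bytes needed\n", buggy_needed_bytes(ok));
    if (format_ipv4(crash, buf, sizeof buf) == 0)
        printf("fixed output: %s\n", buf);
    return 0;
}
```

The working client's octets 251 and 129 also go negative, so "50.17.-5.-127" was wrong too; it merely fit in 16 bytes, which is why only some addresses crashed.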

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pam-pgsql - 0.7.1-4ubuntu1

---------------
pam-pgsql (0.7.1-4ubuntu1) natty; urgency=low

  * debian/patches/ipaddr-crash.patch: fix crash on long addresses that
    trigger signedness in "%d" (LP: #722386, Closes: 603436).
 -- Kees Cook <email address hidden> Mon, 21 Feb 2011 11:07:34 -0800

Changed in pam-pgsql (Ubuntu):
status: Confirmed → Fix Released
Kees Cook (kees)
Changed in pam-pgsql (Ubuntu Maverick):
status: New → Triaged
Changed in pam-pgsql (Ubuntu Lucid):
status: New → Triaged
Changed in pam-pgsql (Debian):
status: Unknown → New
Changed in pam-pgsql (Debian):
status: New → Fix Released
Ruben (info-rubenfelix) wrote : Re: [Bug 722386] Re: PAM pgsql buffer overflow when dealing with long addresses

Hey!

Thanks for your mail! I've slipped away to a nice warm country for a bit! I'll answer your mail after my holiday (11 October).

Cheers!

Ruben

Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. maverick has reached EOL (End of Life) and is no longer supported. As a result, this bug against maverick is being marked "Won't Fix". Please see https://wiki.ubuntu.com/Releases for currently supported Ubuntu releases.

Please feel free to report any other bugs you may find.

Changed in pam-pgsql (Ubuntu Maverick):
status: Triaged → Won't Fix
Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in pam-pgsql (Ubuntu Lucid):
status: Triaged → Won't Fix
This report contains Public Security information  
Everyone can see this security related information.
