List: openssh-bugs
Subject: [Bug 3255] New: Problem in Pattern matching
From: bugzilla-daemon@mindrot.org
Date: 2021-01-24 18:08:16
Message-ID: bug-3255-705@https.bugzilla.mindrot.org/
https://bugzilla.mindrot.org/show_bug.cgi?id=3255
Bug ID: 3255
Summary: Problem in Pattern matching
Product: Portable OpenSSH
Version: 8.4p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: security
Priority: P5
Component: sshd
Assignee: unassigned-bugs@mindrot.org
Reporter: andres@antai-group.com
Created attachment 3467
--> https://bugzilla.mindrot.org/attachment.cgi?id=3467&action=edit
PoC - triggers infinite loop in match_pattern()
I have just uncovered a problem that seems to occur in match_pattern():
a malcrafted input can send the function into an infinite loop.
NOTE: As match_pattern() is invoked from auth.c [allowed_user() ->
ga_match() -> match_pattern()] for authentication checks, there could
be a security impact under some contexts; this needs to be
investigated. Just in case, I am opening the issue as private.
This affects both the server (sshd) and the client (ssh, if you load
a config file).
Impact
- Availability of server/client application
- There could be impact on confidentiality; the call flow from auth.c
to ga_match() -> match_pattern() has to be investigated.
I am attaching a test scenario in which client/server get stuck in the
match_pattern() loop when attempting to load a malcrafted config file.
Filename: "infinite-loop.conf"
Quick Testing:
SERVER: /usr/sbin/sshd -f infinite-loop.conf
CLIENT: ssh -F infinite-loop.conf localhost
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs