Public key authentication bugs
- Subject: Public key authentication bugs
- From: Tilo Eckert <tilo.eckert@xxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Thu, 11 Jun 2015 16:50:55 +0200
- To: libssh@xxxxxxxxxx
Hi,

I found two related bugs when trying to authenticate with ssh_userauth_publickey_auto() against an OpenSSH server that is configured to require public key authentication followed by password authentication, i.e. sshd_config contains the line:

AuthenticationMethods publickey,password

Bug #1: ssh_userauth_publickey_auto() does not handle the SSH_AUTH_PARTIAL return code after the call to ssh_userauth_publickey() and therefore behaves as if we had sent a bad signature that does not match the offered public key. So instead of SSH_AUTH_PARTIAL, SSH_AUTH_DENIED is returned.

Bug #2: Due to Bug #1, session->auth_auto_state was freed because ssh_userauth_publickey() returned SSH_AUTH_PARTIAL, but none of the following ifs handled its return code. The following access to the 'state' variable is a use-after-free, resulting in memory corruption (in my case ssh_disconnect() segfaulted). So, this one is probably security related.

I attached a patch that fixes both bugs.

Regards,
Tilo
From 69a1f2a1bb7b53e4faf582056b4576f6c07fe743 Mon Sep 17 00:00:00 2001
From: tilo <tilo.eckert@xxxxxxx>
Date: Thu, 11 Jun 2015 16:43:27 +0200
Subject: [PATCH 1/1] SSH_AUTH_PARTIAL is now correctly passed to the caller +
fix for inherently unsafe return code handling
---
src/auth.c | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
mode change 100644 => 100755 src/auth.c
diff --git a/src/auth.c b/src/auth.c
old mode 100644
new mode 100755
index 20cac90..da8c4d9
--- a/src/auth.c
+++ b/src/auth.c
@@ -1045,15 +1045,14 @@ int ssh_userauth_publickey_auto(ssh_session session,
ssh_key_free(state->privkey);
ssh_key_free(state->pubkey);
SAFE_FREE(session->auth_auto_state);
- }
- if (rc == SSH_AUTH_ERROR) {
- return rc;
- } else if (rc == SSH_AUTH_SUCCESS) {
- SSH_LOG(SSH_LOG_INFO,
- "Successfully authenticated using %s",
- privkey_file);
+ if (rc == SSH_AUTH_SUCCESS) {
+ SSH_LOG(SSH_LOG_INFO,
+ "Successfully authenticated using %s",
+ privkey_file);
+ }
return rc;
- } else if (rc == SSH_AUTH_AGAIN){
+ }
+ if (rc == SSH_AUTH_AGAIN){
return rc;
}
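Review bot: the guard that opens the free block sits above the hunk, and with `return rc;` now unconditional inside that block, every result that enters it (including SSH_AUTH_DENIED, if the guard admits it) returns immediately instead of moving on to the next key; please confirm the guard frees the state only for results that end the key loop, so a key rejected with SSH_AUTH_DENIED still lets the next key be tried. The restructuring itself is sound: returning for every non-AGAIN result before the later code touches `state` is what removes the use-after-free, and dropping the separate SSH_AUTH_ERROR branch is fine because the shared `return rc;` covers it. Two smaller points: `if (rc == SSH_AUTH_AGAIN){` is missing the space before the brace, and the file mode flips from 100644 to 100755 (`old mode 100644` / `new mode 100755`), which looks accidental and should be dropped so src/auth.c does not become executable.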
--
2.4.2
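Added example (not libssh's code and not from Tilo's patch): a stand-alone C model of the return-code dispatch the post describes, with the fall-through defect beside a version that decides every result before the freed state can be reached, plus the caller-side handling of a partial result for publickey,password. The enum, struct, try_key() and the guard that frees the state are assumptions; the real function's guard is not visible in the hunk.

```c
#include <stdlib.h>
#include <stdbool.h>
/* Assumed stand-ins for the libssh result codes named in the post. */
enum { AUTH_ERROR = -1, AUTH_DENIED, AUTH_PARTIAL, AUTH_SUCCESS, AUTH_AGAIN };
/* Stand-in for the per-call state kept in session->auth_auto_state. */
struct auto_state { int key_index; int nkeys; };
/* Stand-in for ssh_userauth_publickey(): verdicts[] is the server's answer per key. */
static int try_key(const int *verdicts, int idx) { return verdicts[idx]; }

/* The defect the post describes: state is freed for every result except AGAIN
 * and DENIED (that guard is an assumption), but only ERROR, SUCCESS and AGAIN
 * return, so PARTIAL falls through to next-key code that still needs the state.
 * The model flags that path in *uaf and returns DENIED, as the caller observed. */
static int auto_buggy(const int *verdicts, int nkeys, bool *uaf)
{
    struct auto_state *state = calloc(1, sizeof *state);
    bool freed = false;
    *uaf = false;
    state->nkeys = nkeys;
    for (;;) {
        int rc = try_key(verdicts, state->key_index);
        if (rc != AUTH_AGAIN && rc != AUTH_DENIED) { free(state); freed = true; }
        if (rc == AUTH_ERROR || rc == AUTH_SUCCESS || rc == AUTH_AGAIN) return rc;
        if (freed) { *uaf = true; return AUTH_DENIED; } /* real code: use-after-free */
        if (++state->key_index >= state->nkeys) { free(state); return AUTH_DENIED; }
    }
}

/* Fixed dispatch: AGAIN keeps the state for the retry; ERROR, SUCCESS and PARTIAL
 * free it and return at once; only DENIED advances to the next key. */
static int auto_fixed(const int *verdicts, int nkeys)
{
    struct auto_state *state = calloc(1, sizeof *state);
    state->nkeys = nkeys;
    for (;;) {
        int rc = try_key(verdicts, state->key_index);
        if (rc == AUTH_AGAIN) return rc;
        if (rc != AUTH_DENIED) { free(state); return rc; }
        if (++state->key_index >= state->nkeys) { free(state); return AUTH_DENIED; }
    }
}

/* Caller side for "AuthenticationMethods publickey,password": PARTIAL from the
 * key stage means the password method must still be offered. */
static int client_login(const int *verdicts, int nkeys, bool password_ok)
{
    int rc = auto_fixed(verdicts, nkeys);
    if (rc == AUTH_PARTIAL) return password_ok ? AUTH_SUCCESS : AUTH_DENIED;
    return rc;
}
```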