
| Subject: | Bug in Openssl when used with Openssh and PADL's nss_ldap |
|---|---|
| Date: | Sun, 21 May 2006 22:53:15 +0100 |

I am using Openssh 3.8.1p1 on Solaris 2.8 compiled with gcc 3.2.3. I have
nsswitch configured to use file and PADL's ldap module.

When I use nss_ldap without SSL I can log in without problem, but with SSL
enabled sshd crashes. I first tried openssl 0.9.6m, which crashes in err_cmp
(line 637):

```c
635 static int err_cmp(ERR_STRING_DATA *a, ERR_STRING_DATA *b)
636     {
637     return((int)(a->error-b->error));
638     }
639
```

```
#0 err_cmp (a=0xfee7adbc, b=0xfeb7adbc) at err.c:637
#1 0x950d8 in getrn (lh=0x134120, data=0xfeb7adbc, rhash=0x135350) at lhash.c:418
#2 0x94d40 in lh_insert (lh=0x134120, data=0xfeb7adbc) at lhash.c:189
#3 0x69e14 in ERR_load_strings (lib=218103808, str=0xfeb7adbc) at err.c:332
#4 0xfeb19de0 in ?? ()
#5 0xfeaf3d14 in ?? ()
#6 0xfef8422c in ?? ()
#7 0xff044e30 in ?? ()
#8 0xff046904 in ?? ()
#9 0xff028df4 in ?? ()
#10 0xff039020 in ?? ()
#11 0xff02896c in ?? ()
#12 0xff038bf0 in ?? ()
#13 0xff02eda0 in ?? ()
#14 0xff02f67c in ?? ()
#15 0xff072c90 in ?? ()
#16 0xff07292c in ?? ()
#17 0xff073ad0 in ?? ()
#18 0xff073f18 in ?? ()
#19 0xff076a60 in ?? ()
#20 0xff1498c4 in nss_search () from /usr/lib/libc.so.1
#21 0xff1994b0 in getspnam_r () from /usr/lib/libc.so.1
#22 0xfec737f0 in verify_local_name () from /lib/security/pam_krb5.so.1
#23 0xfec72734 in pam_sm_authenticate () from /lib/security/pam_krb5.so.1
#24 0xfed612a8 in pam_call_module (pamh=0x1246e8, library=0x121a68 "/lib/security/pam_krb5.so.1", function=0xfed61b70 "pam_sm_authenticate", flags=0, argc=1, argv=0xffbec9a0) at pam_local.c:198
#25 0xfed611b0 in pam_choose_module (f=0xfed61b70 "pam_sm_authenticate", pamh=0x1246e8, flags=0, argc=-10240, argv=0x11ff18) at pam_local.c:109
#26 0xfed612e0 in pam_sm_authenticate (pamh=0x121a68, flags=-4269664, argc=-10240, argv=0x11ff18) at pam_local.c:223
#27 0xff373098 in run_stack () from /usr/lib/libpam.so.1
#28 0xff373320 in pam_authenticate () from /usr/lib/libpam.so.1
#29 0x3f654 in sshpam_thread (ctxtp=0x124400) at auth-pam.c:353
#30 0x3f150 in pthread_create (thread=0x124400, attr=0x0, thread_start=0x3f5a0 <sshpam_thread>, arg=0x124400) at auth-pam.c:127
#31 0x3fbf8 in sshpam_init_ctx (authctxt=0x122f50) at auth-pam.c:534
#32 0x36908 in auth2_challenge_start (authctxt=0x122f50) at auth2-chall.c:199
#33 0x36868 in auth2_challenge (authctxt=0x122f50, devs=0x150d90 "") at auth2-chall.c:168
#34 0x373d4 in userauth_kbdint (authctxt=0x122f50) at auth2-kbdint.c:50
#35 0x320b4 in input_userauth_request (type=50, seq=7, ctxt=0x122f50) at auth2.c:195
#36 0x5119c in dispatch_run (mode=0, done=0x122f50, ctxt=0x122f50) at dispatch.c:93
#37 0x31cf0 in do_authentication2 (authctxt=0x122f50) at auth2.c:94
#38 0x2ac3c in main (ac=7, av=0x26) at sshd.c:1481
```

When I use openssl 0.9.8b, sshd crashes in obj_name_cmp (line 101):

```c
87  static int obj_name_cmp(OBJ_NAME *a, OBJ_NAME *b)
88      {
89      int ret;
90
91      ret=a->type-b->type;
92      if (ret == 0)
93          {
94          if ((name_funcs_stack != NULL)
95              && (sk_NAME_FUNCS_num(name_funcs_stack) > a->type))
96              {
97              ret=sk_NAME_FUNCS_value(name_funcs_stack,a->type)
98                  ->cmp_func(a->name,b->name);
99              }
100         else
101             ret=strcmp(a->name,b->name);
102         }
103     return(ret);
104     }
```

```
#0 0xff132d58 in strcmp () from /usr/lib/libc.so.1
#1 0x96660 in obj_name_cmp (a=0x121788, b=0x142290) at o_names.c:101
#2 0x950d8 in getrn (lh=0x120c50, data=0x142290, rhash=0x142278) at lhash.c:418
#3 0x94d40 in lh_insert (lh=0x120c50, data=0x142290) at lhash.c:189
#4 0x96208 in OBJ_NAME_add (name=0x0, type=2, data=0xfee7163c "") at o_names.c:175
#5 0x6d978 in EVP_add_cipher (c=0xfee7163c) at names.c:71
#6 0xfeeb4f70 in SSL_library_init () from /opt/DBssllib/lib/libssl.so.0.9.8
#7 0xff04478c in ldap_pvt_tls_init () at tls.c:169
#8 0xff046298 in ldap_int_tls_start (ld=0x12cb00, conn=0x12cb90, srv=0x12dbe8) at tls.c:1332
#9 0xff02906c in ldap_int_open_connection (ld=0x12cb00, conn=0x12cb90, srv=0x12cbf0, async=0) at open.c:365
#10 0xff038a3c in ldap_new_connection (ld=0x12cb00, srvlist=0x12cbf0, use_ldsb=1, connect=1231856, bind=0x0) at request.c:315
#11 0xff028af0 in ldap_open_defconn (ld=0x12cb00) at open.c:30
#12 0xff0385c0 in ldap_send_initial_request (ld=0x12cb00, msgtype=96, dn=0xff08c1a3 "uid=unixclient,dc=group,dc=com", ber=0x12cc20) at request.c:98
#13 0xff02ef60 in ldap_sasl_bind (ld=0x12cb00, dn=0xff08c1a3 "uid=unixclient,dc=group,dc=com", mechanism=0x0, cred=0xffbebe58, sctrls=0x0, cctrls=0x12cc20, msgidp=0xffbebe54) at sasl.c:148
#14 0xff02f720 in ldap_simple_bind (ld=0x12cb00, dn=0xff08c1a3 "uid=unixclient,dc=group,dc=com", passwd=0xff08c1f8 "dummy") at sbind.c:81
#15 0xff072c90 in do_bind (ld=0x12cb00, timelimit=5, dn=0xff08c1a3 "uid=unixclient,dc=group,dc=com", pw=0xff08c1f8 "dummy", with_sasl=0) at ldap-nss.c:1420
#16 0xff07292c in do_open () at ldap-nss.c:1277
#17 0xff073ad0 in _nss_ldap_search_s (args=0xffbec860, filterprot=0xff08e798 "(&(objectclass=posixGroup)(memberUid=%s))", sel=LM_GROUP, sizelimit=0, res=0xffbec85c) at ldap-ns.c:2285
#18 0xff074f68 in _nss_ldap_getgroupsbymember_r (be=0x12db88, args=0xffbecd5c) at ldap-grp.c:305
#19 0xff1498c4 in nss_search () from /usr/lib/libc.so.1
#20 0xff1986a0 in _getgroupsbymember () from /usr/lib/libc.so.1
#21 0xff140f08 in initgroups () from /usr/lib/libc.so.1
#22 0x30314 in temporarily_use_uid (pw=0x12b320) at uidswap.c:88
#23 0x37b54 in user_key_allowed2 (pw=0x12b320, key=0x12db70, file=0x12f280 "/home/moelma/.ssh/authorized_keys2") at auth2-pubkey.c:179
#24 0x37eb0 in user_key_allowed (pw=0x12b320, key=0x12db70) at auth2-pubkey.c:264
#25 0x37aa4 in userauth_pubkey (authctxt=0x123408) at auth2-pubkey.c:142
#26 0x320b4 in input_userauth_request (type=50, seq=6, ctxt=0x123408) at auth2.c:195
#27 0x5119c in dispatch_run (mode=0, done=0x123408, ctxt=0x123408) at dispatch.c:93
#28 0x31cf0 in do_authentication2 (authctxt=0x123408) at auth2.c:94
#29 0x2ac3c in main (ac=11, av=0x2a) at sshd.c:1481
```

In both cases a->error and a->name respectively are NULL. Is there a fix for
this?

BTW, it has also been reported on RedHat
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=121734 for pam_ldap.

Thanks

Markus
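
A triage aid for backtraces like the two above (an added example, not part of the original post): it classifies each frame by the image its code lives in and lists calls that pass from a shared object into code resident in the sshd executable. The frames are copied from the second backtrace with arguments shortened; `EXEC_LIMIT` and the function names `parse` and `crossings` are assumptions made for this example.

```python
import re

# Frames #0-#7 copied from the second (OpenSSL 0.9.8b) backtrace in the post,
# mail line-wrapping undone and argument lists shortened to (...).
SAMPLE_BT = """\
#0 0xff132d58 in strcmp () from /usr/lib/libc.so.1
#1 0x96660 in obj_name_cmp (...) at o_names.c:101
#2 0x950d8 in getrn (...) at lhash.c:418
#3 0x94d40 in lh_insert (...) at lhash.c:189
#4 0x96208 in OBJ_NAME_add (...) at o_names.c:175
#5 0x6d978 in EVP_add_cipher (...) at names.c:71
#6 0xfeeb4f70 in SSL_library_init () from /opt/DBssllib/lib/libssl.so.0.9.8
#7 0xff04478c in ldap_pvt_tls_init () at tls.c:169
"""

FRAME_RE = re.compile(
    r"^#(?P<n>\d+)\s+(?:(?P<pc>0x[0-9a-f]+) in )?(?P<func>\S+) \(.*?\)"
    r"(?: from (?P<lib>\S+))?(?: at (?P<src>\S+))?\s*$")

# Assumption: shared objects are mapped high in this 32-bit address space,
# so a PC below this bound lies in the sshd executable itself.
EXEC_LIMIT = 0x01000000

def parse(bt):
    frames = []
    for m in filter(None, map(FRAME_RE.match, bt.splitlines())):
        pc = int(m["pc"], 16) if m["pc"] else None
        if m["lib"]:
            image = m["lib"]            # gdb named the shared object
        elif pc is None:
            image = "<unknown>"         # innermost frame printed without a PC
        elif pc < EXEC_LIMIT:
            image = "<executable>"
        else:
            image = "<shared object>"   # high address, library name not shown
        frames.append({"n": int(m["n"]), "func": m["func"], "image": image})
    return frames

def crossings(frames):
    """Calls where a shared object enters code resident in the executable."""
    return [(caller["func"], caller["image"], callee["func"])
            for callee, caller in zip(frames, frames[1:])
            if callee["image"] == "<executable>"
            and caller["image"] != "<executable>"]

if __name__ == "__main__":
    for caller, image, callee in crossings(parse(SAMPLE_BT)):
        print(f"{caller} [{image}] calls {callee} [sshd executable]")
```

On the sample frames it reports `SSL_library_init` in `libssl.so.0.9.8` calling `EVP_add_cipher` inside the executable, which is the kind of boundary to examine when more than one copy of a library may be present in a process.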