
Minor OpenSSH/pam vuln (non-exploitable)

The home page of the one-time password system otpw 
(http://www.cl.cam.ac.uk/~mgk25/otpw.html) has info about how OpenSSH doesn't 
correctly return PAM_CONV_ERR when a user cancels a login, but instead 
incorrectly calls pam_end(), which has the side effect that memory is not 
correctly scrubbed (or who knows what for other PAM modules). This info comes 
directly from the aforementioned website.

This has been reported via the appropriate bugzilla 
(http://bugzilla.mindrot.org/show_bug.cgi?id=632) but not yet fixed. 

If there are any hardware security tokens (for example) which might fail to go 
back to a locked state because of this bug, it might introduce an exploitable 
vulnerability in that situation. Otherwise, it just fails to provide all the 
security assurances it should (with respect to scrubbing the RAM).

If anyone who knows more about pam and OpenSSH has any further analysis to add, 
it would be much appreciated.