Fix user enumeration vulnerability

Apply upstream patch to delay bailout for invalid authenticating user until after the packet containing the request has been fully parsed. Closes: #906236
author: Colin Watson <cjwatson@debian.org> 2018-08-17 12:28:26 +0100
committer: Colin Watson <cjwatson@debian.org> 2018-08-17 12:31:27 +0100
commit: 4641c58a3279f6b118f9562babaa0ee050a38619 (patch)
tree: 87718b668ec8a737c1729ee568207c2a384f6d61 /auth2-pubkey.c
parent: daf34b85afe25c10fac13e9cff16b25c3e3914e9 (diff)
parent: c4ca1497658e0508e8595ad74978c07bc92a18e3 (diff)
1 files changed, 14 insertions, 9 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 8024b1d6a..a9272b97f 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -89,19 +89,15 @@ userauth_pubkey(struct ssh *ssh)
 {
        Authctxt *authctxt = ssh->authctxt;
        struct passwd *pw = authctxt->pw;
-        struct sshbuf *b;
+        struct sshbuf *b = NULL;
        struct sshkey *key = NULL;
-        char *pkalg, *userstyle = NULL, *key_s = NULL, *ca_s = NULL;
+        char *pkalg = NULL, *userstyle = NULL, *key_s = NULL, *ca_s = NULL;
-        u_char *pkblob, *sig, have_sig;
+        u_char *pkblob = NULL, *sig = NULL, have_sig;
        size_t blen, slen;
        int r, pktype;
        int authenticated = 0;
        struct sshauthopt *authopts = NULL;
-        if (!authctxt->valid) {
-                debug2("%s: disabled because of invalid user", __func__);
-                return 0;
-        }
        if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 ||
            (r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 ||
            (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0)
@@ -168,6 +164,11 @@ userauth_pubkey(struct ssh *ssh)
                                fatal("%s: sshbuf_put_string session id: %s",
                                    __func__, ssh_err(r));
                }
+                if (!authctxt->valid || authctxt->user == NULL) {
+                        debug2("%s: disabled because of invalid user",
+                            __func__);
+                        goto done;
+                }
                /* reconstruct packet */
                xasprintf(&userstyle, "%s%s%s", authctxt->user,
                    authctxt->style ? ":" : "",
@@ -184,7 +185,6 @@ userauth_pubkey(struct ssh *ssh)
 #ifdef DEBUG_PK
                sshbuf_dump(b, stderr);
 #endif
                /* test for correct signature */
                authenticated = 0;
                if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) &&
@@ -193,7 +193,6 @@ userauth_pubkey(struct ssh *ssh)
                        authenticated = 1;
                }
                sshbuf_free(b);
-                free(sig);
                auth2_record_key(authctxt, authenticated, key);
        } else {
                debug("%s: test pkalg %s pkblob %s%s%s",
@@ -204,6 +203,11 @@ userauth_pubkey(struct ssh *ssh)
                if ((r = sshpkt_get_end(ssh)) != 0)
                        fatal("%s: %s", __func__, ssh_err(r));
+                if (!authctxt->valid || authctxt->user == NULL) {
+                        debug2("%s: disabled because of invalid user",
+                            __func__);
+                        goto done;
+                }
                /* XXX fake reply and always send PK_OK ? */
                /*
                 * XXX this allows testing whether a user is allowed
@@ -237,6 +241,7 @@ done:
        free(pkblob);
        free(key_s);
        free(ca_s);
+        free(sig);
        return authenticated;
 }
author	Colin Watson <cjwatson@debian.org>	2018-08-17 12:28:26 +0100
committer	Colin Watson <cjwatson@debian.org>	2018-08-17 12:31:27 +0100
commit	4641c58a3279f6b118f9562babaa0ee050a38619 (patch)
tree	87718b668ec8a737c1729ee568207c2a384f6d61 /auth2-pubkey.c
parent	daf34b85afe25c10fac13e9cff16b25c3e3914e9 (diff)
parent	c4ca1497658e0508e8595ad74978c07bc92a18e3 (diff)