Package: rssh
Version: 2.3.2-12
Severity: important

Coin,

While testing if my configuration was ok, I just tried a simple interactive SSH and got a crash. The account has only access to rsync without chrooting.
Trace:
-----------------------------------------------------------------------------
[...]
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
Last login: Sat Oct 23 20:58:52 2010 from 2001:7a8:810:114::3

This account is restricted by rssh.
Allowed commands: rsync

If you believe this is in error, please contact your system administrator.

*** glibc detected *** -rssh: malloc(): memory corruption: 0x0000000001f537b0 ***
======= Backtrace: =========
/lib/libc.so.6(+0x71ad6)[0x7fd98d4b5ad6]
/lib/libc.so.6(+0x74b6d)[0x7fd98d4b8b6d]
/lib/libc.so.6(__libc_malloc+0x70)[0x7fd98d4ba930]
-rssh[0x403123]
-rssh[0x4035bb]
-rssh[0x404178]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7fd98d462c4d]
-rssh[0x401019]
======= Memory map: ========
00400000-00406000 r-xp 00000000 08:11 195596 /usr/bin/rssh
00606000-00607000 rw-p 00006000 08:11 195596 /usr/bin/rssh
01f53000-01f74000 rw-p 00000000 00:00 0 [heap]
Connection to xxx closed.
-----------------------------------------------------------------------------

I rebuilt rssh with symbols, but the way glibc generates the trace seems to ignore them. So I logged in as the involved user with a forced shell, and generated a trace with gdb:

-----------------------------------------------------------------------------
Program received signal SIGABRT, Aborted.
0x00007ffff7ab0165 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64 ../nptl/sysdeps/unix/sysv/linux/raise.c: Permission denied.
        in ../nptl/sysdeps/unix/sysv/linux/raise.c
(gdb) bt
#0 0x00007ffff7ab0165 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x00007ffff7ab2f70 in *__GI_abort () at abort.c:92
#2 0x00007ffff7ae627b in __libc_message (do_abort=<value optimized out>, fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
#3 0x00007ffff7aefad6 in malloc_printerr (action=3, str=0x7ffff7ba3bd0 "malloc(): memory corruption", ptr=<value optimized out>) at malloc.c:6267
#4 0x00007ffff7af2b6d in _int_malloc (av=0x7ffff7ddae40, bytes=<value optimized out>) at malloc.c:4396
#5 0x00007ffff7af4930 in *__GI___libc_malloc (bytes=90) at malloc.c:3661
#6 0x0000000000403123 in log_msg (msg=0x4050b0 "user %s attempted to log in with a shell") at log.c:150
#7 0x00000000004035bb in fail (flags=16, argc=1, argv=0x7fffffffe658) at util.c:115
#8 0x0000000000404178 in main (argc=1, argv=0x7fffffffe658) at main.c:133
-----------------------------------------------------------------------------

As this might open a security hole, I choose to bump the severity a bit.

Regards.

-- 
Marc Dequènes (Duck)