Memory write overflow in userauth_keyboard_interactive

[MarcoPoloPie]

Product
libssh2 library

Version
all

Date
2021-12-17

Vulnerability
libssh2 does not check userauth_kybd_auth_name_len which comes from a remote server and uses it as memcpy's argument. A remote attacker who compromises a SSH server may be able to crash the client when a user connects to the server.

PoC
https://gitee.com/zzixuan/libssh2-buffer-overflow-poc/tree/master/

Solution
Validate userauth_kybd_auth_name_len in advance.

[bagder]

First: you don't post suspected security flaws in the public. You hurt all users running this code.

Are you talking about this code?

libssh2/src/userauth.c

Lines 1769 to 1784 in 9990b38

	if(session->userauth_kybd_data_len >= 5) {
	/* string name (ISO-10646 UTF-8) */
	session->userauth_kybd_auth_name_len = _libssh2_ntohu32(s);
	s += 4;
	}
	else {
	_libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL,
	"userauth keyboard data buffer too small"
	"to get length");
	goto cleanup;
	}
	if(session->userauth_kybd_auth_name_len) {
	session->userauth_kybd_auth_name =
	LIBSSH2_ALLOC(session,
	session->userauth_kybd_auth_name_len);

I agree that blindly using the size is silly, but it does allocate a block with the given size before the copy is done. Is that not enough?

[bagder]

If the size is wrong, like too big, then the copy will indeed contain data from adjacent bytes in the packet and it will put that data into the memory area for userauth_kybd_auth_name - but I don't see how that makes it vulnerable, just wrong. It can of course lead to a crash, and thus this could possibly be used as a mild DOS. But then the server can always cause the client to disconnect...

[MarcoPoloPie]

Sorry for post poc first, and I've hidden the project. You are very right. The adjacent bytes can be copied to userauth_kybd_auth_name. This could be an info leak, but I think it can hardly be exploited because there are checks for the next fields, so the client would just exit or crash.

[LayZeeDK]

@MarcoPoloPie
Please refer to https://github.com/libssh2/libssh2/security/policy 🙂