Oh, wow, this is brutal. They're shelling out to a command line program to do authentication, and not catching the "-" metacharacter in the username they shell out with, so you can pass options to that program.
That's why I like DBJs method. You still use a command line program, but you pass a filehandle that the authentication data can be read from.. this seems much safer than trying to parse and re-format that data as an intermediary. Also avoids any data leaks through the often unprotected 'cmdline'.
Is there some technical reason OpenBSD doesn't do this?
Probably historic compatibility. If making a breaking change this might be a good time to implement a design benefiting from decades of real world experiences.
Fair point. I associate DJB with security and coding best practices, Javascript not so much. I can only hope the comment I replied to meant DJB the person.
This feels like an old school vulnerability. Things like this were the norm in the 90's and early 2000's. It feels weird to see an exploit like this now in a large and well known project, and very weird for it to be in OpenBSD.
It just goes to show, as a user you can make informed choices in what software to use to reduce your security exposure, but that's not enough. You still need to pay attention to new problems that might pop up. No software is guaranteed to be safe in perpetuity.
In a world where we harden all of the things and write code in memory safe languages maybe memory corruption will be the old school vulnerability and this type of thing will be all that is left
> They're shelling out to a command line program to do authentication
Interesting to track who exactly "they" might have been, as many commenters are saying this is uncharacteristic for OpenBSD.
Looking at the patch, the first OpenBSD commit of this file [1] is from 2000 and says "from BSDI" in the commit message, did fork()+execve() at that time, and the BSDI copyright comment says 1995-1997.
Probable to say more recent OpenBSD stuff is likely not written this way, but that they have baggage like this in the tree from earlier times.
There have been many bugs in NetBSD code that are found and fixed. Quite often these bugs are in code shared with OpenBSD, but you never see them list it as such, as they import said fixes from NetBSD.
> We thank Theo de Raadt and the OpenBSD developers for their incredibly quick response: they published patches for these vulnerabilities less than 40 hours after our initial contact.
“this vulnerability is remotely exploitable in
smtpd, ldapd, and radiusd, but its real-world impact should be studied
on a case-by-case basis. For example, sshd is not exploitable thanks to
its defense-in-depth mechanisms.”
> this vulnerability is remotely exploitable in smtpd, ldapd, and radiusd, but its real-world impact should be studied on a case-by-case basis. For example, sshd is not exploitable thanks to its defense-in-depth mechanisms.
Does this mean OpenBSD will have to update the tagline on their website that says "Only two remote holes in the default install, in a heck of a long time!"?
This is an extremely silly set of conditions to attach to "remote hole". You can litigate it, and maybe win the argument, but you're just bold-facing the asterisk that was already next to that already-tortured claim.
Show me, as the owner of the openbsd server, how to change the default configuration to suit a purpose that exceeds the very limited set of services enabled.
Most of the issues are classified as Local privilege escalation, and none of the daemons mentioned are enabled by default, sshd can be enabled in the installer, but as the quote says "sshd is not exploitable thanks to its defense-in-depth mechanisms."
Neither are mines. PF blocks everything from the beginning, and no service is listening remotely.
Heck, even for _outbound_ mail I have to create a rule for smtpd.conf.
Half of the HN commenters do not know OpenBSD at all.
Smtpd (one of the mentioned daemons) is started in a default install. It is configured to do local mail delivery and can queue up remote deliveries for programs running on the system. It only connects to localhost and does not authenticate so this exploit would be irrelevant. If one did open an authenticated mail connection on an interface accessible to the world then the exploit would allow the system to be used as a spam relay.
Added: Just to be clear, this doesn't give any significant access to the system itself through smtpd even if it is configured to be remotely accessible. So not a possible remote hole. Dunno about other stuff.
> back in the day, everyone adapted its config somehow.
Yeah I know, although I don't remember coming across Tavis's config I did live through those heady days of customizing window managers and remember them with fondness. [Although that screenshot has emails dated 2006, which puts it well after that culture had peaked.]
I actually started using fvwm2 again recently on one of my machines, I am not sure why, maybe I had some nostalgia for that time period.
I had a tweaked fvwm2 from OpenBSD's vanilla setup, but nowadaws the less code I type and debug, the better. That's why I use cwm and I almost never code in C or strip unneded settings, everything else is scripted with good enough performance.
Back in the day I patched dwm and then Surf to enable WebGL among other nice stuff thanks to gobject being brain-damagedly easy.
Nowadays I am too lazy: cwm, tmux, mpg123, mpv+ytdl, vimb/iridium, UBo, Vimium, HTTPS ev, Priv badger, and I call it a day.
This discussion comes up a lot, and I'd make an opposing case. Rather than debating whether OpenBSD can reasonably say this - I'd suggest most Linux distributions could say it themselves if they so wanted.
Last time I installed CentOS the only port open on the firewall by default with OpenSSH after all.
Yes, patch as often as you can but I note that link you provide looks like a local priv. escalation, ie you have to be able to login to the box in some way.
This OBSD bug is externally exploitable.
Why did you single out an obscure Linux bug? There are quite a few other OSs available apart from OBSD.
"Default install" would be the key phrase here. By that metric, no need to update the tagline; smtpd doesn't do much by default, and SSH has other safeguards, so apparently a default install wouldn't be substantially impacted.
Still sucks for those of us who, you know, actually use smtpd on OpenBSD as a mail server. Thankfully it's just my personal one and I can afford to comment out the line(s) that actually enable outbound SMTP relaying, but still.
As long as you override a default PF install, go on. Because you can't. Even with a PF rule being set, you must set up smtpd.conf right.
Also no ldapd and radiusd is listening by default, and SSHD is secure by itself. And you are asked in the first install if you want to enable it at boot, btw.
Worth noting that this vuln passes you through authentication as an almost certainly invalid user - I expect the devs to put in more username validity checks, like the one ssh has, to mitigate this class of issues in the future.
(The second vuln listed is less sexy but escalates you to a real group.)
Oh true, I forgot that. Still the bug is not remotely exploitable, but I always wanted to send Xlock to /dev/null and propose a patched slock as an alternative. If OpenBSD got evilwm/cwm in base, why not slock? If the problem is the lack of keypresses' feedback on the screen, that could be solved in a easy way.
Yikes. This one just turned my mail server into an open relay (assuming any would-be attackers picked up on it running smtpd). Went ahead and shut off outbound mail delivery (so smtpd only accepts mail destined for my domain) until I can get this patched.
Kudos to the OpenBSD folks for getting a patch whipped up so quick, and thankfully SSH ain't affected, but Jesus.
So... are they gonna update the OpenBSD webpage to say "only three remote vulnerabilities in a heck of a long time?" Do these bugs represent a vulnerability to real systems deployed in the wild, or are they more of a theoretical threat?
reply