Oh, wow, this is brutal. They're shelling out to a command line program to do authentication, and not catching the "-" metacharacter in the username they shell out with, so you can pass options to that program.
That's why I like DBJs method. You still use a command line program, but you pass a filehandle that the authentication data can be read from.. this seems much safer than trying to parse and re-format that data as an intermediary. Also avoids any data leaks through the often unprotected 'cmdline'.
Is there some technical reason OpenBSD doesn't do this?
Probably historic compatibility. If making a breaking change this might be a good time to implement a design benefiting from decades of real world experiences.
Fair point. I associate DJB with security and coding best practices, Javascript not so much. I can only hope the comment I replied to meant DJB the person.
This feels like an old school vulnerability. Things like this were the norm in the 90's and early 2000's. It feels weird to see an exploit like this now in a large and well known project, and very weird for it to be in OpenBSD.
It just goes to show, as a user you can make informed choices in what software to use to reduce your security exposure, but that's not enough. You still need to pay attention to new problems that might pop up. No software is guaranteed to be safe in perpetuity.
In a world where we harden all of the things and write code in memory safe languages maybe memory corruption will be the old school vulnerability and this type of thing will be all that is left
> They're shelling out to a command line program to do authentication
Interesting to track who exactly "they" might have been, as many commenters are saying this is uncharacteristic for OpenBSD.
Looking at the patch, the first OpenBSD commit of this file [1] is from 2000 and says "from BSDI" in the commit message, did fork()+execve() at that time, and the BSDI copyright comment says 1995-1997.
Probable to say more recent OpenBSD stuff is likely not written this way, but that they have baggage like this in the tree from earlier times.
There have been many bugs in NetBSD code that are found and fixed. Quite often these bugs are in code shared with OpenBSD, but you never see them list it as such, as they import said fixes from NetBSD.
> We thank Theo de Raadt and the OpenBSD developers for their incredibly quick response: they published patches for these vulnerabilities less than 40 hours after our initial contact.
“this vulnerability is remotely exploitable in
smtpd, ldapd, and radiusd, but its real-world impact should be studied
on a case-by-case basis. For example, sshd is not exploitable thanks to
its defense-in-depth mechanisms.”
> this vulnerability is remotely exploitable in smtpd, ldapd, and radiusd, but its real-world impact should be studied on a case-by-case basis. For example, sshd is not exploitable thanks to its defense-in-depth mechanisms.
Does this mean OpenBSD will have to update the tagline on their website that says "Only two remote holes in the default install, in a heck of a long time!"?
This is an extremely silly set of conditions to attach to "remote hole". You can litigate it, and maybe win the argument, but you're just bold-facing the asterisk that was already next to that already-tortured claim.
Show me, as the owner of the openbsd server, how to change the default configuration to suit a purpose that exceeds the very limited set of services enabled.
Most of the issues are classified as Local privilege escalation, and none of the daemons mentioned are enabled by default, sshd can be enabled in the installer, but as the quote says "sshd is not exploitable thanks to its defense-in-depth mechanisms."
Neither are mines. PF blocks everything from the beginning, and no service is listening remotely.
Heck, even for _outbound_ mail I have to create a rule for smtpd.conf.
Half of the HN commenters do not know OpenBSD at all.
Smtpd (one of the mentioned daemons) is started in a default install. It is configured to do local mail delivery and can queue up remote deliveries for programs running on the system. It only connects to localhost and does not authenticate so this exploit would be irrelevant. If one did open an authenticated mail connection on an interface accessible to the world then the exploit would allow the system to be used as a spam relay.
Added: Just to be clear, this doesn't give any significant access to the system itself through smtpd even if it is configured to be remotely accessible. So not a possible remote hole. Dunno about other stuff.
> back in the day, everyone adapted its config somehow.
Yeah I know, although I don't remember coming across Tavis's config I did live through those heady days of customizing window managers and remember them with fondness. [Although that screenshot has emails dated 2006, which puts it well after that culture had peaked.]
I actually started using fvwm2 again recently on one of my machines, I am not sure why, maybe I had some nostalgia for that time period.
I had a tweaked fvwm2 from OpenBSD's vanilla setup, but nowadaws the less code I type and debug, the better. That's why I use cwm and I almost never code in C or strip unneded settings, everything else is scripted with good enough performance.
Back in the day I patched dwm and then Surf to enable WebGL among other nice stuff thanks to gobject being brain-damagedly easy.
Nowadays I am too lazy: cwm, tmux, mpg123, mpv+ytdl, vimb/iridium, UBo, Vimium, HTTPS ev, Priv badger, and I call it a day.
This discussion comes up a lot, and I'd make an opposing case. Rather than debating whether OpenBSD can reasonably say this - I'd suggest most Linux distributions could say it themselves if they so wanted.
Last time I installed CentOS the only port open on the firewall by default with OpenSSH after all.
Yes, patch as often as you can but I note that link you provide looks like a local priv. escalation, ie you have to be able to login to the box in some way.
This OBSD bug is externally exploitable.
Why did you single out an obscure Linux bug? There are quite a few other OSs available apart from OBSD.
"Default install" would be the key phrase here. By that metric, no need to update the tagline; smtpd doesn't do much by default, and SSH has other safeguards, so apparently a default install wouldn't be substantially impacted.
Still sucks for those of us who, you know, actually use smtpd on OpenBSD as a mail server. Thankfully it's just my personal one and I can afford to comment out the line(s) that actually enable outbound SMTP relaying, but still.
As long as you override a default PF install, go on. Because you can't. Even with a PF rule being set, you must set up smtpd.conf right.
Also no ldapd and radiusd is listening by default, and SSHD is secure by itself. And you are asked in the first install if you want to enable it at boot, btw.
Worth noting that this vuln passes you through authentication as an almost certainly invalid user - I expect the devs to put in more username validity checks, like the one ssh has, to mitigate this class of issues in the future.
(The second vuln listed is less sexy but escalates you to a real group.)
Oh true, I forgot that. Still the bug is not remotely exploitable, but I always wanted to send Xlock to /dev/null and propose a patched slock as an alternative. If OpenBSD got evilwm/cwm in base, why not slock? If the problem is the lack of keypresses' feedback on the screen, that could be solved in a easy way.
Yikes. This one just turned my mail server into an open relay (assuming any would-be attackers picked up on it running smtpd). Went ahead and shut off outbound mail delivery (so smtpd only accepts mail destined for my domain) until I can get this patched.
Kudos to the OpenBSD folks for getting a patch whipped up so quick, and thankfully SSH ain't affected, but Jesus.
So... are they gonna update the OpenBSD webpage to say "only three remote vulnerabilities in a heck of a long time?" Do these bugs represent a vulnerability to real systems deployed in the wild, or are they more of a theoretical threat?
92 comments
[ 3.6 ms ] story [ 146 ms ] threadIn case syspatch doesn't appear to do anything, check your /etc/updateurl, set it to the OpenBSD CDN, then run again.
Is there some technical reason OpenBSD doesn't do this?
starting with binary compatibility
with Linux and a lot of legacy stuff
which came from NetBSD and BSD 4.4 lite/BSD 4.3.
You described OpenBSD with that comment.
- Xenocara with rootless privileges as a fork of X
- LibreSSL
- Linux compat going away
- Pledge/Unveil
- Some daemons belonging to ports
- HTTPD/SMTPD and so on as replacement of bloated daemons
- OpenSSH itself
- Retguard
This vulnerability is bad, but pledge
and unveil will have even
more prominent roles in base soon, so even
if you get privs, you can do either nil or just crash because of pledge.
Seriously, how many other people make contributions in areas ranging all the way from number theory to hand-written machine code?
Here's the link to his website: https://cr.yp.to/djb.html
It just goes to show, as a user you can make informed choices in what software to use to reduce your security exposure, but that's not enough. You still need to pay attention to new problems that might pop up. No software is guaranteed to be safe in perpetuity.
Interesting to track who exactly "they" might have been, as many commenters are saying this is uncharacteristic for OpenBSD.
Looking at the patch, the first OpenBSD commit of this file [1] is from 2000 and says "from BSDI" in the commit message, did fork()+execve() at that time, and the BSDI copyright comment says 1995-1997.
Probable to say more recent OpenBSD stuff is likely not written this way, but that they have baggage like this in the tree from earlier times.
[1] https://cvsweb.openbsd.org/src/lib/libc/gen/auth_subr.c?rev=...
edited: make verb plural.
Awesome.
Lame.
Not using some form of shell escape in the first place, or knowing that they should?
Very lame.
“this vulnerability is remotely exploitable in smtpd, ldapd, and radiusd, but its real-world impact should be studied on a case-by-case basis. For example, sshd is not exploitable thanks to its defense-in-depth mechanisms.”
Edit: formatting.
Does this mean OpenBSD will have to update the tagline on their website that says "Only two remote holes in the default install, in a heck of a long time!"?
- Login with no SSH account
- Enable SSH
- Change PF rules
- Change the smtpd config
- Enable radiusd/ldapd without being root
- Running Xenocara's xlock when is not available on servers and I have no permissions
Can you exploit a bare OpenBSD install by default remotely, yes or not?
Everything else is bullshit.
And sshd is, by default:
- not exploitable by this bug
- PF rules are not set for incoming connections
The X issue. By default:
- PF doesn't accept any connection to X ports to
anything not coming from lo0, localhost interface
Smtpd. By default:
- it just listens on localhost
- there is no forwarding
- PF rules aren't enabled
So, no. Still holds.
Worth pointing that Linux has had a rough week as well, this one is pretty bad: https://www.openwall.com/lists/oss-security/2019/12/02/2
Patch your systems.
Added: Just to be clear, this doesn't give any significant access to the system itself through smtpd even if it is configured to be remotely accessible. So not a possible remote hole. Dunno about other stuff.
http://taviso.decsystem.org/img/screenshot.png
I am not trolling, he was cheered a lot
back in the day, everyone adapted
its config somehow.
Yeah I know, although I don't remember coming across Tavis's config I did live through those heady days of customizing window managers and remember them with fondness. [Although that screenshot has emails dated 2006, which puts it well after that culture had peaked.]
I actually started using fvwm2 again recently on one of my machines, I am not sure why, maybe I had some nostalgia for that time period.
Back in the day I patched dwm and then Surf to enable WebGL among other nice stuff thanks to gobject being brain-damagedly easy.
Nowadays I am too lazy: cwm, tmux, mpg123, mpv+ytdl, vimb/iridium, UBo, Vimium, HTTPS ev, Priv badger, and I call it a day.
Last time I installed CentOS the only port open on the firewall by default with OpenSSH after all.
This OBSD bug is externally exploitable.
Why did you single out an obscure Linux bug? There are quite a few other OSs available apart from OBSD.
https://www.openwall.com/lists/oss-security/2019/12/
Still sucks for those of us who, you know, actually use smtpd on OpenBSD as a mail server. Thankfully it's just my personal one and I can afford to comment out the line(s) that actually enable outbound SMTP relaying, but still.
Also is this going to increment the "X remote vulnerabilities in X years"?
Also no ldapd and radiusd is listening by default, and SSHD is secure by itself. And you are asked in the first install if you want to enable it at boot, btw.
(The second vuln listed is less sexy but escalates you to a real group.)
Most servers will not install Xenocara at all in order to avoid
most security and space issues, as a lot of them now are using
vmm(4) for testing purposes.
Also as xlock moved upsteeam, OpenBSD will stop importing xlock
and maybe the will implement a patched and pledge(4)d slock (with
some features such as passwd display as asterisks) as the
Xenocara's workstation locker.
If would not be weird at all. Today the default wm is FVWM because
of historical respect to BSD's/Unix, but the most common WM used
by OpenBSD fans is, by far, CWM, which came from evilwm.
As Xenocara was already a fork of X, having a patched slock as
"xenolock" would be the next logical step.
Because xlock(4) is a shitty security fest by itself. Not to
blame the OpenBSD developers, but the main project. It's full of
features and slock matches better the OpenBSD's philosophy.
Even mgba got patched.
I woudn't call that as "don't use it for anything".
OpenBSD Amsterdam (A well known provider in the circle of OpenBSD users) doesn't enable X by default on its autoinstall file:
https://openbsd.amsterdam/setup.html
EDIT: It enables xbase.tgz but not the rest.
They've even threatened to make just one big set since too many people are not installing all of them and then come ask for help .
https://marc.info/?t=156851721400002&r=1&w=2
Kudos to the OpenBSD folks for getting a patch whipped up so quick, and thankfully SSH ain't affected, but Jesus.
But it was close :)
[1]http://seclab.cs.ucdavis.edu/projects/testing/vulner/18.html
[2]https://www.symantec.com/security_response/attacksignatures/...