Subject: [libssh2] #302: libssh2_session_handshake bug?

[libssh2] #302: libssh2_session_handshake bug?

From: libssh2 Trac <trac_at_libssh2.stuge.se>
Date: Tue, 14 Apr 2015 09:29:37 -0000

#302: libssh2_session_handshake bug?
--------------------+--------------------
 Reporter: 5m0k3 | Owner:
     Type: defect | Status: new
 Priority: normal | Milestone: 1.5.0
Component: crypto | Version: 1.5.0
 Keywords: | Blocked By:
   Blocks: |
--------------------+--------------------
 Hello, I was working on a password auditing tool using libssh2 and
 encountered the following issue when using with pthread.

 GDB output:

 [Thread debugging using libthread_db enabled]
 Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
 Core was generated by `./dm domains.txt user pass 500'.
 Program terminated with signal SIGSEGV, Segmentation fault.
 #0 0x00007ff0eaa3bbdc in ?? () from /lib/x86_64-linux-
 gnu/libcrypto.so.1.0.0
 (gdb) bt
 #0 0x00007ff0eaa3bbdc in ?? () from /lib/x86_64-linux-
 gnu/libcrypto.so.1.0.0
 #1 0xca62c1d6ca62c1d6 in ?? ()
 #2 0xca62c1d6ca62c1d6 in ?? ()
 #3 0xca62c1d6ca62c1d6 in ?? ()
 #4 0xca62c1d6ca62c1d6 in ?? ()
 #5 0xca62c1d6ca62c1d6 in ?? ()
 #6 0xca62c1d6ca62c1d6 in ?? ()
 #7 0xca62c1d6ca62c1d6 in ?? ()
 #8 0xca62c1d6ca62c1d6 in ?? ()
 #9 0x00007ff0eada8810 in ?? () from /lib/x86_64-linux-
 gnu/libcrypto.so.1.0.0
 #10 0x00007feeb000e400 in ?? ()
 #11 0x000000000000000f in ?? ()
 #12 0x00007ff0eaa3811f in SHA1_Update () from /lib/x86_64-linux-
 gnu/libcrypto.so.1.0.0
 #13 0x00007ff0eaab76ef in ?? () from /lib/x86_64-linux-
 gnu/libcrypto.so.1.0.0
 #14 0x00007ff0eaa6d72c in ?? () from /lib/x86_64-linux-
 gnu/libcrypto.so.1.0.0
 #15 0x00007ff0eb399f8a in diffie_hellman_sha1 () from
 /usr/lib/libssh2.so.1
 #16 0x00007ff0eb39c197 in
 kex_method_diffie_hellman_group14_sha1_key_exchange () from
 /usr/lib/libssh2.so.1
 #17 0x00007ff0eb39e1ad in _libssh2_kex_exchange () from
 /usr/lib/libssh2.so.1
 #18 0x00007ff0eb3a6c6e in session_startup () from /usr/lib/libssh2.so.1
 #19 0x00007ff0eb3a6efd in libssh2_session_handshake () from
 /usr/lib/libssh2.so.1
 #20 0x0000000000402023 in verhost (hostname=0x25f1700 "be-still.info",
 username=0x2560400 "be-still", password=0x25c1590 "be-still") at dm.c:248
 #21 0x00000000004021e2 in worker_thread (worker=0x1f2) at dm.c:287
 #22 0x00007ff0eb179182 in start_thread (arg=0x7fefb2fc1700) at
 pthread_create.c:312
 #23 0x00007ff0eaea647d in clone () at
 ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
 (gdb) frame 20
 #20 0x0000000000402023 in verhost (hostname=0x25f1700 "be-still.info",
 username=0x2560400 "be-still", password=0x25c1590 "be-still") at dm.c:248
 248 rc = libssh2_session_handshake(session, sockfd);
 (gdb)

 Here is the code for function causing problems:

 static int verhost(char *hostname, char *username, char *password) {
         if(hostname == NULL) return -1;
         if(username == NULL) return -1;

         int sockfd, rc;
         long arg;

         struct addrinfo hints, *res;
         int errcode;

         memset (&hints, 0, sizeof (hints));
         hints.ai_family = PF_UNSPEC;
         hints.ai_socktype = SOCK_STREAM;
         hints.ai_flags |= AI_CANONNAME;

         errcode = getaddrinfo (hostname, "22", &hints, &res);
         if (errcode != 0) return -1;

         sockfd = socket(AF_INET, SOCK_STREAM, 0);

         arg = fcntl(sockfd, F_GETFL, NULL);
         arg |= O_NONBLOCK;
         fcntl(sockfd, F_SETFL, arg);

         if (sockfd < 0) goto shutend;

         if (connect(sockfd, res->ai_addr, res->ai_addrlen) < 0) {
                 if (errno == EINPROGRESS) {
                         fd_set write_fds;
                         memset(&write_fds, 0, sizeof(write_fds));
                         FD_ZERO(&write_fds);
                         FD_SET(sockfd, &write_fds);
                         struct timeval tv;
                         int valopt;
                         tv.tv_sec = 5;
                         tv.tv_usec = 0;
                         if (select(sockfd+1, NULL, &write_fds, NULL, &tv)
> 0) {
                                 socklen_t lon;
                                 lon = sizeof(int);
                                 getsockopt(sockfd, SOL_SOCKET, SO_ERROR,
 (void*)(&valopt), &lon);
                                 if (valopt) goto shutend;
                         }
                         else goto shutend;
                 }
                 else goto shutend;
         }

         LIBSSH2_SESSION *session = libssh2_session_init();
         if(!session) goto shutend;

         libssh2_session_set_timeout(session, 10000);
         if(libssh2_session_get_timeout(session) > 10000) goto shutnow;

         rc = libssh2_session_handshake(session, sockfd);
         if (rc) goto shutnow;

         rc = libssh2_userauth_password(session, username, password);
         if (rc) printf("[!] Weak Login: %s - %s/%s\n", hostname, username,
 password);
         else libssh2_session_disconnect(session, "Normal Shutdown");

 shutnow:
         libssh2_session_free(session);

 shutend:
         close(sockfd);
         freeaddrinfo(res);
         return -1;
 }

 Let me know if you need anything else or if I am using libssh2 in a wrong
 manner. Thanks. 

-- 
Ticket URL: <https://trac.libssh2.org/ticket/302>
libssh2 <https://trac.libssh2.org/>
C library for writing portable SSH2 clients
_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2015-04-14