x/crypto/ssh: Corrupting a byte of a client's private key results in panic, rather than authorization failure #42014

Closed
elansys-kc opened this issue Oct 16, 2020 · 1 comment

@elansys-kc

What version of Go are you using (go version)?

go version go1.15.3 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/kc/.cache/go-build"
GOENV="/home/kc/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/kc/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/kc/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/go-1.15"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go-1.15/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="0"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build800146455=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Corrupted a byte in the read key, expecting an authorization failure.

func SSHBug() error {

	keyFile := "/home/kc/.ssh/test_ecdsa"
	key, err := ioutil.ReadFile(keyFile)
	if err != nil {
		log.Fatalf("unable to read private key: %v", err)
	}
	log.Print("Key Size ", len(key))
	key[200] = 0x0e
	signer, err := ssh.ParsePrivateKey(key)
	cred := ssh.PublicKeys(signer)

	config := &ssh.ClientConfig{
		User: "testSSH",
		Auth: []ssh.AuthMethod{
			cred,
		},
		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
	}

	conn, err := ssh.Dial("tcp", "10.192.170.1:443", config)
	if err != nil {
		log.Print(err)
		return err
	}
	defer conn.Close()
	return err
}

What did you expect to see?

Failed authorization like when using an uncorrupted but unauthorized key

What did you see instead?

elansftp.go:162: Key Size 756
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x57b435]

goroutine 1 [running]:
golang.org/x/crypto/ssh.publicKeyCallback.auth(0xc00009cb20, 0xc0000186e0, 0x20, 0x20, 0x5f0da6, 0x7, 0x62af20, 0xc000066000, 0x6290e0, 0xc000086540, ...)
/home/kc/go/src/golang.org/x/crypto/ssh/client_auth.go:204 +0xd5
golang.org/x/crypto/ssh.(*connection).clientAuthenticate(0xc000060080, 0xc00005c000, 0x0, 0xa)
/home/kc/go/src/golang.org/x/crypto/ssh/client_auth.go:44 +0x343
golang.org/x/crypto/ssh.(*connection).clientHandshake(0xc000060080, 0x5f2934, 0x10, 0xc00005c000, 0x0, 0x0)
/home/kc/go/src/golang.org/x/crypto/ssh/client.go:113 +0x2c5
golang.org/x/crypto/ssh.NewClientConn(0x62c5c0, 0xc00000e010, 0x5f2934, 0x10, 0xc000041e80, 0x62c5c0, 0xc00000e010, 0x0, 0x0, 0x5c8001, ...)
/home/kc/go/src/golang.org/x/crypto/ssh/client.go:83 +0xf8
golang.org/x/crypto/ssh.Dial(0x5f051c, 0x3, 0x5f2934, 0x10, 0xc000041e80, 0x629140, 0xc000084730, 0xb)
/home/kc/go/src/golang.org/x/crypto/ssh/client.go:177 +0xbb
main.SSHBug(0x0, 0x0)
/home/kc/code/Experiments/GoSSHTest/elansftp.go:175 +0x31d
main.main()
/home/kc/code/Experiments/GoSSHTest/elansftp.go:280 +0x3b

@gopherbot gopherbot added this to the Unreleased milestone Oct 16, 2020
@elansys-kc
Author

signer is nil as I missed the error check following this line:
signer, err := ssh.ParsePrivateKey(key)

Apologies

@golang golang locked and limited conversation to collaborators Oct 16, 2021
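
An added example (not code from the issue or from x/crypto/ssh) of the check the reporter identified as missing: the key parser's error is handled before the signer is used, so a corrupted key produces an error instead of a nil signer. It uses the standard library's x509.ParseECPrivateKey as a stand-in for ssh.ParsePrivateKey so that it runs without external modules; loadSigner and constructedKeys are hypothetical names, and the key is generated on the fly as constructed sample input.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// loadSigner (hypothetical helper) parses a PEM EC private key and fails closed.
func loadSigner(pemBytes []byte) (crypto.Signer, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, fmt.Errorf("key data contains no valid PEM block")
	}
	key, err := x509.ParseECPrivateKey(block.Bytes)
	if err != nil {
		// Return a literal nil, not key: a nil *ecdsa.PrivateKey stored in
		// the interface would compare != nil and hide the failure from callers.
		return nil, fmt.Errorf("parse private key: %w", err)
	}
	return key, nil
}

// constructedKeys returns a throwaway P-256 key and a copy with one byte corrupted.
func constructedKeys() (good, bad []byte) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	der, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		panic(err)
	}
	good = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der})
	bad = append([]byte(nil), good...)
	bad[len("-----BEGIN EC PRIVATE KEY-----\n")+10] = 0x0e // one body byte, as in the report
	return good, bad
}

func main() {
	_, bad := constructedKeys()
	_, err := loadSigner(bad)
	fmt.Println("corrupted key:", err)
}
```

With x/crypto/ssh the same check goes directly after ssh.ParsePrivateKey, before the signer is passed to ssh.PublicKeys.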