x/crypto/ssh: Corrupting a byte of a client's private key results in panic, rather than authorization failure #42014

Closed
elansys-kc opened this issue Oct 16, 2020 · 1 comment

@elansys-kc elansys-kc commented Oct 16, 2020

What version of Go are you using (go version)?

go version go1.15.3 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/kc/.cache/go-build"
GOENV="/home/kc/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/kc/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/kc/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/go-1.15"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go-1.15/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="0"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build800146455=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Corrupted a byte in the read key, expecting an authorization failure.

func SSHBug() error {

	keyFile := "/home/kc/.ssh/test_ecdsa"
	key, err := ioutil.ReadFile(keyFile)
	if err != nil {
		log.Fatalf("unable to read private key: %v", err)
	}
	log.Print("Key Size ", len(key))
	key[200] = 0x0e
	signer, err := ssh.ParsePrivateKey(key)
	cred := ssh.PublicKeys(signer)

	config := &ssh.ClientConfig{
		User: "testSSH",
		Auth: []ssh.AuthMethod{
			cred,
		},
		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
	}

	conn, err := ssh.Dial("tcp", "10.192.170.1:443", config)
	if err != nil {
		log.Print(err)
		return err
	}
	defer conn.Close()
	return err
}

What did you expect to see?

Failed authorization like when using an uncorrupted but unauthorized key

What did you see instead?

elansftp.go:162: Key Size 756
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x57b435]

goroutine 1 [running]:
golang.org/x/crypto/ssh.publicKeyCallback.auth(0xc00009cb20, 0xc0000186e0, 0x20, 0x20, 0x5f0da6, 0x7, 0x62af20, 0xc000066000, 0x6290e0, 0xc000086540, ...)
/home/kc/go/src/golang.org/x/crypto/ssh/client_auth.go:204 +0xd5
golang.org/x/crypto/ssh.(*connection).clientAuthenticate(0xc000060080, 0xc00005c000, 0x0, 0xa)
/home/kc/go/src/golang.org/x/crypto/ssh/client_auth.go:44 +0x343
golang.org/x/crypto/ssh.(*connection).clientHandshake(0xc000060080, 0x5f2934, 0x10, 0xc00005c000, 0x0, 0x0)
/home/kc/go/src/golang.org/x/crypto/ssh/client.go:113 +0x2c5
golang.org/x/crypto/ssh.NewClientConn(0x62c5c0, 0xc00000e010, 0x5f2934, 0x10, 0xc000041e80, 0x62c5c0, 0xc00000e010, 0x0, 0x0, 0x5c8001, ...)
/home/kc/go/src/golang.org/x/crypto/ssh/client.go:83 +0xf8
golang.org/x/crypto/ssh.Dial(0x5f051c, 0x3, 0x5f2934, 0x10, 0xc000041e80, 0x629140, 0xc000084730, 0xb)
/home/kc/go/src/golang.org/x/crypto/ssh/client.go:177 +0xbb
main.SSHBug(0x0, 0x0)
/home/kc/code/Experiments/GoSSHTest/elansftp.go:175 +0x31d
main.main()
/home/kc/code/Experiments/GoSSHTest/elansftp.go:280 +0x3b

@gopherbot gopherbot added this to the Unreleased milestone Oct 16, 2020

@elansys-kc elansys-kc commented Oct 16, 2020

signer is nil as I missed the error check following this line:
signer, err := ssh.ParsePrivateKey(key)

Apologies

@elansys-kc elansys-kc closed this Oct 16, 2020
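
The root cause named in the closing comment, reproduced as an added example (not code from the issue or from x/crypto): a dropped parse error leaves a nil signer whose first use panics, while checking the error turns the corrupted key into an ordinary failure. It uses the standard library's `encoding/pem` and `crypto/x509` in place of `ssh.ParsePrivateKey` so it runs without external modules; `testKeyPEM`, `loadSigner` and `uncheckedUse` are hypothetical names and the key is generated at run time.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

func testKeyPEM() []byte { // constructed sample input: a throwaway P-256 key
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	der, err := x509.MarshalECPrivateKey(k)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der})
}

// loadSigner (hypothetical helper) returns either a usable signer or an error.
func loadSigner(pemBytes []byte) (crypto.Signer, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, fmt.Errorf("private key: no valid PEM block")
	}
	k, err := x509.ParseECPrivateKey(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("private key: %w", err)
	}
	return k, nil
}

// uncheckedUse drops the parse error, as the reported code did, then uses the signer.
func uncheckedUse(pemBytes []byte) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	s, _ := loadSigner(pemBytes)
	return s.Public() == nil // method call on a nil interface panics here
}

func main() {
	bad := testKeyPEM()
	bad[40] = 0x0e // same kind of corruption as key[200] = 0x0e in the report
	_, err := loadSigner(bad)
	fmt.Printf("checked: %v; unchecked use panics: %v\n", err, uncheckedUse(bad))
}
```

In the reported code the equivalent fix is to return when `err` from `ssh.ParsePrivateKey` is non-nil, before `signer` is passed to `ssh.PublicKeys`.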