Hello, welcome to the Friday, December 6th, 2019 edition of the Santernet Storm Center's Stormcast.

My name is Johannes Ulrich and I'm recording from San Francisco, California.

OpenBST has always had a reputation for very good security controls and thorough reviews of its features, often foregoing some

more advanced features for enhanced security. It's therefore somewhat surprising to find a

fairly easy authentication bypass in OpenBSD. The problem here is how users and passwords or authentication

credentials more generically are being validated. This is done using login underscore style and the

username is passed as a command line argument, but not properly escape,

meaning that if a username starts with dash s challenge, this is actually interpreted as a

command line parameter for login underscore style and can be used to bypass the login username and password check.

This can be trivially exploited against a number of different demons on OpenPSD, SMTPD, LDAB, the RadiusD, as well as S-S-H-D, which is probably the most critical here.

Also, SU, which then can lead to approach escalation, can be exploited using this trick.

This vulnerability was made public by Qualis and well since it's so trivial

really to exploit, proof-of-concept exploits have been made available by Qualis.

Qualis also found three other privilege escalation vulnerabilities in OpenBSD that have also been made public.

Qualis has reported these vulnerabilities to the OpenBSD team and within 40 hours of reporting

the vulnerability, OpenBSD has released an update addressing these issues.

And we also got an interesting vulnerability affecting several Linux and BSD distributions

that would allow a net hacker to learn some information about a VPN connection terminated

at that particular system.

Now, in order to exploit this vulnerability, the attacker has to be located within the same

network as the victim.

So, for example, I'm here at a hotel connected to the hotel's Wi-Fi network,

...