SSH Exploit Revealed (fwd)

Jay plug-discuss@lists.plug.phoenix.az.us
Wed, 26 Jun 2002 09:06:22 -0700 (MST)


*** OpenSSH Remote Root Exploit ***

Hey all. I just sent this to AZIPA and considering the severe impact of a
remote root exploit, and the fact that many of you are probably running
OpenSSH, I thought I'd forward it to PLUG too. Details below:

-- 
~Jay



---------- Forwarded message ----------
Date: Wed, 26 Jun 2002 09:04:33 -0700 (MST)
From: Jay <jay@edgeos.com>
To: AZIPA <azipa@yahoogroups.com>
Subject: SSH Exploit Revealed


*REMEMBER* OpenSSH is included in many products - you may be running it
and not even know it. If any of your equipment (routers, servers,
switches, toasters, etc...) supports secure remote login/management, then
chances are you're using some form of SSH.

There is a vulnerability in OpenSSH that allows an attacker to *remotely*
gain root/administrator/super-user (full control) over the system.

EdgeSecure already performs a test for this vulnerability - Threat
ID# 11031 - http://www.edgeos.com/threats/details.php?id=11031
An EdgeSecure Advanced Scan (http://www.edgeos.com) will quickly test any
of your systems for this security threat.

I have included the official OpenSSH advisory notice below. If you *are*
vulnerable to this threat, you should implement the solutions described
below. If your version of SSH is embedded in a device (like a router or
some vendor's server management software, for example), then you should
contact your vendor *immediately* for a patch.

-- 

== Jay Jacobson
== Edgeos, Inc. - Security is Critical - http://www.edgeos.com
== We help you to easily get control of your network's security.
== ...or some hacker can just take control instead. You decide.


--- OpenSSH Advisory ---


Subject: OpenSSH Security Advisory (adv.iss)

1. Versions affected:

        All versions of OpenSSH's sshd between 2.9.9 and 3.3
        contain an input validation error that can result in
        an integer overflow and privilege escalation.

        OpenSSH 3.4 and later are not affected.

        OpenSSH 3.2 and later prevent privilege escalation
        if UsePrivilegeSeparation is enabled in sshd_config.
        OpenSSH 3.3 enables UsePrivilegeSeparation by
        default.

        Although OpenSSH 2.9 and earlier are not affected
        upgrading to OpenSSH 3.4 is recommended, because
        OpenSSH 3.4 adds checks for a class of potential bugs.

2. Impact:

        This bug can be exploited remotely if
        ChallengeResponseAuthentication is enabled in sshd_config.

	Affected are at least systems supporting
	s/key over SSH protocol version 2 (OpenBSD, FreeBSD
	and NetBSD as well as other systems supporting
	s/key with SSH).  Exploitablitly of systems
	using PAM in combination has not been verified.

3. Short-Term Solution:

        Disable ChallengeResponseAuthentication in sshd_config.

	or

        Enable UsePrivilegeSeparation in sshd_config.

4. Solution:

	Upgrade to OpenSSH 3.4 or apply the following patches.

5. Credits:

	ISS.

Appendix:

A:

Index: auth2-chall.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v
retrieving revision 1.18
diff -u -r1.18 auth2-chall.c
--- auth2-chall.c	19 Jun 2002 00:27:55 -0000	1.18
+++ auth2-chall.c	26 Jun 2002 09:37:03 -0000
@@ -256,6 +256,8 @@

 	authctxt->postponed = 0;	/* reset */
 	nresp = packet_get_int();
+	if (nresp > 100)
+		fatal("input_userauth_info_response: nresp too big %u",
nresp);
 	if (nresp > 0) {
 		response = xmalloc(nresp * sizeof(char*));
 		for (i = 0; i < nresp; i++)
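Review bot: the cap lands in the right place, after packet_get_int() and before xmalloc(nresp * sizeof(char*)), so the product can no longer wrap on a 32-bit build, but 100 is an arbitrary bound; the tighter check is nresp against the number of prompts the server sent in the preceding info request, since the client has nothing else to answer and any other count is a protocol error rather than merely "too big". Note also that the fatal() call is split across two lines here, with "nresp);" on a line of its own and no leading "+", which looks like mail wrapping; anyone applying this by hand should re-join the line, otherwise patch(1) will reject the hunk.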

B:

Index: auth2-pam.c
===================================================================
RCS file: /var/cvs/openssh/auth2-pam.c,v
retrieving revision 1.12
diff -u -r1.12 auth2-pam.c
--- auth2-pam.c	22 Jan 2002 12:43:13 -0000	1.12
+++ auth2-pam.c	26 Jun 2002 10:12:31 -0000
@@ -140,6 +140,15 @@
 	nresp = packet_get_int();	/* Number of responses. */
 	debug("got %d responses", nresp);

+
+	if (nresp != context_pam2.num_expected)
+		fatal("%s: Received incorrect number of responses "
+		    "(expected %u, received %u)", __func__, nresp,
+		    context_pam2.num_expected);
+
+	if (nresp > 100)
+		fatal("%s: too many replies", __func__);
+
 	for (i = 0; i < nresp; i++) {
 		int j = context_pam2.prompts[i];
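Review bot: the fatal() arguments are swapped relative to the format string: "(expected %u, received %u)" is passed nresp first and context_pam2.num_expected second, so the log reports the received count as the expected one and vice versa; the call should read `__func__, context_pam2.num_expected, nresp`. The following `nresp > 100` check is unreachable unless context_pam2.num_expected itself exceeds 100, because every other value has already been rejected by the equality test; it is harmless, but deserves a comment saying it is a bound on num_expected rather than a second check on the client. The existing debug() on the line above also prints the unsigned nresp with %d, which will show huge counts as negative; %u would match the new fatal() messages.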

------------
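The bug the advisory describes, shown as an added example written for this post and not part of the OpenSSH advisory or its patches: on a 32-bit host the vulnerable sshd took an attacker-supplied 32-bit response count, multiplied it by sizeof(char *) in 32-bit arithmetic, and handed the wrapped result to xmalloc, after which the response loop stored far more pointers than the buffer held. The hardened parser below is a stand-in for the real auth2-chall.c code, not OpenSSH's: `MAX_RESPONSES`, `parse_info_response`, its `num_prompts` parameter and the two packets are assumptions made for the example, and the 32-bit multiply is modelled explicitly with uint32_t so the wrap is visible on any build.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Cap on keyboard-interactive responses; same arbitrary limit as the patches. */
#define MAX_RESPONSES 100

/* Model of the size the vulnerable code computed, nresp * sizeof(char *),
 * on a 32-bit host (sizeof(char *) == 4): the product wraps modulo 2^32. */
uint32_t vulnerable_alloc_size(uint32_t nresp)
{
    return nresp * (uint32_t)4;
}

/* 1 when the wrapped allocation is smaller than the nresp pointers the
 * response loop then stores into it, i.e. a heap overflow. */
int allocation_undersized(uint32_t nresp)
{
    return (uint64_t)vulnerable_alloc_size(nresp) < (uint64_t)nresp * 4;
}

/* Big-endian u32, the way packet_get_int() reads it off the wire. */
static uint32_t get_u32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

void free_responses(char **r, uint32_t n)
{
    uint32_t i;
    if (r == NULL)
        return;
    for (i = 0; i < n; i++)
        free(r[i]);
    free(r);
}

/* Hardened parse of an SSH_MSG_USERAUTH_INFO_RESPONSE body:
 * u32 nresp, then nresp SSH strings (u32 length + bytes).
 * num_prompts is the number of prompts the server sent in the preceding
 * INFO_REQUEST, so the only acceptable count is known in advance.
 * Returns the response count, or -1 on rejection; *out gets the array. */
int parse_info_response(const uint8_t *body, size_t len,
                        uint32_t num_prompts, char ***out)
{
    uint32_t nresp, i = 0;
    size_t off;
    char **response = NULL;

    *out = NULL;
    if (len < 4)
        return -1;
    nresp = get_u32(body);
    off = 4;

    /* Both checks run before any allocation sized by nresp. */
    if (nresp > MAX_RESPONSES || nresp != num_prompts)
        return -1;

    if (nresp > 0) {
        /* calloc refuses a count*size product that does not fit in size_t. */
        response = calloc(nresp, sizeof(char *));
        if (response == NULL)
            return -1;
    }
    for (i = 0; i < nresp; i++) {
        uint32_t slen;
        if (len - off < 4)
            goto fail;
        slen = get_u32(body + off);
        off += 4;
        if (slen > len - off)          /* string claims more than remains */
            goto fail;
        response[i] = malloc((size_t)slen + 1);
        if (response[i] == NULL)
            goto fail;
        memcpy(response[i], body + off, slen);
        response[i][slen] = '\0';
        off += slen;
    }
    *out = response;
    return (int)nresp;
fail:
    free_responses(response, i);
    return -1;
}

/* Constructed packets (not captured traffic): a well-formed answer to one
 * s/key prompt, and one whose count wraps the 32-bit multiply to 4 bytes. */
const uint8_t GOOD_PKT[] = { 0x00,0x00,0x00,0x01,
                             0x00,0x00,0x00,0x06, 's','3','c','r','e','t' };
const uint8_t EVIL_PKT[] = { 0x40,0x00,0x00,0x01,     /* nresp = 0x40000001 */
                             0x00,0x00,0x00,0x00 };   /* one empty string  */

int main(void)
{
    char **r = NULL;
    int n;
    printf("0x40000001 * 4 wraps to %u bytes, undersized=%d\n",
           vulnerable_alloc_size(0x40000001u), allocation_undersized(0x40000001u));
    n = parse_info_response(GOOD_PKT, sizeof GOOD_PKT, 1, &r);
    printf("good packet: %d response(s), first=\"%s\"\n", n, n > 0 ? r[0] : "");
    free_responses(r, n > 0 ? (uint32_t)n : 0);
    n = parse_info_response(EVIL_PKT, sizeof EVIL_PKT, 1, &r);
    printf("evil packet rejected: %d\n", n == -1);
    return 0;
}
```

The point of the ordering is the one the advisory's patches make: the count has to be validated before anything is sized from it, and comparing it with the number of prompts actually sent makes the cap a backstop rather than the only line of defence.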