[vox-tech] more on the remote ssh exploit
Peter Jay Salzman
vox-tech@lists.lugod.org
Fri, 30 Nov 2001 10:08:55 -0800
----- Forwarded message from Christian Jaeger <christian.jaeger@sl.ethz.ch> -----
Date: Fri, 30 Nov 2001 18:06:46 +0100
To: Dave Sherohman <esper@sherohman.org>,
Debian-User <debian-user@lists.debian.org>
From: Christian Jaeger <christian.jaeger@sl.ethz.ch>
Subject: Re: ssh exploit?
X-Mailing-List: <debian-user@lists.debian.org> archive/latest/183598
At 9:43 Uhr -0600 30.11.2001, Dave Sherohman wrote:
>Heard a rumor on the local LUG mailing list this morning about a
>remote root exploit in sshd. Nothing resembling details was
>presented, just a link to the openssh-unix-dev mailing list archive:
>
>http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=100696253318793&w=2
>
>Anybody know anything of substance about it? Assuming it's real, are
>current debian versions affected? (I assume so, but don't have the
>exploit code to test it.)
The reply to the message from the given url indicates that the
exploit is using "the old bug in deattack.c".
A little research gave me:
<http://www.openssh.org/security.html>
* OpenSSH 2.3.0 and newer are not vulnerable to the "Feb 8, 2001:
SSH-1 Daemon CRC32 Compensation Attack Detector Vulnerability", RAZOR
Bindview Advisory CAN-2001-0144. A buffer overflow in the CRC32
compensation attack detector can lead to remote root access. This
problem has been fixed in OpenSSH 2.3.0. However, versions prior to
2.3.0 are vulnerable.
</openssh.org>
<http://razor.bindview.com/publish/advisories/adv_ssh1crc.html>
Issue Date: February 8, 2001
Remotely exploitable vulnerability condition exists in most ssh daemon
installations (F-SECURE, OpenSSH, SSH from ssh.com, OSSH).
Vulnerable:
OpenSSH prior to 2.3.0 (unless SSH protocol 1 support is disabled)
Not vulnerable:
OpenSSH 2.3.0 (problem fixed)
Overview:
An integer-overflow problem is present in common code of recent ssh
daemons, deattack.c, which was developed by CORE SDI to protect
against cryptographic attacks on SSH protocol.
Impact:
Insufficient range control calculations (16-bit unsigned variable is
used instead of 32-bit, which causes integer overflow) in the
detect_attack() function leads to table index overflow bug. This
effectively allows an attacker to overwrite arbitrary portions of
memory. The altered memory locations affect code that is executed by
the daemon with uid 0, and this can be leveraged to obtain general
root access to the system.
To reproduce this condition, run your sshd server on localhost under
gdb with '-d' switch (to avoid forking). Then try (using OpenSSH
client - ssh.com client software crops the login name):
$ ssh -v -l `perl -e '{print "A"x88000}'` localhost
</razor.bindview.com>
(I have tested the above (though without gdb/-d mode) and it doesn't
seem to be a problem.)
There has been a security fix for potato in february, with the
following in the patch:
--- openssh-1.2.3.orig/deattack.c
+++ openssh-1.2.3/deattack.c
@@ -84,7 +84,7 @@
detect_attack(unsigned char *buf, u_int32_t len, unsigned char *IV)
{
static u_int16_t *h = (u_int16_t *) NULL;
- static u_int16_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
+ static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
register u_int32_t i, j;
u_int32_t l;
register unsigned char *c;
When looking at the source of openssh-2.9p2 as used in woody/sid, I
see the following code in deattack.c:
int
detect_attack(u_char *buf, u_int32_t len, u_char *IV)
{
static u_int16_t *h = (u_int16_t *) NULL;
static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
register u_int32_t i, j;
u_int32_t l;
register u_char *c;
u_char *d;
This is in the openssh_2.9p2.orig.tar.gz, not the patch. So it seems
the problem is already fixed in the original openssh-2.9p2, not only
openssh-3.0. I've verified that it's the same in the openssh-2.9p2
from a openssh.org software mirror.
My conclusions:
- ssh versions in potato/woody/sid are not vulnerable (assuming that
the exploit really uses the deattack problem)
- Information on both www.openssh.org and razor.bindview.com (see
url's above) is not correct about the version in which the
vulnerability was closed.
christian.
----- End forwarded message -----
--
PGP Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D
PGP Public Key: finger p@dirac.org