l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
August 5: Social gathering
Next Installfest:
TBD
Latest News:
Jul. 4: July, August and September: Security, Photography and Programming for Kids
Page last updated:
2001 Dec 30 17:13

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
[vox-tech] more on the remote ssh exploit
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[vox-tech] more on the remote ssh exploit



----- Forwarded message from Christian Jaeger <christian.jaeger@sl.ethz.ch> -----

Date: Fri, 30 Nov 2001 18:06:46 +0100
To: Dave Sherohman <esper@sherohman.org>,
        Debian-User <debian-user@lists.debian.org>
From: Christian Jaeger <christian.jaeger@sl.ethz.ch>
Subject: Re: ssh exploit?
X-Mailing-List: <debian-user@lists.debian.org> archive/latest/183598

At 9:43 Uhr -0600 30.11.2001, Dave Sherohman wrote:
>Heard a rumor on the local LUG mailing list this morning about a
>remote root exploit in sshd.  Nothing resembling details was
>presented, just a link to the openssh-unix-dev mailing list archive:
>
>http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=100696253318793&w=2
>
>Anybody know anything of substance about it?  Assuming it's real, are
>current debian versions affected?  (I assume so, but don't have the
>exploit code to test it.)

The reply to the message from the given url indicates that the 
exploit is using "the old bug in deattack.c".

A little research gave me:

<http://www.openssh.org/security.html>
* OpenSSH 2.3.0 and newer are not vulnerable to the "Feb 8, 2001: 
SSH-1 Daemon CRC32 Compensation Attack Detector Vulnerability", RAZOR 
Bindview Advisory CAN-2001-0144. A buffer overflow in the CRC32 
compensation attack detector can lead to remote root access. This 
problem has been fixed in OpenSSH 2.3.0. However, versions prior to 
2.3.0 are vulnerable.
</openssh.org>

<http://razor.bindview.com/publish/advisories/adv_ssh1crc.html>
Issue Date: February 8, 2001
Remotely exploitable vulnerability condition exists in most ssh daemon
  installations (F-SECURE, OpenSSH, SSH from ssh.com, OSSH).
Vulnerable:
 OpenSSH prior to 2.3.0 (unless SSH protocol 1 support is disabled)
Not vulnerable:
 OpenSSH 2.3.0 (problem fixed)

Overview:

An integer-overflow problem is present in common code of recent ssh 
daemons, deattack.c, which was developed by CORE SDI to protect 
against cryptographic attacks on SSH protocol.

Impact:

Insufficient range control calculations (16-bit unsigned variable is 
used instead of 32-bit, which causes integer overflow) in the 
detect_attack() function leads to table index overflow bug. This 
effectively allows an attacker to overwrite arbitrary portions of 
memory. The altered memory locations affect code that is executed by 
the daemon with uid 0, and this can be leveraged to obtain general 
root access to the system.


To reproduce this condition, run your sshd server on localhost under 
gdb with '-d' switch (to avoid forking). Then try (using OpenSSH 
client - ssh.com client software crops the login name):

$ ssh -v -l `perl -e '{print "A"x88000}'` localhost

</razor.bindview.com>

(I have tested the above (though without gdb/-d mode) and it doesn't 
seem to be a problem.)


There has been a security fix for potato in february, with the 
following in the patch:
--- openssh-1.2.3.orig/deattack.c
+++ openssh-1.2.3/deattack.c
@@ -84,7 +84,7 @@
 detect_attack(unsigned char *buf, u_int32_t len, unsigned char *IV)
 {
        static u_int16_t *h = (u_int16_t *) NULL;
-       static u_int16_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
+       static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
        register u_int32_t i, j;
        u_int32_t l;
        register unsigned char *c;

When looking at the source of openssh-2.9p2 as used in woody/sid, I 
see the following code in deattack.c:
int
detect_attack(u_char *buf, u_int32_t len, u_char *IV)
{
	static u_int16_t *h = (u_int16_t *) NULL;
	static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
	register u_int32_t i, j;
	u_int32_t l;
	register u_char *c;
	u_char *d;

This is in the openssh_2.9p2.orig.tar.gz, not the patch. So it seems 
the problem is already fixed in the original openssh-2.9p2, not only 
openssh-3.0. I've verified that it's the same in the openssh-2.9p2 
from a openssh.org software mirror.


My conclusions:
- ssh versions in potato/woody/sid are not vulnerable (assuming that 
the exploit really uses the deattack problem)
- Information on both www.openssh.org and razor.bindview.com (see 
url's above) is not correct about the version in which the 
vulnerability was closed.

christian.

----- End forwarded message -----

-- 
PGP Fingerprint: B9F1 6CF3 47C4 7CD8 D33E  70A9 A3B9 1945 67EA 951D
PGP Public Key:  finger p@dirac.org
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech


LinkedIn
LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
facebook
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
O'Reilly and Associates
For numerous book donations.