more on the remote ssh exploit (fwd)

ME dugan at passwall.com
Fri Nov 30 10:33:54 PST 2001 

Message Part 2 of 2:

---------- Forwarded message ----------
Date: Fri, 30 Nov 2001 10:08:55 -0800
From: Peter Jay Salzman <p at dirac.org>
Reply-To: vox-tech at lists.lugod.org
To: vox-tech at lists.lugod.org
Subject: [vox-tech] more on the remote ssh exploit

----- Forwarded message from Christian Jaeger <christian.jaeger at sl.ethz.ch> -----

Date: Fri, 30 Nov 2001 18:06:46 +0100
To: Dave Sherohman <esper at sherohman.org>,
        Debian-User <debian-user at lists.debian.org>
From: Christian Jaeger <christian.jaeger at sl.ethz.ch>
Subject: Re: ssh exploit?
X-Mailing-List: <debian-user at lists.debian.org> archive/latest/183598

At 9:43 Uhr -0600 30.11.2001, Dave Sherohman wrote:
>Heard a rumor on the local LUG mailing list this morning about a
>remote root exploit in sshd.  Nothing resembling details was
>presented, just a link to the openssh-unix-dev mailing list archive:
>
>http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=100696253318793&w=2
>
>Anybody know anything of substance about it?  Assuming it's real, are
>current debian versions affected?  (I assume so, but don't have the
>exploit code to test it.)

The reply to the message from the given url indicates that the 
exploit is using "the old bug in deattack.c".

A little research gave me:

<http://www.openssh.org/security.html>
* OpenSSH 2.3.0 and newer are not vulnerable to the "Feb 8, 2001: 
SSH-1 Daemon CRC32 Compensation Attack Detector Vulnerability", RAZOR 
Bindview Advisory CAN-2001-0144. A buffer overflow in the CRC32 
compensation attack detector can lead to remote root access. This 
problem has been fixed in OpenSSH 2.3.0. However, versions prior to 
2.3.0 are vulnerable.
</openssh.org>

<http://razor.bindview.com/publish/advisories/adv_ssh1crc.html>
Issue Date: February 8, 2001
Remotely exploitable vulnerability condition exists in most ssh daemon
  installations (F-SECURE, OpenSSH, SSH from ssh.com, OSSH).
Vulnerable:
 OpenSSH prior to 2.3.0 (unless SSH protocol 1 support is disabled)
Not vulnerable:
 OpenSSH 2.3.0 (problem fixed)

Overview:

An integer-overflow problem is present in common code of recent ssh 
daemons, deattack.c, which was developed by CORE SDI to protect 
against cryptographic attacks on SSH protocol.

Impact:

Insufficient range control calculations (16-bit unsigned variable is 
used instead of 32-bit, which causes integer overflow) in the 
detect_attack() function leads to table index overflow bug. This 
effectively allows an attacker to overwrite arbitrary portions of 
memory. The altered memory locations affect code that is executed by 
the daemon with uid 0, and this can be leveraged to obtain general 
root access to the system.


To reproduce this condition, run your sshd server on localhost under 
gdb with '-d' switch (to avoid forking). Then try (using OpenSSH 
client - ssh.com client software crops the login name):

$ ssh -v -l `perl -e '{print "A"x88000}'` localhost

</razor.bindview.com>

(I have tested the above (though without gdb/-d mode) and it doesn't 
seem to be a problem.)


There has been a security fix for potato in february, with the 
following in the patch:
--- openssh-1.2.3.orig/deattack.c
+++ openssh-1.2.3/deattack.c
@@ -84,7 +84,7 @@
 detect_attack(unsigned char *buf, u_int32_t len, unsigned char *IV)
 {
        static u_int16_t *h = (u_int16_t *) NULL;
-       static u_int16_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
+       static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
        register u_int32_t i, j;
        u_int32_t l;
        register unsigned char *c;

When looking at the source of openssh-2.9p2 as used in woody/sid, I 
see the following code in deattack.c:
int
detect_attack(u_char *buf, u_int32_t len, u_char *IV)
{
	static u_int16_t *h = (u_int16_t *) NULL;
	static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
	register u_int32_t i, j;
	u_int32_t l;
	register u_char *c;
	u_char *d;

This is in the openssh_2.9p2.orig.tar.gz, not the patch. So it seems 
the problem is already fixed in the original openssh-2.9p2, not only 
openssh-3.0. I've verified that it's the same in the openssh-2.9p2 
from a openssh.org software mirror.


My conclusions:
- ssh versions in potato/woody/sid are not vulnerable (assuming that 
the exploit really uses the deattack problem)
- Information on both www.openssh.org and razor.bindview.com (see 
url's above) is not correct about the version in which the 
vulnerability was closed.

christian.

----- End forwarded message -----

-- 
PGP Fingerprint: B9F1 6CF3 47C4 7CD8 D33E  70A9 A3B9 1945 67EA 951D
PGP Public Key:  finger p at dirac.org
_______________________________________________
vox-tech mailing list
vox-tech at lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech

More information about the talk mailing list