5082254 2000-05-11  03:28  /182 lines/ Postmaster
Recipient: Bugtraq (import) <10816>
Subject: SSH Authentication Vulnerability
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
X-Sender: jpm@mail.sses.net
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-ID:  <4.1.20000510180858.03849420@mail.sses.net>
Date:         Wed, 10 May 2000 18:15:22 -0400
Reply-To: "John P. McNeely" <jmcneely@SSES.NET>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: "John P. McNeely" <jmcneely@SSES.NET>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

Sword & Shield Enterprise Security, Inc. - Security Advisory
www.sses.net, Copyright (c) 2000

Advisory:       Secure Shell Authentication Vulnerability
Release Date:   May 10, 2000
Application:    sshd
Severity:       High - A user (local or remote) can log into any account
                with a valid login shell.
Status:         Affected systems should install alternative version.
Archive:        The advisory sses-002-auth-vul.txt
                is available at ftp://ftp.sses.net/pub/security/advisories

SUMMARY
-------
A vulnerable secure shell distribution is available from the popular
Zedz Consultants FTP site (formerly known as replay.com). The
RedHat Linux RPM ssh-1.2.27-8i.src.rpm contains a PAM patch which
contains faulty logic allowing users to essentially pass through
the username/password authentication step and gain shell access.

It should be stressed that the ssh distribution 1.2.27-7us.rpm
and 1.2.27-7i.rpm available from the web site do not contain this
vulnerability. The vulnerable distribution (1.2.27-8i.src.rpm) is
located in the "incoming" directory at ftp://ftp.zedz.net/pub/
cryptoI/incoming (formerly pub/crypto/incoming). It is also
possible that the distribution could have been obtained from
the pub/crypto/redhat/unsorted directory.

Due to the obscure location of the vulnerable distribution
it is not known at this time how widespread the impact of
this vulnerability is.

The vulnerable distribution has been removed from the site and
should no longer be accessible.


DESCRIPTION
-----------
The vulnerable ssh distribution is patched with defective logic
related to PAM authentication. The offending code from the patch
file ssh-1.2.27-pam.patch is:

        +#ifdef HAVE_PAM
        +  {
        +     retval = origretval;
        +     pampasswd = xstrdup(password);
        +     if (retval == PAM_SUCCESS)
        +        retval = pam_authenticate ((pam_handle_t *)pamh, 0);
        +     if (retval == PAM_SUCCESS || retval == PAM_AUTH_ERR)
        +        retval = pam_acct_mgmt ((pam_handle_t *)pamh, 0);
        +     xfree(pampasswd);
        +  }
        +#else /* HAVE_PAM */
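Review bot: the second `if` is the defect: by also accepting `retval == PAM_AUTH_ERR` it calls `pam_acct_mgmt()` after a failed `pam_authenticate()`, and the account check's return value then replaces the authentication failure in `retval`. Only `PAM_SUCCESS` should reach `pam_acct_mgmt()`, i.e. `if (retval == PAM_SUCCESS)`, or the `pam_authenticate()` result should be held in its own variable and checked before anything else is allowed to succeed.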

Note the last 'if' statement - in essence whether the
pam_authenticate() call is successful or not, the pam_acct_mgmt()
call is made overwriting the contents of retval. Assuming the
pam_acct_mgmt() call is successful, and it tends to be, then the
remaining patch code dealing with PAM authentication opens a session
with:

        +#ifdef HAVE_PAM
        +  {
        +    if (retval == PAM_SUCCESS)
        +      retval = pam_open_session ((pam_handle_t *)pamh, 0);
        +    return (retval == PAM_SUCCESS);
        +  }
        +#endif /* HAVE_PAM */
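Review bot: `return (retval == PAM_SUCCESS);` reports only the outcome of the last PAM call that ran, so this return is only as safe as every earlier assignment to `retval`; with the `PAM_AUTH_ERR` branch in the preceding hunk, a failed `pam_authenticate()` has already been masked by `pam_acct_mgmt()` by the time control reaches here. Returning the saved `pam_authenticate()` result AND-ed with the account and session results, rather than one overwritten `retval`, would make the final decision independent of which call happened to run last.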


By running the patch command patch -p0 -b < ssh-1.2.27-pam.patch we
get,

patching file `ssh-1.2.27/acconfig.h'
patching file `ssh-1.2.27/auth-passwd.c'
patching file `ssh-1.2.27/config.h.in'
patching file `ssh-1.2.27/configure.in'
patching file `ssh-1.2.27/sshd.c'

The faulty PAM authentication logic is then inserted into the
auth_password() function in the auth-passwd.c file at lines
745-755 and 879-885.


IMPACT
------
The impact of this bug can be quite severe.

On systems where the /etc/ssh/sshd_config file contains
'PermitRootLogin=yes' the effect is that any remote or
local user can obtain root access by specifying a root
login and entering a non-null password.

For example, if a system (pigpen) configured with the vulnerable ssh
server package has a valid user account (joe) then the command:

% ssh -l joe pigpen
joe@pigpen's password: 123 <--- sshd prompts for password, enter '123'.
...                        <--- faulty authentication check performed
[joe@pigpen]$              <--- user shell accessed

Checking the syslogs also reveals signs of the problem:

1- May  8 13:12:50 pigpen sshd[13422]: connect from 10.10.10.10
2- May  8 13:12:50 pigpen sshd[13422]: log: Connection from 10.10.10.10
   port 1209
3- May  8 13:12:52 pigpen PAM_pwdb[13422]: authentication failure;
   (uid=0) -> joe for ssh service
4- May  8 13:12:53 pigpen PAM_pwdb[13422]: (ssh) session opened for user joe
   by (uid=0)
5- May  8 13:12:53 pigpen sshd[13422]: log: Password authentication for joe
   accepted.


Note the authentication failure recorded by PAM on line 3, but lines
4-5 show the session being opened.

It is important to note a few things here:

1) Even if an account is password locked, if it contains a valid shell
   the account can be accessed.

2) Site specific user accounts are not necessary for searching out vulnerable
   systems when standard Linux distribution/package accounts like 'gdm',
   'postgres', or 'mysql' will do.


This vulnerable SSH RPM has been available since March 1, 2000.


RESOLUTION
----------

De-install: If your ssh installation is vulnerable, you should remove
the vulnerable version and install version 1.2.27-7us.

Use OpenSSH: Another alternative to consider is switching over to
openssh available from http://www.openssh.com.


AFFECTED VERSIONS and SYSTEMS
-----------------------------

RedHat Linux, RPM ssh-1.2.27-8i.src.rpm.

ACKNOWLEDGEMENTS
----------------
The bug discovery, test, demonstration, vendor coordination,
and advisory generation are the results of SSES, Inc. security engineers
John McNeely and Dennis Edmonds.

Thanks to Alex De Joode at Zedz Consultants for a quick response and
removal of the vulnerable distribution.

DISCLAIMER
----------
Although SSES, Inc. intends to provide accurate information, this
advisory does not claim to be complete or usable for any purpose.

NO WARRANTY
-----------
This advisory is provided on an "as is" basis. SSES, Inc. makes no
warranties of any kind, either expressed or implied as to any matter
including, but not limited to, warranty of fitness for a particular
purpose or merchantability, exclusivity or results obtained from use
of the material. SSES, Inc. does not make any warranty of any kind
with respect to freedom from patent, trademark, or copyright infringement.

The supplied advisory is not to be used for malicious purposes and
should be used for informational purposes only.
(5082254) ------------------------------------------(Rewrapped)
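
The syslog excerpt in the advisory is itself a usable detection signature: PAM records an authentication failure for a process id, and the same pid then opens a session. The following scanner is an added example, written for this archive and not taken from the advisory or from the ssh package; it correlates sshd and PAM_pwdb entries by the bracketed pid and flags the failure-then-session sequence. The log lines are constructed to mirror the advisory's sample (pid 13422), plus one normal login and one failed login that is simply closed, so the two benign patterns are shown not to trigger.

```c
/* Added example, not part of the advisory: correlate the PAM and sshd
 * syslog entries by process id. The advisory's sample log shows a
 * "PAM_pwdb[pid]: authentication failure" followed by a "session opened"
 * and "Password authentication ... accepted" for the same pid; this
 * scanner flags that sequence once per pid. The sample lines below are
 * constructed, modelled on the advisory's excerpt. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PIDS 64

/* Per-pid state: have we seen a PAM failure, and did a session open after it? */
struct pid_state {
    long pid;
    int auth_failed;
    int opened_after_failure;
};

/* Pull the pid out of "sshd[13422]:" or "PAM_pwdb[13422]:"; -1 if absent. */
long extract_pid(const char *line)
{
    const char *lb = strchr(line, '[');
    char *end;
    long pid;
    if (lb == NULL)
        return -1;
    pid = strtol(lb + 1, &end, 10);
    if (end == lb + 1 || *end != ']')
        return -1;
    return pid;
}

/* Find the state record for a pid, creating it on first sight. */
static struct pid_state *lookup(struct pid_state *tbl, int *n, long pid)
{
    int i;
    for (i = 0; i < *n; i++)
        if (tbl[i].pid == pid)
            return &tbl[i];
    if (*n >= MAX_PIDS)
        return NULL;
    tbl[*n].pid = pid;
    tbl[*n].auth_failed = 0;
    tbl[*n].opened_after_failure = 0;
    return &tbl[(*n)++];
}

/* Returns how many pids opened a session (or had a password accepted)
 * after PAM had already logged an authentication failure for them. */
int count_masked_failures(const char *const *lines, int nlines)
{
    struct pid_state tbl[MAX_PIDS];
    int n = 0, hits = 0, i;
    for (i = 0; i < nlines; i++) {
        long pid = extract_pid(lines[i]);
        struct pid_state *st;
        if (pid < 0 || (st = lookup(tbl, &n, pid)) == NULL)
            continue;
        if (strstr(lines[i], "PAM_pwdb") &&
            strstr(lines[i], "authentication failure")) {
            st->auth_failed = 1;
        } else if (st->auth_failed && !st->opened_after_failure &&
                   (strstr(lines[i], "session opened for user") ||
                    (strstr(lines[i], "Password authentication for") &&
                     strstr(lines[i], "accepted")))) {
            st->opened_after_failure = 1;
            hits++;
            printf("ALERT pid %ld: session opened after PAM authentication failure\n", pid);
        }
    }
    return hits;
}

/* Constructed sample: pid 13422 mirrors the advisory, pid 13500 is a
 * normal login with no failure, pid 13600 fails and is then closed. */
static const char *const SAMPLE[] = {
    "May  8 13:12:50 pigpen sshd[13422]: connect from 10.10.10.10",
    "May  8 13:12:50 pigpen sshd[13422]: log: Connection from 10.10.10.10 port 1209",
    "May  8 13:12:52 pigpen PAM_pwdb[13422]: authentication failure; (uid=0) -> joe for ssh service",
    "May  8 13:12:53 pigpen PAM_pwdb[13422]: (ssh) session opened for user joe by (uid=0)",
    "May  8 13:12:53 pigpen sshd[13422]: log: Password authentication for joe accepted.",
    "May  8 13:14:02 pigpen PAM_pwdb[13500]: (ssh) session opened for user ann by (uid=0)",
    "May  8 13:14:02 pigpen sshd[13500]: log: Password authentication for ann accepted.",
    "May  8 13:15:10 pigpen PAM_pwdb[13600]: authentication failure; (uid=0) -> bob for ssh service",
    "May  8 13:15:10 pigpen sshd[13600]: log: Connection closed.",
};

/* Run the scanner over the constructed sample; expected result is 1. */
int scan_sample(void)
{
    return count_masked_failures(SAMPLE, (int)(sizeof SAMPLE / sizeof SAMPLE[0]));
}

int main(void)
{
    printf("%d suspicious login(s)\n", scan_sample());
    return 0;
}
```

The pid is the only field shared between the sshd and PAM_pwdb lines, which is why the scanner keys on it rather than on the username; a real deployment would feed it syslog lines as they arrive and age out pids once the connection closes.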

5094820 2000-05-15  09:23  /96 lines/ Postmaster
Recipient: Bugtraq (import) <10846>
Subject: Re: [cert] SSH Authentication Vulnerability
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
X-Sender: raoul@crabcake.kendall.akamai.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.LNX.4.04.10005110831180.13595-100000@crabcake.kendall.akamai.com>
Date:         Thu, 11 May 2000 08:41:19 -0400
Reply-To: Ignacio Kadel-Garcia <raoul@AKAMAI.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Ignacio Kadel-Garcia <raoul@AKAMAI.COM>
X-To:         "John P. McNeely" <jmcneely@SSES.NET>
X-cc:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <4.1.20000510180858.03849420@mail.sses.net>

On Wed, 10 May 2000, John P. McNeely wrote:

> Date: Wed, 10 May 2000 18:15:22 -0400
> From: John P. McNeely <jmcneely@SSES.NET>
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: [cert] SSH Authentication Vulnerability
>
> Sword & Shield Enterprise Security, Inc. - Security Advisory
> www.sses.net, Copyright (c) 2000
>
> Advisory:       Secure Shell Authentication Vulnerability
> Release Date:   May 10, 2000
> Application:    sshd
> Severity:       High - A user (local or remote) can log into any account
>                 with a valid login shell.
> Status:         Affected systems should install alternative version.
> Archive:        The advisory sses-002-auth-vul.txt
>                 is available at ftp://ftp.sses.net/pub/security/advisories

GACK! This is scary.

> DESCRIPTION
> -----------
> The vulnerable ssh distribution is patched with defective logic
> related to PAM authentication. The offending code from the patch
> file ssh-1.2.27-pam.patch is:
>
>         +#ifdef HAVE_PAM
>         +  {
>         +     retval = origretval;
>         +     pampasswd = xstrdup(password);
>         +     if (retval == PAM_SUCCESS)
>         +        retval = pam_authenticate ((pam_handle_t *)pamh, 0);
>         +     if (retval == PAM_SUCCESS || retval == PAM_AUTH_ERR)
>         +        retval = pam_acct_mgmt ((pam_handle_t *)pamh, 0);
>         +     xfree(pampasswd);
>         +  }
>         +#else /* HAVE_PAM */
>
> Note the last 'if' statement - in essence whether the pam_authenticate()
> call is successful or not, the pam_acct_mgmt() call is made overwriting
> the contents of retval. Assuming the pam_acct_mgmt() call is
> successful, and it tends to be, then the remaining patch code dealing
> with PAM authentication opens a session with:

In plainer English, it should read and reads in other ssh SRPM
distributions:

           +#ifdef HAVE_PAM
           +  {
           +     retval = origretval;
           +     pampasswd = xstrdup(password);
           +     if (retval == PAM_SUCCESS)
           +        retval = pam_authenticate ((pam_handle_t *)pamh, 0);
           +     if (retval == PAM_SUCCESS)
           +        retval = pam_acct_mgmt ((pam_handle_t *)pamh, 0);
           +     xfree(pampasswd);
           +  }
           +#else /* HAVE_PAM */
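Review bot: this is the correct gate: `pam_acct_mgmt()` runs only when `pam_authenticate()` returned `PAM_SUCCESS`, so a `PAM_AUTH_ERR` result stays in `retval` until the later `return (retval == PAM_SUCCESS)`. A short comment above `if (retval == PAM_SUCCESS)` saying the test must remain a strict equality would help, since the `|| retval == PAM_AUTH_ERR` variant of this same line is exactly the defect the advisory describes.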


This problem does not exist in the very nice Riggs distribution available
at:
	ftp://ftp.linuxppc.org/contrib/sources/Applications/Internet/ssh-1.2.27-7a_i_riggs.src.rpm
	ftp://ftp.linuxppc.org/contrib/sources/Applications/Internet/ssh-1.2.27-7a_us_riggs.src.rpm

I can recommend it: it's got a very useful patch for logging the tags
from the incoming SSH keys for easier logging of who the midnight root
user was on a shared system, and it's got a nice interactive session
performance patch for X-windows and terminal sessions (involving
TCPNODELAY settings).

I'm very concerned about how and when this modified
ssh-1.2.27-pam.patch was introduced into the ssh SRPM's. Just how far
back did it appear in SSH distributions for RedHat?

Nico Kadel-Garcia		Office:		(617) 250-3693
Senior Systems Engineer		CellPhone:	(617) 840-0199
				Pager:		(877) 680-3843
				Email:		raoul@akamai.com
(5094820) ------------------------------------------(Rewrapped)
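
To make the difference between the two patch versions concrete, here is an added example (written for this archive, not code from the advisory, the reply, or the ssh package) that runs the vulnerable call chain and the corrected one side by side against a simulated libpam. The PAM result codes are defined locally with Linux-PAM's values so the program builds without a PAM stack; sim_pam_* and struct sim_pam are assumed stand-in names, not the real pam_* API, and the caller's origretval is assumed to be PAM_SUCCESS. It goes slightly beyond the advisory by enumerating every combination of four result codes for pam_authenticate() and pam_acct_mgmt() and reporting where the two chains disagree.

```c
/* Added example, not code from the advisory or the SSH package: the
 * vulnerable PAM call chain (ssh-1.2.27-8i) and the corrected chain
 * (other SRPMs) run against a simulated libpam. Result codes carry
 * Linux-PAM's values but are defined here so no PAM headers are needed;
 * sim_pam_* are stand-ins that return whatever the caller scripts.
 * origretval is assumed to be PAM_SUCCESS. */
#include <stdio.h>

#define PAM_SUCCESS        0
#define PAM_AUTH_ERR       7   /* the code a wrong password produces */
#define PAM_USER_UNKNOWN  10
#define PAM_ACCT_EXPIRED  13

/* Scripted results standing in for a pam_handle_t. */
struct sim_pam {
    int authenticate_result;
    int acct_mgmt_result;
    int open_session_result;
};

static int sim_pam_authenticate(const struct sim_pam *h) { return h->authenticate_result; }
static int sim_pam_acct_mgmt(const struct sim_pam *h)    { return h->acct_mgmt_result; }
static int sim_pam_open_session(const struct sim_pam *h) { return h->open_session_result; }

/* Chain from ssh-1.2.27-8i: pam_acct_mgmt() also runs on PAM_AUTH_ERR and
 * its result replaces the authentication failure in retval.
 * Returns 1 if a session would be opened. */
int auth_chain_vulnerable(const struct sim_pam *h)
{
    int retval = PAM_SUCCESS;                              /* origretval (assumed) */
    if (retval == PAM_SUCCESS)
        retval = sim_pam_authenticate(h);
    if (retval == PAM_SUCCESS || retval == PAM_AUTH_ERR)   /* the defect */
        retval = sim_pam_acct_mgmt(h);
    if (retval == PAM_SUCCESS)
        retval = sim_pam_open_session(h);
    return retval == PAM_SUCCESS;
}

/* Chain as it reads in the other SRPMs: only PAM_SUCCESS proceeds. */
int auth_chain_fixed(const struct sim_pam *h)
{
    int retval = PAM_SUCCESS;                              /* origretval (assumed) */
    if (retval == PAM_SUCCESS)
        retval = sim_pam_authenticate(h);
    if (retval == PAM_SUCCESS)
        retval = sim_pam_acct_mgmt(h);
    if (retval == PAM_SUCCESS)
        retval = sim_pam_open_session(h);
    return retval == PAM_SUCCESS;
}

/* Convenience wrappers: decide for a given authenticate/acct_mgmt pair,
 * with the session open always succeeding. */
int vulnerable_decision(int auth, int acct)
{
    struct sim_pam h = { auth, acct, PAM_SUCCESS };
    return auth_chain_vulnerable(&h);
}

int fixed_decision(int auth, int acct)
{
    struct sim_pam h = { auth, acct, PAM_SUCCESS };
    return auth_chain_fixed(&h);
}

/* Enumerate every combination of the four codes for authenticate and
 * acct_mgmt and count the cases where the two chains disagree. */
int count_divergent_cases(void)
{
    static const int codes[] = { PAM_SUCCESS, PAM_AUTH_ERR, PAM_USER_UNKNOWN, PAM_ACCT_EXPIRED };
    int n = (int)(sizeof codes / sizeof codes[0]);
    int i, j, divergent = 0;
    for (i = 0; i < n; i++) {
        for (j = 0; j < n; j++) {
            int v = vulnerable_decision(codes[i], codes[j]);
            int f = fixed_decision(codes[i], codes[j]);
            if (v != f) {
                divergent++;
                printf("authenticate=%d acct_mgmt=%d: vulnerable=%d fixed=%d\n",
                       codes[i], codes[j], v, f);
            }
        }
    }
    return divergent;
}

int main(void)
{
    printf("%d divergent case(s)\n", count_divergent_cases());
    return 0;
}
```

The enumeration shows that the two chains differ in exactly one case: pam_authenticate() returns PAM_AUTH_ERR and pam_acct_mgmt() returns PAM_SUCCESS, which is the wrong-password-on-a-valid-account situation the advisory describes. Any other failure code from pam_authenticate() is rejected by both chains, because the defective test only rescues PAM_AUTH_ERR.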