8316000 2002-04-19 22:42 +0000 /29 lines/ Marcell Fodor <m.fodor@mail.datanet.hu>
Sent by: joel@lysator.liu.se
Imported: 2002-04-20 04:19 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <21976>
Subject: OpenSSH 2.2.0 - 3.1.0 server contains a locally exploitable buffer overflow
------------------------------------------------------------
From: Marcell Fodor <m.fodor@mail.datanet.hu>
To: bugtraq@securityfocus.com
Message-ID: <20020419224251.1438.qmail@mail.securityfocus.com>
effect:
local root
vulnerable services:
-pass Kerberos IV TGT
-pass AFS Token
bug details:
radix.c
GETSTRING macro in radix_to_creds
function may cause buffer overflow.
affected buffers:
creds->service
creds->instance
creds->realm
creds->pinst
exploit code here: mantra.freeweb.hu
(8316000) /Marcell Fodor <m.fodor@mail.datanet.hu>/-
8326001 2002-04-20 23:39 -0400 /103 lines/ Niels Provos <provos@citi.umich.edu>
Sent by: joel@lysator.liu.se
Imported: 2002-04-22 17:40 by Brevbäraren
External recipient: openssh-unix-dev@mindrot.org
Recipient: Bugtraq (import) <21993>
Subject: OpenSSH Security Advisory (adv.token)
------------------------------------------------------------
From: Niels Provos <provos@citi.umich.edu>
To: openssh-unix-dev@mindrot.org
Message-ID: <20020421033931.GZ5594@citi.citi.umich.edu>
A buffer overflow exists in OpenSSH's sshd if sshd has been compiled
with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing
has been enabled in the sshd_config file. Ticket and token passing
is not enabled by default.
1. Systems affected:
All Versions of OpenSSH compiled with AFS/Kerberos support
and ticket/token passing enabled contain a buffer overflow.
Ticket/Token passing is disabled by default and available
only in protocol version 1.
2. Impact:
Remote users may gain privileged access for OpenSSH < 2.9.9
Local users may gain privileged access for OpenSSH < 3.3
No privileged access is possible for OpenSSH with
UsePrivsep enabled.
3. Solution:
Apply the following patch and replace radix.c with
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/radix.c?rev=1.18
4. Credits:
kurt@seifried.org for notifying the OpenSSH team.
http://mantra.freeweb.hu/
Appendix:
Index: bufaux.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/bufaux.c,v
retrieving revision 1.24
diff -u -r1.24 bufaux.c
--- bufaux.c 26 Mar 2002 15:23:40 -0000 1.24
+++ bufaux.c 19 Apr 2002 12:55:29 -0000
@@ -137,10 +137,18 @@
BN_bin2bn(bin, len, value);
xfree(bin);
}
-
/*
- * Returns an integer from the buffer (4 bytes, msb first).
+ * Returns integers from the buffer (msb first).
*/
+
+u_short
+buffer_get_short(Buffer *buffer)
+{
+ u_char buf[2];
+ buffer_get(buffer, (char *) buf, 2);
+ return GET_16BIT(buf);
+}
+
u_int
buffer_get_int(Buffer *buffer)
{
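Review bot: the merged doc comment above buffer_get_short no longer states the width of either accessor (the old comment said "4 bytes"), so a reader of buffer_get_short cannot see from the comment that it consumes exactly two bytes; suggest a per-function note such as `/* 2 bytes, msb first */` above buffer_get_short and the original wording kept above buffer_get_int. Minor: the blank line removed before the comment block is simply re-added after it, which is churn in an otherwise small hunk.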
@@ -158,8 +166,16 @@
}
/*
- * Stores an integer in the buffer in 4 bytes, msb first.
+ * Stores integers in the buffer, msb first.
*/
+void
+buffer_put_short(Buffer *buffer, u_short value)
+{
+ char buf[2];
+ PUT_16BIT(buf, value);
+ buffer_append(buffer, buf, 2);
+}
+
void
buffer_put_int(Buffer *buffer, u_int value)
{
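Review bot: buffer_put_short declares `char buf[2]` while its counterpart buffer_get_short in the previous hunk uses `u_char buf[2]`; make both u_char so PUT_16BIT and GET_16BIT operate on the same type and signed-char platforms behave identically in both directions. Also worth stating in the patch header: these hunks only add 16-bit accessors, nothing here touches radix_to_creds, so the advisory's instruction to replace radix.c with rev 1.18 is the part that actually removes the overflow and must not be skipped.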
Index: bufaux.h
===================================================================
RCS file: /cvs/src/usr.bin/ssh/bufaux.h,v
retrieving revision 1.17
diff -u -r1.17 bufaux.h
--- bufaux.h 18 Mar 2002 17:25:29 -0000 1.17
+++ bufaux.h 19 Apr 2002 12:55:56 -0000
@@ -23,6 +23,9 @@
void buffer_get_bignum(Buffer *, BIGNUM *);
void buffer_get_bignum2(Buffer *, BIGNUM *);
+u_short buffer_get_short(Buffer *);
+void buffer_put_short(Buffer *, u_short);
+
u_int buffer_get_int(Buffer *);
void buffer_put_int(Buffer *, u_int);
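Review bot: the two new prototypes have no caller anywhere in this patch; their consumer is the replacement radix.c referenced in section 3 of the advisory, so applying this diff alone compiles but leaves the vulnerable code in place. Consider shipping the radix.c change in the same patch, or at minimum noting the dependency next to the header hunk.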
(8326001) /Niels Provos <provos@citi.umich.edu>/(Rewrapped)
Comment in text 8326133 by Hedda (*click*)
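The first message attributes the overflow to an unchecked GETSTRING copy into the fixed-size creds fields, and the advisory's patch only adds 16-bit length accessors. The following is an added illustration, not code from OpenSSH or from either poster, of the bound that such a decoder needs: it assumes a hypothetical blob layout of 2-byte big-endian length followed by the string bytes, and rejects any field that would not fit its destination (including the NUL) or that runs past the end of the input.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical cursor over a serialized credential blob (not OpenSSH's Buffer). */
typedef struct { const uint8_t *p; size_t len; size_t off; } reader_t;

/* Read a 2-byte big-endian length, the way a buffer_get_short-style helper would. */
static int get_short(reader_t *r, uint16_t *out) {
    if (r->len - r->off < 2) return -1;            /* truncated input */
    *out = (uint16_t)((r->p[r->off] << 8) | r->p[r->off + 1]);
    r->off += 2;
    return 0;
}

/* Bounded replacement for an unchecked GETSTRING-style copy: the string must
 * fit in dst with room for the NUL, and must not exceed the remaining input. */
static int get_string_bounded(reader_t *r, char *dst, size_t dstsz) {
    uint16_t n;
    if (get_short(r, &n) < 0) return -1;
    if (n >= dstsz || n > r->len - r->off) return -1; /* the missing check */
    memcpy(dst, r->p + r->off, n);
    dst[n] = '\0';
    r->off += n;
    return 0;
}

/* Small fixed-size fields standing in for creds->service / creds->instance. */
#define FIELD 8
struct creds { char service[FIELD]; char instance[FIELD]; };

/* Parse both fields; 1 if both fit, 0 if the blob is rejected. */
int parse_creds(const uint8_t *blob, size_t len, struct creds *c) {
    reader_t r = { blob, len, 0 };
    if (get_string_bounded(&r, c->service, sizeof c->service) < 0) return 0;
    if (get_string_bounded(&r, c->instance, sizeof c->instance) < 0) return 0;
    return 1;
}

/* Convenience wrappers returning results by value for callers and tests. */
int blob_accepted(const uint8_t *blob, size_t len) {
    struct creds c; return parse_creds(blob, len, &c);
}
int service_is(const uint8_t *blob, size_t len, const char *want) {
    struct creds c; return parse_creds(blob, len, &c) && strcmp(c.service, want) == 0;
}

/* Constructed sample blobs (not real Kerberos/AFS data). */
static const uint8_t ok_blob[]    = { 0,4,'r','c','m','d', 0,3,'h','o','s' };
static const uint8_t long_blob[]  = { 0,12,'A','A','A','A','A','A','A','A','A','A','A','A', 0,1,'x' };
static const uint8_t short_blob[] = { 0,4,'r','c' };

int main(void) {
    printf("ok=%d long=%d short=%d\n", blob_accepted(ok_blob, sizeof ok_blob),
           blob_accepted(long_blob, sizeof long_blob), blob_accepted(short_blob, sizeof short_blob));
    return 0;
}
```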
8349028 2002-04-26 13:59 +0200 /46 lines/ Markus Friedl <markus@openbsd.org>
Sent by: joel@lysator.liu.se
Imported: 2002-04-26 15:53 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
Recipient: Bugtraq (import) <22077>
Subject: Revised OpenSSH Security Advisory (adv.token)
------------------------------------------------------------
From: Markus Friedl <markus@openbsd.org>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20020426115948.GA5635@folly>
This is the 2nd revision of the Advisory.
Buffer overflow in OpenSSH's sshd if AFS has been configured on the
system or if KerberosTgtPassing or AFSTokenPassing has been enabled
in the sshd_config file. Ticket and token passing is not enabled
by default.
1. Systems affected:
All Versions of OpenSSH with AFS/Kerberos token passing
compiled in and enabled (either in the system or in
sshd_config) contain a buffer overflow.
Token passing is disabled by default and only available in
protocol version 1.
2. Impact:
Remote users can get privileged access for OpenSSH < 2.9.9
Local users can get privileged access for OpenSSH < 3.2.1
No privileged access is possible for OpenSSH with
UsePrivilegeSeparation enabled.
3. Solution:
Apply the matching patch:
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-3.1-adv.token.patch
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.1p1-adv.token.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/024_sshafs.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/019_sshafs.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/001_sshafs.patch
4. Credits:
Marcell Fodor <m.fodor@mail.datanet.hu>
EOF
(8349028) /Markus Friedl <markus@openbsd.org>/(Rewrapped)