Date: Wed, 3 Jul 2002 01:40:54 GMT
From: Charles Hannum <[email protected]>
To: [email protected]Subject: Three problems in OpenSSH's ssh-keysign
[This is being posted to bugtraq in the interest of full disclosure.
Originally sent to [email protected].]
There are 3 problems we observed by inspection of OpenSSH's
ssh-keysign:
1) [Charles Hannum] Since no blinding is done on the RSA calculations,
ssh-keysign is effectively a fairly efficient oracle for mounting a
Kocher timing analysis attack on the host key(s).
(Using OAEP padding -- per recent versions of PKCS1 -- would not
only mitigate this better, but would also mitigate other RSA
attacks. Unfortunately, this would require a change in the
protocol.)
2) [Bill Sommerfeld] There is a use-after-free bug; see:
if (valid_request(pw, host, &key, data, dlen) < 0)
fatal("not a valid request");
xfree(data);
xfree(host);
...
if (key_sign(keys[i], &signature, &slen, data, dlen) != 0)
(This has already been fixed in the main OpenSSH tree.)
3) [Charles Hannum] The protection of host keys is not very good; to
wit:
key_fd[0] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
key_fd[1] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
seteuid(getuid());
setuid(getuid());
Although current BSD systems are safe (because they do not permit
PTRACE_ATTACH, et al, on processes that were ever set-id), this may
permit direct reading of the host keys by users on other systems.
Have a nice day.
