Date: Wed, 03 Jul 2002 20:21:56 +0100
From: Global InterSec Research <[email protected]>
To: [email protected]Subject: [Global InterSec 2002062801] OpenSSH challenge-response buffer overflow (Update)
Cc: [email protected]
Global InterSec LLC
http://www.globalintersec.com
GIS Advisory ID: 2002062801
Title: OpenSSH kbd-interactive buffer overflow
Changed: 07/03/2002
Author: [email protected]
Reference: http://www.globalintersec.com/adv/openssh-2002062801.txt
Summary:
OpenSSH, a popular server utility that provides encrypted connections
between hosts and is commonly used for administration and file transfer,
contains a integer overflow, resulting in a heap overflow that could
be exploited to execute arbitrary commands.
Impact:
A local user may be able to execute arbitrary commands as the user which
the OpenSSH daemon is running as prior to authentication.
This is normally root.
Versions Tested To Be Vulnerable:
OpenSSH versions prior to 3.4
Description:
It is the current belief of many that exploiting the recently disclosed
vulnerabilities in OpenSSH's challenge-response routines is reliant
upon a system's use of BSD's authentication mechanisms and therefore
restricts the platforms on which this vulnerability may be exploited.
This is almost certainly due to various advisories posted to various
fora by unnamed security companies.
Although it is widely known that all systems running versions of OpenSSH
prior to 3.4 are affected by this vulnerability, many vendors have deemed
their platforms invulnerable to exploitation.
In spite of this, our research has proven multiple platforms originally
thought to be invulnerable to attack to be vulnerable.
As reported by GOBBLES [1], systems running vulnerable binaries, built
with --with-bsd-auth at compile time are vulnerable to attack via
an integer overflow in the input_userauth_info_response() function.
Conversely, under Linux and other platforms using a vulnerable version
of OpenSSH compiled with --with-pam, the integer overflow lies in the
function input_userauth_info_response_pam().
In both cases, the final heap based buffer overflow is a result of the
integer overflow of unsigned int nresp, calculated from packet_get_int(),
the return value of packet_get_int being a client controlled integer.
Scope for attack:
- Because of the nature of the vulnerability, exploitation is possible
before
a user has authenticated with the remote host. This would potentially
allow
an attacker to remotely execute arbitrary commands as the UID of the
daemon
process, PRIOR TO AUTHENTICATION.
- To exploit the vulnerability described in the "Proof of concept"
section of
this advisory, the sshd binary must have been compiled with PAM support.
Work Around:
Global InterSec recommends the following settings be disabled within
sshd's configuration. This is normally located at /etc/ssh/sshd_config
PAMAuthenticationViaKBDInt no
KbdInteractiveAuthentication no
However, we strongly recommend that all vulnerable binaries are upgraded
as soon as possible. (See vendor solutions.)
Credit:
All information contained within this advisory was independently
researched by
Global InterSec's vulnerability team.
The original PUBLIC disclosure of this vulnerability was made by
Internet Security
Systems [3].
Vendor Solutions:
Since the original disclosure by ISS [3], vendors have released their own
advisories, with distribution specific fixes. A list of some of these
follows.
Mandrake Secure Linux:
http://www.mandrakesecure.net/en/advisories/2002/MDKSA-2002-040-1.php
SuSE Linix:
http://www.suse.de/de/support/security/2002_024_openssh_txt.html
EnGarde Secure Linux:
http://www.linuxsecurity.com/advisories/other_advisory-2177.html
Conectiva Linux:
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000502
Caldera Linux:
ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-030.0.txt
NetBSD:
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-005ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-005.txt.asc
Redhat:
http://rhn.redhat.com/errata/RHSA-2002-127.html
Exploitation / Proof of concept:
On certain distributions of linux, the evidence that this bug is exploitable
may be more apparent than others due to the %edx register being overwritten.
In either case, slightly more careful inspection confirms the possibility
that this vulnerability could be exploited when compiled --with-pam.
By examining an assembler dump of input_userauth_info_response_pam(), we
can
see that the (corrupted?) %edx has been loaded from 0x8080130, where
0x8080130
is the location of the context_pam2 structure.
0x80521f2
<input_userauth_info_response_pam+122>: mov 0x8080130,%edx
Note:
The above instruction to mov 0x8080130 into %edx occurs in preparation
for
the call to xfree() and after the call to wrapped strdup(); whilst the
debugger
back trace suggests that the xfree() [free()] was never called.
By allocating specific break points through out
input_userauth_info_response_pam()
and into the call to free(), it becomes apparent that the call to free()
could
be exploited:
Breakpoint 14, 0x0806c677 in xfree (ptr=0x808a380) at xmalloc.c:55
55 free(ptr);
(gdb) print 0x808a380
$24 = 134783872
(gdb) x/10x 0x808a380
0x808a380: 0x41414141 0x41414141 0x41414141 0x41414141
0x808a390: 0x41414141 0x41414141 0x41414141 0x41414141
0x808a3a0: 0x41414141 0x41414141
From here on, exploitation becomes trivial. For more information on
exploiting
calls to free() see the excellent Phrack article "Once upon a free()" [2].
References:
[1] GOBBLES Security -
http://www.immunitysec.com/GOBBLES/exploits/sshutup-theo.tar.gz
[2] Phrack Magazine - Once Upon a free() -
http://www.phrack.com/show.php?p=57&a=9
[3] ISS -
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584
Legal:
This advisory is the intellectual property of Global InterSec LLC but
may be
freely distributed with the conditions that:
a) No fee is charged
b) Appropriate credit is given.
(c) Global InterSec LLC 2002
