OpenBSD Journal

[OpenSSH] OpenSSH 3.1 vulnerability and patch

Contributed by Dengue on from the openssh dept.

jose nazario writes :
"Recently http://mantra.freeweb.hu/ noted that several versions, including the current SSHd, have a vulnerability in the Kerberos and AFS ticket passing. OpenSSH has a patch. From the email:"

From:    Niels Provos
To:      openssh-unix-dev@mindrot.org
Subject: OpenSSH Security Advisory (adv.token)
Date:    Sat, 20 Apr 2002 23:39:31 -0400

A buffer overflow exists in OpenSSH's sshd if sshd has been compiled
with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing
has been enabled in the sshd_config file.  Ticket and token passing
is not enabled by default.

1. Systems affected:

        All Versions of OpenSSH compiled with AFS/Kerberos support
        and ticket/token passing enabled contain a buffer overflow.

        Ticket/Token passing is disabled by default and available
        only in protocol version 1.

2. Impact:

        Remote users may gain privileged access for OpenSSH < 2.9.9

        Local users may gain privileged access for OpenSSH < 3.3

        No privileged access is possible for OpenSSH with
        UsePrivsep enabled.

3. Solution:

        Apply the following patch and replace radix.c with
        http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/radix.c?rev=1.18


4. Credits:

        kurt@seifried.org for notifying the OpenSSH team.
        http://mantra.freeweb.hu/


Appendix:

Index: bufaux.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/bufaux.c,v
retrieving revision 1.24
diff -u -r1.24 bufaux.c
--- bufaux.c    26 Mar 2002 15:23:40 -0000      1.24
+++ bufaux.c    19 Apr 2002 12:55:29 -0000
@@ -137,10 +137,18 @@
        BN_bin2bn(bin, len, value);
        xfree(bin);
 }
-
 /*
- * Returns an integer from the buffer (4 bytes, msb first).
+ * Returns integers from the buffer (msb first).
  */
+
+u_short
+buffer_get_short(Buffer *buffer)
+{
+       u_char buf[2];
+       buffer_get(buffer, (char *) buf, 2);
+       return GET_16BIT(buf);
+}
+
 u_int
 buffer_get_int(Buffer *buffer)
 {
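Review bot: the added blank `+` line between the rewritten comment block and the new `buffer_get_short` detaches the comment from the first function it documents; drop that line so `u_short buffer_get_short(Buffer *buffer)` follows the closing `*/` directly, the way `buffer_put_short` sits under its comment in the next hunk. Also, `buffer_get_short` relies on a `GET_16BIT` macro that this diff does not introduce and adds no include for, so confirm the macro is already visible in bufaux.c before merging.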
@@ -158,8 +166,16 @@
 }

 /*
- * Stores an integer in the buffer in 4 bytes, msb first.
+ * Stores integers in the buffer, msb first.
  */
+void
+buffer_put_short(Buffer *buffer, u_short value)
+{
+       char buf[2];
+       PUT_16BIT(buf, value);
+       buffer_append(buffer, buf, 2);
+}
+
 void
 buffer_put_int(Buffer *buffer, u_int value)
 {
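Review bot: `buffer_put_short` declares its scratch array as `char buf[2]` while `buffer_get_short` in the previous hunk uses `u_char buf[2]`; use one type for both so the two 16-bit helpers are symmetric, and `u_char` is the safer choice when a macro assembles or splits bytes. Note as well that these two hunks only add the 16-bit get/put helpers and change nothing in the ticket/token handling itself; the advisory's solution section says radix.c must be replaced with rev 1.18 separately, so applying the bufaux.c diff on its own does not close the overflow.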
Index: bufaux.h
===================================================================
RCS file: /cvs/src/usr.bin/ssh/bufaux.h,v
retrieving revision 1.17
diff -u -r1.17 bufaux.h
--- bufaux.h    18 Mar 2002 17:25:29 -0000      1.17
+++ bufaux.h    19 Apr 2002 12:55:56 -0000
@@ -23,6 +23,9 @@
 void   buffer_get_bignum(Buffer *, BIGNUM *);
 void   buffer_get_bignum2(Buffer *, BIGNUM *);

+u_short        buffer_get_short(Buffer *);
+void   buffer_put_short(Buffer *, u_short);
+
 u_int  buffer_get_int(Buffer *);
 void    buffer_put_int(Buffer *, u_int);

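Review bot: the new prototype lines `u_short        buffer_get_short(Buffer *);` and `void   buffer_put_short(Buffer *, u_short);` are padded differently from each other and from the neighbouring `buffer_get_int`/`buffer_put_int` declarations; align the return type and name columns the same way as the surrounding entries so the header keeps a single layout.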

Watch source-changes@ or errata.html for patch notices.
