OpenBSD Journal

a Revised OpenSSH Security Advisory

Contributed by Dengue on from the adv.token dept.

This is the 2nd revision of the Advisory. Thanks to Marcus@


Subject: Revised OpenSSH Security Advisory (adv.token)
   Date: Fri, 26 Apr 2002 14:00:43 +0200
   From: Markus Friedl
     To: dengue@deadly.org


This is the 2nd revision of the Advisory.

Buffer overflow in OpenSSH's sshd if AFS has been configured on the
system or if KerberosTgtPassing or AFSTokenPassing has been enabled
in the sshd_config file.  Ticket and token passing is not enabled
by default.

1. Systems affected:

        All Versions of OpenSSH with AFS/Kerberos token passing
        compiled in and enabled (either in the system or in
        sshd_config) contain a buffer overflow.

        Token passing is disabled by default and only available in
        protocol version 1.

2. Impact:

        Remote users can get privileged access for OpenSSH < 2.9.9

        Local users can get privileged access for OpenSSH < 3.2.1

        No privileged access is possible for OpenSSH with
        UsePrivilegeSeparation enabled.

3. Solution:

        Apply the matching patch:

        ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-3.1-adv.token.patch
        ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.1p1-adv.token.patch
        ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/024_sshafs.patch
        ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/019_sshafs.patch
        ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/001_sshafs.patch

4. Credits:

        Marcell Fodor


EOF
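The advisory reduces to a few sshd_config knobs plus a version threshold, so a defender can audit a host against it mechanically. The script below is an added example written for this page, not OpenSSH code or anything from the advisory; it assumes that where a directive is absent the 2002-era defaults described here apply (token passing off, privilege separation off, Protocol "2,1"), and that the caller supplies the sshd version.

```python
"""Added example (not OpenSSH code): audit an sshd_config for the adv.token
conditions.  Assumptions where a directive is absent: the 2002-era defaults
the advisory and thread describe, i.e. token passing off, privilege
separation off, and Protocol "2,1" (protocol 1 still offered)."""
import re

REMOTE_BELOW = (2, 9, 9)   # advisory: remote privileged access for OpenSSH < 2.9.9
LOCAL_BELOW = (3, 2, 1)    # advisory: local privileged access for OpenSSH < 3.2.1

_DIRECTIVE = re.compile(r"([A-Za-z0-9]+)\s*[=\s]\s*(\S.*)")


def parse_sshd_config(text):
    """Return {keyword_lowercase: value}.  Mirrors sshd's rule that the first
    occurrence of a keyword wins, so a later 'KerberosTgtPassing no' cannot
    undo an earlier 'yes' (a classic source of false confidence)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # sshd comments are whole lines
            continue
        m = _DIRECTIVE.match(line)
        if m:
            conf.setdefault(m.group(1).lower(), m.group(2).strip())
    return conf


def parse_version(s):
    """'3.1p1' -> (3, 1); '2.9.9' -> (2, 9, 9).  The portable 'pN' suffix is
    dropped because the advisory's thresholds are on the base release numbers."""
    m = re.match(r"(\d+(?:\.\d+)*)", s.strip())
    if not m:
        raise ValueError("unrecognised OpenSSH version: %r" % s)
    return tuple(int(p) for p in m.group(1).split("."))


def assess(config_text, version):
    """Map a config and sshd version onto the advisory's impact table."""
    conf = parse_sshd_config(config_text)

    def on(key):                     # absent directive == off (assumed default)
        return conf.get(key, "no").lower() in ("yes", "true")

    protocols = {p.strip() for p in conf.get("protocol", "2,1").split(",")}
    found = {
        "token_passing": on("kerberostgtpassing") or on("afstokenpassing"),
        "protocol1": "1" in protocols,
        "privsep": on("useprivilegeseparation"),
    }
    v = parse_version(version)
    if not found["token_passing"]:
        verdict = "not exposed via sshd_config (AFS configured on the host still counts; check it)"
    elif not found["protocol1"]:
        verdict = "not exposed: token passing is only reachable over protocol 1"
    elif found["privsep"]:
        verdict = "contained: UsePrivilegeSeparation prevents privileged access"
    elif v < REMOTE_BELOW:
        verdict = "VULNERABLE: remote privileged access (OpenSSH < 2.9.9), patch now"
    elif v < LOCAL_BELOW:
        verdict = "VULNERABLE: local privileged access (OpenSSH < 3.2.1), patch now"
    else:
        verdict = "patched release (>= 3.2.1)"
    found["verdict"] = verdict
    return found


# Constructed sample, not from any real host.  The trailing 'no' is a decoy:
# sshd honours the first KerberosTgtPassing line, so passing stays enabled.
SAMPLE_CONFIG = """\
# sshd_config (constructed)
Port 22
Protocol 2,1
KerberosTgtPassing yes
AFSTokenPassing no
UsePrivilegeSeparation no
KerberosTgtPassing no
"""

if __name__ == "__main__":
    for ver in ("2.9.8", "3.1p1", "3.2.1"):
        print(ver, assess(SAMPLE_CONFIG, ver)["verdict"])
    hardened = SAMPLE_CONFIG.replace("Protocol 2,1", "Protocol 2")
    print("3.1p1 hardened:", assess(hardened, "3.1p1")["verdict"])
```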



Comments
  1. By Anonymous Coward () on

  2. By Anonymous Coward () on

    Does anyone know if this is going into 3.1-stable
    and if not why?

    Comments
    1. By Anonymous Coward () on

      it's already there.

      Comments
      1. By Anonymous Coward () on

        So in a sense, does that mean snapshot is now equiv to 3.2-current?

      2. By Anonymous Coward () on

        Just double checked, radix.c on anoncvs.ca.openbsd
        and anoncvs3.usa.openbsd.org in OPENBSD_3_1 is unpatched.

        Comments
        1. By ciph3r () ciph3r@securebydefault.org on mailto:ciph3r@securebydefault.org

          OPENBSD_3_1 and OPENBSD_3_1 stable are not the same.
          OPENBSD_3_1 is the -release branch, and -stable is the patched branch.

          Comments
          1. By Anonymous Coward () on

            http://www.openbsd.org/faq/faq10.html#Patches

            OPENBSD_3_1 is 3.1-stable
            OPENBSD_3_1_BASE is 3.1-release

            the patch is missing

  3. By Anonymous Coward () on

    For crissake, put your heads together and harden OpenSSH to the point where it's usable. And while you're at it, get rid of that "message too long" showstopper with sftp.

    Comments
    1. By xs () xs on xs

      No problem in the default-config.
      Which dumbass would use "mode-1" ssh anyway.
      So please stop bitching around and better fix some bugs yourself.

    2. By Ben Lindstrom () mouring@eviladmin.org on mailto:mouring@eviladmin.org

      "message too long" tends to indicate either a password change or you have crap being displayed in your login files.

      As for 'hardening', if you used PrivSep (which is currently default off because it is still pretty new) then you get an added layer of protection since all critical code is run as a separate user.

      Besides, I doubt you're involved. Want to make a difference? Start auditing.

      - Ben

      Comments
      1. By person () on

        if the developers start a project they better be able to handle all of the problems and not expect U S E R S to have to audit the code. just because you think you are a computer genius doesn't mean everyone else wants to waste their time with the same thing as you.

        Comments
        1. By Anonymous Coward () on

          If you are so dissatisfied, then use something else!
          (www.ssh.com / www.microsoft.com or whatever)

          Or maybe pay for someone to do the job. You don't get everything for free.

          Comments
          1. By Cindy_Montreal () on

            You know, you are right. Why do people post messages like the ones you responded to? They are just wasting your time, my time, bandwidth, and other resources.

            One of the things I liked about OpenBSD was its user base. Yes, there are a few smegheads out there who use OpenBSD and never think how much hard work goes into it. No code is perfect, no software is perfect, unless you count the infamous "Hello, world". And I am sure that some smeghead out there could write a "hello, world" program with lots of security flaws in it.

            At work I have to deal with smeggers who burn databases on CD-ROMs, delete the server copy, give access to the CD-ROM copy to other end users, then phone the Help Center, open a ticket, claiming they no longer can change the data, modify the ACL, or import new data.

            I was thinking about end users most of the day. And in the end I realized the end user is the best thing computers ever invented. If it weren't for them, how many of us would be working? How many of us would be pushed to go beyond the point we are at? How many of us would even care about computers, technology and what it can or can not do? The end user is what makes computers great.

            So getting back to the end user who posted the message that started this thread, I only have this to say. 'Darren, go post your messages elsewhere.' ;)

            -- Cindy

            Comments
            1. By Ivan Wagner () wagner17@mandalore.com on mailto:wagner17@mandalore.com

              > I was thinking about end users most of the day. And in the end I realized the end users, is the best thing Computers ever invented.

              The funny thing is end users do NOT have the same opinion about us. We are just an annoyance who place unnecessary limitations on them for arbitrary reasons and non-business reasons.

              > So getting back to the end user who posted the message that started this thread, I only have this to say. 'Darren, go post your messages else where.' ;)

              Ouch! That's harsh.

            2. By Chris () on http://www.dejection.org.uk/

              > I was thinking about end users most of the day.
              > And in the end I realized the end users, is the
              > best thing Computers ever invented. If it
              > weren't for them, how many of us would be
              > working?

              Well we'd all be working doing something else because the computer industry wouldn't exist. Now personally I don't have a problem there because:

              - I'd be paid more
              - I'd be respected for the job I do rather than bitched at 24/7
              - I'd have some self worth rather than just down moments whilst solving problems with poor software.
              - I'd not be in the most overcompetitive hyped industry out there.
              - I'd still be playing computer games and having fun rather than hacking code...

              Yes the UK IT industry is that bad.

              Comments
              1. By Anonymous Coward () on

                excuse the formatting - it doesnt like the pre tags :P

        2. By Lars Hansson () on

          You're an idiot. That pretty much sums it up.
          But, to elaborate, in case you haven't noticed,
          no one is getting paid for this and no one is forcing
          you to use OpenSSH if you don't like it.
          It's not a commercial product, you haven't paid a damn
          penny for it so either stop whining and do something
          or just shut the hell up.

          Comments
          1. By Anonymous Coward () on

            WRONG, idiot. He paid $40 for a CD that bragged about being safe and secure and all those empty platitudes. It's great to have a safe default installation. But he, like most other OBSD users, wants to do something useful with it.

    3. By niekze () niekze@nothingkillsfaster.com on mailto:niekze@nothingkillsfaster.com

      (to mr. anonymous cowardon)
      Sure. No problem.

      (to the rest of you: why do you respond with such fury and anger to a post that was *obviously* a troll? Go outside people. Get some sunshine. Breathe in some fresh air. *Relax*. Some of you tell this person that no one is forcing him/her to use OpenSSH. My cable provider sucks, but I don't have to use it. Does that mean I cannot voice concerns about it? Of course not. Likewise, even if I get something at no cost, I can still voice concerns about whatever it is that I am getting. Down in this thread, Cindy_Montreal complains about how "they" are wasting our time, bandwidth etc. Yet, she agrees with the message she responded to that pretty much said: if you don't like it, you don't have to use it. Is that hypocrisy I smell? Why yes, it is! She doesn't have to read those posts. She can remove herself from such waste of time and bandwidth easily: don't use the internet. Of course, you could call me a hypocrite for bitching at the people who are bitching at the person bitching. But, like the original bitcher, you all have the right to bitch as well and I don't mean to imply otherwise. This person is just trying to upset you all. It seems this person has done *extremely* well. After the quite obvious comment that such a person does not have to use the idea/product/service that they bitch about, I find the 'martyr developers' line to usually follow. "They aren't getting paid," "their idea/product/service is free," and so on. No one is forcing the developers to do this for free. THE DEVELOPERS AREN'T NAILED TO THE CROSS EVERY TIME SOMEONE VOICES A NEGATIVE OPINION. They're (somewhat) normal people, just like the rest of us. But back to my original point, just relax. OpenSSH has flaws, as does any software project, and people will complain. The fact that it's free doesn't indemnify the developers against such criticism. Really, it is quite simple. Ignore the trolls and if someone asks a stupid question that you've answered nicely 5,000 times, answer it nicely for the 5,001st time or just don't answer. Of course, you can make an ass out of yourself and get very upset and yell and scream and kick the dog, but what does that accomplish besides raising your blood pressure? It's just software. Though this is *incredibly* off-topic, listen to my advice and simply *relax*. You'll find that everything isn't as serious as you previously thought and the trolls will eventually get bored. Plus, it's better for your health.)

      Comments
      1. By frisco () on http://www.blackant.net/

        to the rest of you: why do you respond with such fury and anger to a post that was *obviously* a troll? Go outside people

        responding to trolls lets me vent. if i didn't vent i'd end up yelling at my boss, my girlfriend, or my bartender and then i'd really be in trouble.

        the way i see it, i *love* the trolls. they keep me employed, laid, and getting free beers at the bar.

        -f

        Comments
        1. By Anonymous Coward () on

          what are these things you speak of.
          employed??
          laid??
          getting free beer?

          tell me more ;*(

      2. By mike () mike@sfobug.org on http://www.sfobug.org


        Good advice.


        -Mike
        --
        mike@sfobug.org
        San Francisco OpenBSD Users Group

    4. By Peter Hessler () spambox@theapt.org on http://www.sfobug.org

      Unusable? "message too long"? I use sftp every day, from [2.9|3.0]-release, [2.9|3.0]-stable, and -current boxen, and I have /never/ gotten a "message too long" error. I use ssh to connect to most of my machines (I sit at the console for the others), and I have had nothing but success with it. Yes, there are some security holes when you use brand new features/features that rely on an insecure protocol, but, DUH!

  4. By Anonymous Coward () on

    Four years without a remote hole in the default install!

    Marketing BULLSHIT!
    If now, why not more info.....

    Comments
    1. By Anonymous Coward () on

      How many default installs are running????
      (no edit of /etc files,..., not enabling more services,....)

      So yes I would also say it is marketing bullshit, the OpenBSD claim:
      "Four years without a remote hole in the default install!"

      If it is true at all, who knows
      (Theo didn't comment on a question regarding this on misc@ - so maybe he will not confirm that it is indeed false)

    2. By Anonymous Coward () on

      http://lists.debian.org/debian-security/2001/debian-security-200105/msg00127.html

    3. By Anonymous Coward () on

      http://www.guninski.com/openbsdrace.html
      has that been fixed in 3.0 and 3.1?????

      Comments
      1. By ThomasJ () on

        # Solution:
        # http://www.openbsd.org/errata.html#kernexec

        # Vendor status:
        # OpenBSD was informed on 9 June 2001

        So, yes.
        And BTW this is a LOCAL exploit.

        Comments
        1. By Anonymous Coward () on

          Just because OpenBSD was informed DOESN'T mean that it is fixed!

    4. By Anonymous Coward () on

      Default install is secure from remote root exploits.

      How much clearer do we have to be? Would you like someone to explain Remote a little more thoroughly? How about ROOT? What about Compile?

      At which point in the following scenario does my computer become vulnerable to a remote root exploit?
      -Install OpenBSD from CD.
      -configure internet connection.
      -Go to openbsd.org using lynx.
      -Look for security announcements.
      -Download necessary patches or the one uberpatch.
      -Install patches.
      - restart daemon or service
      Hard to understand for a novice but at NO time was I EVER vulnerable to a remote root exploit.

      That is just a huge relief to me especially compared to other operating systems I have to deal with in my lab.


      What kind of info do you want?
      - exploit found
      - notice given
      - download patch from openbsd.org
      - compile
      - restart daemon or service
      - problem solved

      If you need more handholding than this, you and your company can continue paying tens of thousands of dollars for Microsoft books, certifications, applications, and operating systems. The rest of us will pay all of $40US for the privilege of using OpenBSD.

      How about trolling around on /. with people your own age and maturity level? I have work to do.

      Comments
      1. By Anonymous Coward () on

        Well said.

      2. By Anonymous Coward () on

        This was not meant to start a flame.

        >What kind of info do you want?
        The "four years without a remote hole in the default install" claim needs some more explaining, like:

        - Preconditions (need patching)
        Is this claim only valid for boxes that get patched when a new patch is released on the errata page?

        - Starting from? (date and year)
        If it is true, then it should be updated to five years (afaik). But did an exploit turn up so that it is still four years and not 5?

        - Only valid for the current release over time?
        When 3.1 is released, do exploits found in 3.0/2.9/.... still count? Or is it only bugs found in 3.1 that count?

        - Last remote hole fixed, when....
        Just for documentation purposes and to show people that they take security seriously and the claim is indeed true.

        Info that should be available from www.openbsd.org, in my opinion.

    5. By Anonymous Coward () on

      No, marketing bullshit would be the "fine print" you see on many other things today. The fact that the OpenBSD team puts everything right in front of your face lets you know that there is no marketing going on. Analyze the phrase and all will be clear.

      Four years without a remote hole in the default install.

      Four years: a time frame
      remote hole: a vulnerability exploited remotely
      default install: an installation with no modifications

      When you put it together what does it all mean?

      Perhaps it has been four years since a remotely exploitable vulnerability has been found in the default installation?

      If you claim this to be false, please provide evidence to the contrary. Otherwise, please slither from whence you came since you have nothing to offer anyone here.

      Comments
      1. By Anonymous Coward () on

        Do you know the answers to the questions posted here:
        http://www.deadly.org/commentShow.php3?sid=20020427144326&pid=321

        If not, then think about it for a moment.
        Maybe you will find that we actually don't know much about this claim.

        If you do, please provide evidence and answers.

        Comments
        1. By Anonymous Coward () on

          >The "four years without a remote hole in the default install" claim needs some more explaining, like:

          >- Preconditions (need patching)
          >Is this claim only valid for boxes that get patched when a new patch is released on the errata page.

          No. The default install would include no patches. You can also look at the patch history and note that the patches have only been issued to secure local problems or remote problems in programs that are not enabled/accessible by default. If patches were required, they would have noted it.

          >- Starting from? (date and year)
          >If it is true, then it should be updated to five years (afaik). But did an exploit turn up so that it is still four years and not 5?

          Well, if it has really been five years, then they might just be taking their sweet time about it. I don't think that number is supposed to indicate an exact time. It's a general statement, and therefore only requires a general time frame.

          And if an exploit turned up, the phrase would be missing from the front page altogether. Last year (iirc) a local exploit was found (and now there have been several) and the statement about X years for a local exploit was taken down.

          >- Only valid for the current release over time?
          >When 3.1 is released, do exploits found in 3.0/2.9/.... still count? Or is it only bugs found in 3.1 that count?

          Older releases would be included. Take any release (at any patch level) and the statement should hold true. The only time the phrase would be reset is if a patch were to come out that fixed a remotely exploitable bug in a recent version (3.0). Otherwise, look back four years and you can feel safe about the default install of OpenBSD. The fact is, it has been four years since a remotely exploitable bug has been found in the software that is enabled in the default install. I don't know how you can get it any simpler than that.

          >- Last remote hole fixed, when....
          >Just for documentation purposes and to show people that they take security seriously and the claim is indeed true.

          If you have any question about whether the OpenBSD team is pro-actively secure, you are not reading enough documentation. If you ask just about anyone what the purpose of OpenBSD is, they will tell you (incorrectly) that it is security (and it's not... they are pro-actively secure and pride themselves on correctness). And why is that? Could it be that OpenBSD touts open encryption, use of encryption in most if not all areas where it can be used, and code correctness so that developers have a greater chance of leaving out bugs? Just read a bit on the web and it should become clear that OpenBSD does take security seriously.

          And as to your doubts about whether the claim is true? Download the source and look through it yourself. Find the bugs. Try to exploit the default install from any version in the past four years and see what you come up with. Look at the patch history and see what has been fixed (and when). Use that as a way to discredit the remark. The information you seek is right in front of your face.

          >Info that should be available from www.openbsd.org, in my opinion.

          The information is already there. You just don't know what you are looking at. First, understand what the phrase means, then check your history. It seems like you are taking something simple and trying to take it to a much higher level than it needs.

        2. By Anonymous Coward () on


          www.guninsky.com/openbsdrace.html
          We all have the greatest respect for your talents but...

          You pointed out a LOCAL root exploit. A LOCAL root exploit is infinitely easier
          to take advantage of than a remote root exploit. Once a very experienced
          computer professional like yourself has LOCAL access to a network, maintaining
          security becomes a very difficult task indeed.

          Since you seem to have a vested interest in the subject, here's the challenge.

          Buy, beg, or steal every cd put out by the openbsd team over the last several years.
          Buy, beg, or steal enough hardware to install every version of openbsd on every platform.
          Network settings are taken care of during install.

          Leave the install as is. 'default install'

          Now remember the line.
          "Four years without a remote hole in the default install"

          Hire a team of people to start looking for REMOTE root exploits. Compare your findings to
          the list of bugs on the openbsd.org web site.
          Report your findings back to us. Report your findings on the web.
          Report your findings to CNN.
          Call Bill Gates and give him the wonderful news.

          If you find a remote root exploit in any of these installs
          you will receive a huge thank you from the openbsd community.

          We want to know as badly as you do when there is a problem.

          If you are upset that the default install does not have
          a bunch of 3rd party apps running,
          well then you are missing the point.

          For me, the default install of OpenBSD is a foundation
          on top of which I build my network. A foundation that I can trust.
          Anything I do after the default install is MY problem.
          It becomes MY responsibility to maintain the level of security that
          I feel comfortable with.

          At what point does an install of OpenBSD become vulnerable to a remote root exploit?

          Enable httpd ?
          Set up and run Postgres ?
          Enable and configure pf ?

          You tell us.
          Report your findings and we will all be grateful. Really.

          Funny thing is, even if you find a few remote root exploits I will be more than happy sticking by an OS that can claim,
          'Three remote holes in the default install in the last 5 years'

          Comments
          1. By Anonymous Coward () on

            Windows and Linux had a "Hack me" contest a while ago. Maybe a Hack OpenBSD contest would be an idea (both current release and older).

            Comments
            1. By Anonymous Coward () on

              http://defaced.alldas.org/?archives=os
              This may say something about it

              17 different OS's since 04/2000
              18510 time(s) a "Windows" Host has been defaced, which is 58.329% of all archived defacements

              22 time(s) a "OpenBSD" Host has been defaced, which is 0.069% of all archived defacements

              864 time(s) a "FreeBSD" Host has been defaced, which is 2.723% of all archived defacements

              Note: Stupid administrators can make even the most secure OS insecure.

              Comments
              1. By Unknown Bovine Keeper () on

                Yes, a bad admin can make a great OS insecure but there's quite a difference between changing the files served up by httpd and successfully getting root privileges remotely.

                Even if these 22 were root compromises, I'll still take OpenBSD and its approach to security and fixing problems over any other OS. Nothing's perfect but OpenBSD gets much closer than most in my book.

              2. By Anonymous Coward () on

                The reverse is true too. Any plum can install OpenBSD. But when said plum tries to use it for anything useful after seeing the catchphrase about "4 years without a remote root exploit", he might be led into a false sense of security.

                I would trust a decent FreeBSD/Windows admin to lock down a box rather than a wet-behind-the-ears admin flapping his OpenBSD CDs about.

                Comments
                1. By Cow in a Sled () on

                  Wrong again. Easy as the install is for OpenBSD, it takes some cluefulness to actually use it, while Windows installs easy, and remains vulnerable AFTER a decent admin lockdown, because of the track record of future vulnerabilities.

                  I look at it this way, the best-locked-down Windows box has a better chance of getting hacked, over the default OpenBSD, because of Theo and crew paying attention to the stuff.

              3. By Anonymous Coward () on

                Keep in mind when you're looking at these statistics how many servers are actually running Windows, OpenBSD, and FreeBSD.

                Comments
                1. By Anonymous Coward () on

                  Got to question the sanity of anyone using Windows for web content, but so many people do it...

                  Me, I'd love to see stats on the *fraction* of servers compromised by OS alongside the actual number of servers compromised. Might give a better idea of relative risk.

    6. By Yet another AC () on

      Well if OpenBSD is so bad, can that super-elite OS you are running claim the same?

  5. By Chris () on

    I'd just like to ask a SIMPLE question here. I note a lot of people are having a go at OpenBSD for a lot of things, but I ask why?

    Has anyone here been remote or locally compromised? If so HOW? Was it your fault for not doing something correctly or was it an obscure buffer overflow in ssh or something like that... ? Be honest.

    Personally, sit down, think things over logically and work out the issues, how it affects you and whether anyone else has the problem BEFORE bitching. Then work to RESOLVE the problem and share the good. Complaining doesn't help, whereas constructive comments and bug reports do :-)

    I say the OpenBSD team are doing a damn good job. Full stop.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]