OpenBSD Journal

OpenSSH version bump to 3.4

Contributed by jose on from the fixing-the-ints dept.

floh writes :
"Markus Friedl just bumped the OpenSSH version to 3.4, and commited a fix for the "int overflow; from ISS", the commit message should be here "
The commit message from Markus is

From: Markus Friedl

Date: Wed, 26 Jun 2002 07:55:38 -0600 (MDT)
Subject: CVS: src

CVSROOT:        /cvs
Module name:    src
Changes by:  2002/06/26 07:55:37

Modified files:
        usr.bin/ssh    : auth2-chall.c

Log message:
make sure # of response matches # of queries, fixes int overflow; from ISS

The ISS advisory contains additional information on the vulnerability.

As the commit message said , nearly six years ... not bad. Update The OpenSSH advisory is now also available.

(Comments are closed)

  1. By Anonymous Coward () on

    One remote hole in the default install, in nearly 6 years!

    1. By Anonymous Coward () on

      That's pretty sad considering that next to nothing is enabled in the default install, making it pretty useless to begin with. You'd think people would at least get it right with so little to worry about. Oh wait, when things go wrong "I get what I pay for."

      1. By Anonymous Coward () on

        bullshit. a bunch of stuff is enabled by default, including portmap. whens the last time you saw a portmap exploit in openbsd? and one in linux/solaris/irix? ident? comsat? rstatd and ruserd?

        its not useless, its svelte. plus when you turn on named you're not going to bite your nails, they're audited it (granted its missing some bind 8 and 9 features, but ...).

        as for getting it right, if you dont like it, dont use it or start helping.

      2. By DieNadel () on

        I guess you could say that you get a lot more than what you pay for. You've got a reliable, stable and, yes, secure OS for close to nothing. Anyone that has half a brain knows that bugs are likely to show up sooner or later, and we can be proud that it was later.
        Now stop bugging and try to find some more bugs! :-)

      3. By Anonymous Coward () on

        Well, go pay for Windows 2K or Windows XP. You get a lot more vulnerabilities per dollar... Or maybe you want to pay for Solaris, HP/UX, Dynix or AIX. Still more vulnerabilities. Maybe you should just unplug your computer from any networks, remove the modem and spare all of us your infantile intellect.

      4. By pravus () on

        You'd think people would at least get it right with so little to worry about.

        yeah, you are right. 70MB of kernel source is trivial to maintain.

        please... for the sake of humanity, put the crack pipe down.

    2. By Anonymous Coward () on

      A fact and a good prestation if you'd ask me.

    3. By lx () asdf on mailto:asdf

      Definitely an improvement, I'm glad they've changed it. Eventually I'd like to see them abandon the statement completely or change it to something more accurate like "One remote root hole in the default install, at least in the most current available version of the operating system available at the time, in nearly 6 years."

      1. By pravus () on

        density suits you.

        check your history. the statement is true. take a release from 5 years ago... use the default installation... how many remote exploits do you have? at most, 1: this new OpenSSH exploit.

        what is so hard to understand about this? i just don't get it. maybe the people that complain so much about this statement don't speak english very well?

    4. By Anonymous Coward () on

      Patch # 8 is out.
      Check the errata for 3.1
      holy crap.

      1. By Anonymous Coward () on

        This is going to keep happening until the OpenBSD shifts to security-by-design. Right now, OpenBSD's focus is security by software quality. That's great but unfortunately there is no way to write a large amount of code in C and not have the occasional overflow or other security compromising bug.

        There are a few ways to achieve security by design. Fine-grained capabilities is an excellent approach. Privsep in the new OpenSSH takes this idea. We need to use this kind of thing all over the place. The other approach is to stop using languages like C for network services. It just isn't humanly possible to write a large body of C code without the occasional overflow. The OpenBSD team is the best in the world, and yet bugs still get through, as we have seen recently.

        1. By Anonymous Coward () on

          All right then. Thanks for volunteering your time.
          How soon can you have a spec written up?

        2. By couderc () on

          How many times should we say NO JAVA ? :)

  2. By M Shannon () on

    Well I can't say I didn't want it to last forever. But I guess if it had to go, we should let it go with dignity.

    Way to go guys, you've done great work release after release. I expect to see a new streak start again.

    It was a hard week for OpenBSD, Apache exploit toolkits, Openssh vulnerabilites, bad press everywhere you turn.

    Well, just so there's no mis-understanding, put me down for a 3.2 CD!


    1. By Anonymous Coward () on

      I just downloaded ALL the patches for 2.9 3.0 and 3.1
      3.0.tar.gz --249440
      3.1.tar.gz - 7267
      -This is a walk in the park compared to my other
      -platforms. They fit on one floppy!!!
      Do you have any idea how long it would take for
      the updates for the last 3 releases of SuSE? or redhat?
      HOURS. Really. hours. They fill up a whole CD.
      OpenBSD kicks butt.

      1. By Anonymous Coward () on

        Hard to tell from the last post but I agree with you.
        It seems like somebody is gunning for theo.
        Well as they will find out, We are very loyal.

        1. By Jeff Flowers () on

          "It seems like somebody is gunning for theo"

          I think some of that has to do with Theo himself. I have no problem with Theo as I appreciate his bluntness but I can see how some would. I suspect that makes him, and OpenBSD, a target for some.

          Regardless, Theo and his fellows have shown what can be accomplished if one is willing to work.

  3. By Anonymous Coward () on

    Apparently it's worked fine for the past two releases, but not for 3.4. I'd be okay with that, except the client has been changed to not complete a connection if compression fails, versus falling back to no compression. This is a real pain, as I like to alias ssh -C on all my machines regardless of whether or not I'm connecting to a server that I run. Please give me back my compression.

  4. By pravus () on

    ... at least for the people that do nothing but gripe about the "no remote hole" statement. now what will they gripe about? i'm sure they will find something...

    1. By john doe () on

      is all this really such an issue? I disable anything I don't need in sshd_config on first use and run it on weird ports on internal interfaces. If people want TOTAL security without thinking, I suggest they let bill do it for them (see link)

  5. By Ben Johnson () on

    Am I reading the advisory correctly: Affected Versions: OpenBSD 3.0 OpenBSD 3.1 FreeBSD-Current OpenSSH 3.0-3.2.3 Is OpenBSD 2.9 and lower not affected? I'd like to know - as I'm quite lazy.

    1. By <font color="#336666"><b>Re:<3.0 Not Affected?</b><br>by<font c () on

      i would think that the question you need to ask yourself is what version of OpenSSH you are running, regardless of the OS version you have. the bug is in OpenSSH, not OpenBSD.

    2. By <font color="#336666"><b><3.0 Not Supported</b><br>by<font colo () on

      I believe the reason why those versions weren't listed is because they are considered unsupported.

    3. By Matt Liggett () on

      According to
      At least one major security vulnerability exists in many deployed OpenSSH versions (2.9.9 to 3.3) . . .

      I'm running 2.8, and ssh -V reports that I'm using OpenSSH 2.3.0, so I appear to be safe. ssh -V might provide useful for you, too.

        1. By Ben Johnson () on

          Thanks for the constructive replies.

          I put on my paranoid-tin-foil-hat and took the precaution of considering OpenSSH possibly vunerable - even after the curent patches and have set all my firewalls to block any port 22 trafic with an eception of allowing my static home IP addess in.

          Thanks to OpenBSD and OpenSSH for the 5 years of worry free computing. This incident only reminds my of why I moved over to OpenBSD in the first place, and you have my confidence. Heres to the next 5 years.


  6. By RC () on

    OpenBSD's policy of disabling everything by default is a GREAT policy, IF they do it.

    If S/Key and/or BSD_Auth were disabled, this wouldn't have been the end of OpenBSD's reign without a remote Root hole. Most users wouldn't have been affected by disabling S/Key by default, and those few who use it could have re-enabled it.

    Anyone care to say why S/Key was enabled? Or better yet, why it was enabled on OpenBSD, but other distros were smart enough to disable it by default.

    Additionally, why didn't Theo just let the world know that disabling S/Key would have neutralized the exploit? That's even better than priv seperation, as it would prevent them ANY access!

    1. By Anonymous Coward () on

      It's not too hard to grep the source for S/Key stuff, and it's not too hard to find a bug when you know where it is. If Theo had said that disabling S/Key fixed the exploit, there would have been a 1337 0-day exploit circulating within fifteen minutes.

    2. By Anonymous Coward () on

      It's not too hard to grep the source for S/Key stuff, and it's not too hard to find a bug when you know where it is. If Theo had said that disabling S/Key fixed the exploit, there would have been a 1337 0-day exploit circulating within fifteen minutes.

  7. By Aasmund () on

    I finally caved in and upgraded my 2.9 box. However i had several problems:

    1. The good-old XML::Parser problem, fixed with --disable-rule=EXPAT (I thought it was officially fixed)
    2. $r->print requires full scalar not ref anymore. (for mod_perl)
    3. cvs'upping to stable is fine, however, making obj/build fails on "/bin/sh: cd: /usr/src/usr.bin/ssh/ssh-keysign - No such file or directory" any ideas?
    4. How easy the upgrade system is, I love it!
    5. My system hangs 50% of the time on SCSI detection, I don't have any SCSI units. So I guess I will have to alter GENERIC and recompile.

    Thank You,


    1. By Sam () on

      >making obj/build fails on "/bin/sh: cd: /usr/src/usr.bin/ssh/ssh-keysign - No such file or directory" any ideas?

      Read and follow the upgrading instructions?

      1. By Aasmund () on

        Hmm, I did do my best to follow instructions. Maybe I did something stupid. however the error doesn't look like a config problem more a missing file. That indicates to me a cvs problem. Don't know why it arose. Hope it will be gone now.

        Also my system has started to behave erratically. Suddenly it can't find libraries and loses all it's 512 memory. 2 mins later it's ok.


    2. By Anonymous Coward () on

      You don't need to recompile the kernel.
      Use config instead and disable unwanted devs.

    3. By francisco () on

      5. My system hangs 50% of the time on SCSI detection, I don't have any SCSI units. So I guess I will have to alter GENERIC and recompile.

      i bet it's looking for cd drives. are you seeing something like:
      atapiscsi0 at pciide0 channel 1 drive 0
      scsibus0 at atapiscsi0: 2 targets
      cd0 at scsibus0 targ 0 lun 0: SCSI0 5/cdrom removable
      cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2

      yours will vary slightly, of course. if this is similar to the problem you are referring to, then you will want to see atapiscsi(4), scsibus(4), and cd(4), which will explain to you what all those drivers are. If you have a Sony cd drive and are running 3.1-release, then you may notice some problems during detection. refer to the mailing lists for more information, and upgrade to the recent stable kernel.

      my machine didnt recognize the cd drive with 3.1-release, though the same drive worked fine with 2.9. it started working in -current a few weeks ago. thank you developers!

  8. By Anonymous Coward () on

    I've been looking at the code under auth2-chall.c and how it was fixed and I don't see how this was an exploit.

    The CVS log mentions an int overflow.

    Referring to this snippet of code
    nresp = packet_get_int();
    if (nresp != kbdintctxt->nreq)
    fatal("input_userauth_info_response: wrong number of replies");
    if (nresp > 100)
    fatal("input_userauth_info_response: too many replies");
    if (nresp > 0) {
    response = xmalloc(nresp * sizeof(char*));
    for (i = 0; i 100) check was the patch.

    But if nresp was very large where does the overflow occur? I could see the kernel thrashing for a while since it's been requested to malloc an obscene amount of memory, but I can't see where a write to unmanaged memory occurs.

    Can anyone shed some light on this?

    1. By Anonymous Coward () on

      looks like I screwed up the formatting
      The for loop looks like this

      for (i = 0; i 100) was the patch

    2. By Anonymous Coward () on

      While I haven't examined the code extensively, I think the patch does two things:

      1) Checking nresp <100 prevents a DoS, as you noted.

      2) If nresp is very large and unsigned, and if the value in nresp is later assigned to a signed variable, the signed variable may be negative when it should not be. Careful packet construction could cause a server to believe it's writing into a buffer when it's actually overwriting its stack or heap. Since I saw a lot of signed/unsigned cleanup commit messages around the time this vulnerability was announced, I think this is it.

    3. By grendel () on

      nresp * sizeof(char *) == 4 * (a large number).
      add in one part integer overflow, stir, and get a small number, happily malloced. the loop below then proceeds to use the large value and run willy-nilly over memory.

      like theo said, it's a kinda new class of vulnerability. everyone knows ints overflow. they don't know that can be bad. :(

  9. By Anonymous Coward () on

    hmm write the services in C# .net using the CLR and MSIL. thats not a troll - its just its not vulnerable and is JIT compiled and cached.

    (btw .net ISNT just for MS ;).

    1. By Anonymous Coward () on

      Actually, .net is only for M$. Ximian is wrking on Mono, but that's just the CLR.

      I no of no advantages of .net over Java/JVM. You can get Scheme, Ada, Python, and litterlally over one hundered other language compilers/interpreters tagreted at/running in JVM byte code. Sun might not be that great, but they beat teh crap out of M$ for my security dollar.


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]