OpenBSD Journal

OpenSSH Security Advisory: buffer.adv

Contributed by jose on from the sshland-security dept.

(Pasting from Markus Friedl's advisory.)

1. Versions affected:

All versions of OpenSSH's sshd prior to 3.7 contain a buffer management error. It is uncertain whether this error is potentially exploitable, however, we prefer to see bugs fixed proactively.

2. Solution:

Upgrade to OpenSSH 3.7 or apply the patch.

The patch and the advisory can be found at http://www.openssh.com/txt/buffer.adv . This bug was being discussed on the Full Disclosure list recently.

UPDATE: Here's the CERT advisory and the ISS X-Force advisory on the subject. Note that various embedded devices use OpenSSH, so they're also vulnerable to this issue.



Comments
  1. By Anonymous Coward () on

    I think Markus does not understand the meaning of "proactive". Fixing an exploitable bug in response to its public disclosure sounds pretty "reactive" to me. If anything, the only thing about OpenSSH that is "proactive" is its introduction of numerous exploitable holes!

    Everyone should switch to lsh instead.

    Comments
    1. By Anonymous Coward () on

      It's not only public disclosure, there's already a worm "in the wild."

    2. By Anonymous Coward () on

      The patch was made, then the exploit appeared (based on the patch, supposedly).

      I'd agree that this makes 2, but the security is still proactive

      Comments
      1. By Anonymous Coward () on

        Sorry, wrong. The bug has been exploitable for over a year. OpenBSD only learned about the bug because some idiot who wasn't involved with writing the exploit himself (probably heard about it from one of his friends) decided to leak it publicly. Come on, none of that code has been touched for weeks, and you really believe they found it before the hackers? When they release their advisory after posts of machines being compromised through OpenSSH?

    3. By RC () on

      > Fixing an exploitable bug in response to its public disclosure sounds pretty "reactive" to me.

      Being proactive does not require someone to do a perfect job.

      Priv-sep was added, not in response to any exploit.

      Switching to lsh would be a large step backwards.

    4. By Anonymous Coward () on

      http://www.securityfocus.com/archive/1/338354/2003-09-20/2003-09-26/0

  2. By jose () on http://monkey.org/~jose/

    the url i have up there for the patch is right, but its not yet available online. here's a link to a mailing list posting which also has this:

    http://marc.theaimsgroup.com/?l=openbsd-misc&m=106371592604940&w=2

    enjoy, and patch ... it sounds like the hackers found this one first ...

  3. By Anonymous Coward () on

    Will Theo do the right thing and modify the front page now? You asked for proof, now you have it. Or does Theo need to see an exploit with his own eyes to do it, even though it's being actively exploited right now? This makes one question the integrity of the OpenBSD source, if such an exploit was in the wild...

    Comments
    1. By Daniel Svensson () on

      "It is uncertain whether this error is potentially exploitable"

    2. By Anonymous Coward () on

      This guy is a paid employee of the Microsoft Department of Internet Information.

      A flaw may be in the wild? Ooh scary everyone. Read the morning newspaper and disable external SSH. At least I know about it right away and can disable external SSH until I know what's up.

      Honestly, I think Microsoft is present in this forum instigating pain for the rest of us.

      Comments
      1. By Anonymous Coward () on

        Are you a retard? Did you even read the post? Do you understand the concept that an exploit can exist before OpenBSD knows about it? Do you understand that the existence of such an exploit brings into question the integrity of the code you are running right now on your OpenBSD machine, since many machines related to OpenBSD development were vulnerable for over a year (including the CVS server)?

        Who bothered to spawn you, and why?

      2. By Anonymous Coward () on

        Is your head in a hole? It's a remote root-level exploit. It's available. Yes, on OpenBSD. Yes, with PrivSep enabled.

        Comments
        1. By tedu () on

          where can i get it?

        2. By Nate () on

          I have yet to see an example of the exploit in question. The fact that there is an overflow does not mean there is an exploit to use it.

          On one hand there is the bunch of random Anonymous Cowards proclaiming to have been hacked already, then there are the Anonymous Cowards on the other side saying it is impossible to use the overflow to create a viable exploit.

          Right now there are people at both extremes bellowing at the top of their lungs about how they're right and the other group is wrong. Until proof exists, there is no exploit, only a chance of one.

          All I can say is STFU and wait. Unless you can show the exploit then there is doubt, though updating your OpenSSH will not hurt.

          Comments
          1. By coward () on

            it's funny that on one hand you demand a proof from one party (who claim there's an exploit) and on the other hand you don't demand the same from the naysayers, you're satisfied by some random people (never heard of them posting some well-research/written exploit or paper at least) claiming that 'i looked at the code and i think it is not exploitable' - that's hardly PROOF. as for waiting for an exploit, what makes you think someone will just give you his/her hard work (i have no doubt this is not your average strcpy() linear stack overflow style) for, errr, nothing in return?

            Comments
            1. By Anonymous Coward () on

              Duh?

              Comments
              1. By coward () on

                and why not? you can perfectly well prove it by showing that whatever state change the bug allows will always cause program termination/infinite loop (vs. giving a root shell or whatever else is deemed useful for an attacker). the state space is finite, nothing is impossible here. impractical it may be, but i never said your average joe 'hacker' would be knowledgeable enough to decide the question pro or contra.

                Comments
                1. By compass () on

                  You can't prove a negative... Or are you a philosophical god? :)

                  Comments
                  1. By coward () on

                    in an infinite state universe, but computers are anything but infinite. in this particular case you (if you're knowledgeable enough that is) could for example show that the memory corruption caused by the bug cannot ever modify data that's used later, that would be sufficient condition for proof of non-exploitability. still 'impossible'?

                    [PS to moderator: sorry for my other accusation, you did not indeed remove my posts, i merely looked at the wrong thread... i apologize.]

                    Comments
                    1. By compass () on

                      Crap... I think my social science schooling is hanging out for all the world to see.

                      Comments
                      1. By Anonymous Coward () a on mailto:a

                        a

            2. By Anonymous Coward () on

              as for waiting for an exploit, what makes you think someone will just give you his/her hard work?

              ok I'll bite!

              Ummm, maybe because giving it to the k1dd13s will cause a lot more damage than just bellowing out I wrote an exploit.

              An issue of credit perhaps.

              Sharing it with the developers ( A little more responsible ) is also another idea.

              See I can say this:

              I wrote a remote exploit that gives me root on any server that runs 'insert your app here'

              Now I'm not going to show you any code but I told you I wrote the exploit so you should now phear me and my 'leet skillz.

              Come on give me a break! Go play in the sandbox with the other 6 year olds.

              I think I saw this elsewhere today and it holds value:

              Bottom Line:

              PUT UP or SHUT UP!

              Comments
              1. By coward () on

                uhm, what makes you think that an exploit writer would give an exploit of this magnitude to kiddies any more than others? look at what happened when the approximate bug location was made public (on the full-disclosure list), it already had the bug fixed, a published exploit would have achieved only worse (in side effects, like boxes getting owned left and right), don't you think? i think there's one single reason you want that exploit that bad: to save your shattering ego (as in: no public exploit -> ego is ok, you did not do a bad job at auditing OpenSSH during all these years).

            3. By Shane J Pearson () on

              it's funny that on one hand you demand a proof from one party (who claim there's an exploit) and on the other hand you don't demand the same from the naysayers

              It is usually very simple to prove something exists (if it does), yet very difficult to prove something does not exist.

              Asking for proof of the exploit is the natural, reasonable question. There should be no assumptions of bias attached to such a question.

              what makes you think someone will just give you his/her hard work (i have no doubt this is not your average strcpy() linear stack overflow style) for, errr, nothing in return?

              If exploits are in the wild, as claimed by some, then it should not be hard to point to them.

              Until then, with all the trolling going on around here, I don't think it is unreasonable to expect a little doubt around here. Especially with the tone of the posters claiming exploits in the wild!

    3. By Anonymous Coward () on

      The answer is pretty obvious. If Theo and the OpenBSD/SSH crew figure out it is exploitable, they WILL change the remote hole count, as they did last time. It is called I-N-T-E-G-R-I-T-Y. A surprise for you perhaps, but OpenBSD users just take it for granted...

  4. By Anonymous Coward () on

    The curious thing is:

    % nc -4 localhost 22
    SSH-2.0-OpenSSH_3.7
    ^C
    % ls -l /usr/sbin/sshd
    264 -r-xr-xr-x 1 root bin 260696 Sep 15 12:03 /usr/sbin/sshd

    My version of the source, obviously, does not contain this patch. Does this mean the version is incremented in OpenBSD-current before the `official' release is finalised?

    Comments
    1. By tedu () on

      yes, the version was dumped on 9/2.
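The banner check in comment 4 above, generalised into a small inventory helper (added example, not code from the advisory or from OpenSSH): it parses the version out of an SSH identification string and flags anything older than 3.7.1. The sample banners are constructed; as tedu's reply shows, a banner alone is only a hint, since -current advertised 3.7 before the fix landed.

```python
import re

# Constructed sample banners (the first mirrors the one shown in comment 4).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_3.7",
    "SSH-1.99-OpenSSH_3.6.1p2",
    "SSH-2.0-OpenSSH_3.7.1p1",
    "SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1",
    "SSH-2.0-dropbear_0.39",
]

# 3.7.1 is the release the thread (Brad's comment) tells people to run.
FIXED_VERSION = (3, 7, 1)

# Identification string: SSH-<proto>-OpenSSH_<ver>[p<portable-rev>] [comment]
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[\d.]+)-OpenSSH_(?P<ver>\d+(?:\.\d+)*)(?P<portable>p\d+)?"
)


def parse_openssh_version(banner):
    """Return the OpenSSH version as a 3-tuple, or None if not OpenSSH."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group("ver").split(".")]
    while len(parts) < 3:          # pad so "3.7" compares as (3, 7, 0)
        parts.append(0)
    return tuple(parts[:3])


def banner_looks_vulnerable(banner):
    """True when the banner advertises an OpenSSH older than 3.7.1.
    Non-OpenSSH banners return False: not covered by this advisory.
    A banner of 3.7.x or later is only a hint; confirm against the
    installed package or source tree, not the banner alone."""
    ver = parse_openssh_version(banner)
    return ver is not None and ver < FIXED_VERSION


def triage(banners):
    """Map each banner to 'patch', 'ok' or 'unknown' for a quick sweep."""
    verdicts = {}
    for b in banners:
        ver = parse_openssh_version(b)
        if ver is None:
            verdicts[b] = "unknown"
        else:
            verdicts[b] = "patch" if ver < FIXED_VERSION else "ok"
    return verdicts


if __name__ == "__main__":
    for banner, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{verdict:8s} {banner}")
```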

  5. By Anonymous Coward () on

    So OpenBSD team is not sure if the bug can be exploited, while there are public reports of machines being rooted because of this hole?! I guess that just says it all about wOpenBSD !!!! muahahahahahahahaahahahahahahhahahahaahhah

    Comments
    1. By djm () on

      I have heard reports of a guy going to a party and waking up in a bath of ice with a kidney missing. That must be true as well.

      Please show us (openssh@openbsd.org) an exploit - we'll believe you then.

    2. By Anonymous Coward () on

      Are there? Where is the exploit? Show it or shut up. Fucking moron.

      Comments
      1. By Anonymous Coward () on

        Go on a diet, but do it during the time you spend talking nonsense *g*

  6. By Noob () on

    This will probably be resolved in the OpenBSD 3.4 Release when it is completed and ready to ship.

  7. By Anonymous Coward () on

    Other way to patch?

    Comments
    1. By Brad () brad at comstyle dot com on mailto:brad at comstyle dot com

      It is now. Make sure you're using 3.7.1.

      Comments
      1. By Anonymous Coward () on

        Thanks!!!

  8. By netchan () deadly@netchan.cotse.net on mailto:deadly@netchan.cotse.net

    This simple question is still unclear for me. Is OpenBSD 3.2, 3.3 affected by this vulnerability? There's no new advisory on errata.html.

    netchan

    Comments
    1. By Nate () on

      The way I read it OpenBSDs from 2.6 to 3.3 all share this vulnerability.

      It may well be that this problem exists in ossh.

      I've not read enough to know for sure if it's that old or if it was introduced with the various improvements the Open team brought to the code.

      Comments
      1. By Anonymous Coward () on

        It's that old ... appears to be in tatu's original code and not introduced by OpenBSD.

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]