8107463 2002-03-07 13:25 +0000 /13 lines/ Joost Pol <joost@pine.nl>
Sent by: joel@lysator.liu.se
Imported: 2002-03-07 18:41 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External CC recipient: vulnwatch@vulnwatch.org
Recipient: Bugtraq (import) <21310>
Subject: [PINE-CERT-20020301] OpenSSH off-by-one
------------------------------------------------------------
From: Joost Pol <joost@pine.nl>
To: bugtraq@securityfocus.com
Cc: vulnwatch@vulnwatch.org
Message-ID: <20020307132520.A5010@badcoding.org>

See attached advisory.

-- 
Joost Pol alias 'Nohican' <joost@pine.nl> PGP 584619BD
PGP fingerprint B1FA EE66 CFAA A492 D5F8 9A8A 0CDA D2CA 5846 19BD
PINE Internet BV - Tel +31-50-5731111 - Fax +31-70-3111011
(8107463) /Joost Pol <joost@pine.nl>/---------------
Attachment (text/plain) in text 8107464
Comment in text 8113043 by Florin Andrei <florin@sgi.com>

8107464 2002-03-07 13:25 +0000 /65 lines/ Joost Pol <joost@pine.nl>
Imported: 2002-03-07 18:41 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External CC recipient: vulnwatch@vulnwatch.org
Recipient: Bugtraq (import) <21311>
Attachment (text/plain) to text 8107463
Subject: Attachment to: [PINE-CERT-20020301] OpenSSH off-by-one
------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------------
                        Pine Internet Security Advisory
- -----------------------------------------------------------------------------

Advisory ID     : PINE-CERT-20020301
Authors         : Joost Pol <joost@pine.nl>
Issue date      : 2002-03-07
Application     : OpenSSH
Version(s)      : All versions between 2.0 and 3.0.2
Platforms       : multiple
Vendor informed : 20020304
Availability    : http://www.pine.nl/advisories/pine-cert-20020301.txt
- -----------------------------------------------------------------------------

Synopsis

  A bug exists in the channel code of OpenSSH versions 2.0 - 3.0.2.
  Users with an existing user account can abuse this bug to gain root
  privileges.

  Exploitability without an existing user account has not been proven
  but is not considered impossible.

  A malicious ssh server could also use this bug to exploit a
  connecting vulnerable client.

Impact

  HIGH: Existing users will gain root privileges.

Description

  Simple off-by-one error. Patch included.

Solution

  The OpenSSH project will shortly release version 3.1. Upgrading to
  this version is highly recommended. This version will be made
  available at http://www.openssh.com

  The FreeBSD port of OpenSSH has been updated to reflect the patches
  as supplied in this document.

  OpenSSH CVS has been updated, see
  http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/ \
  channels.c.diff?r1=1.170&r2=1.171

  Or apply the attached patch as provided by PINE Internet:
  http://www.pine.nl/advisories/pine-cert-20020301.patch

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjyHaKkACgkQDNrSylhGGb3p2ACfXZu3WShzGT4Mp/LgwA6AZStu
rtkAn3O83WzyNijdJ9+9OwLJxUcVj4Ld
=j+Hz
-----END PGP SIGNATURE-----
(8107464) /Joost Pol <joost@pine.nl>/-----(Reflowed)

8113043 2002-03-07 16:45 -0800 /17 lines/ Florin Andrei <florin@sgi.com>
Sent by: joel@lysator.liu.se
Imported: 2002-03-08 19:21 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <21322>
Comment on text 8107463 by Joost Pol <joost@pine.nl>
Subject: Re: [PINE-CERT-20020301] OpenSSH off-by-one
------------------------------------------------------------
From: Florin Andrei <florin@sgi.com>
To: bugtraq@securityfocus.com
Message-ID: <1015548348.24490.98.camel@stantz.corp.sgi.com>

On Thu, 2002-03-07 at 05:25, Joost Pol wrote:
>
> A bug exists in the channel code of OpenSSH versions 2.0 - 3.0.2

Does anyone know which versions of the commercial SSH (if any) are
vulnerable?

-- 
Florin Andrei

If you're not googleable, you don't exist.
(8113043) /Florin Andrei <florin@sgi.com>/----------
Comment in text 8114039 by Attila Nagy <bra@fsn.hu>

8114039 2002-03-08 20:50 +0100 /42 lines/ Attila Nagy <bra@fsn.hu>
Sent by: joel@lysator.liu.se
Imported: 2002-03-09 01:06 by Brevbäraren
External recipient: Florin Andrei <florin@sgi.com>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <21334>
Comment on text 8113043 by Florin Andrei <florin@sgi.com>
Subject: Re: [PINE-CERT-20020301] OpenSSH off-by-one
------------------------------------------------------------
From: Attila Nagy <bra@fsn.hu>
To: Florin Andrei <florin@sgi.com>
Cc: bugtraq@securityfocus.com
Message-ID: <Pine.LNX.4.44.0203082031250.12207-100000@scribble.fsn.hu>

Hello,

> Does anyone know which versions of the commercial SSH (if any) are
> vulnerable?

The diff between the vulnerable version and the good one is:

- if (id < 0 || id > channels_alloc) {
+ if (id < 0 || id >= channels_alloc) {

The function channel_lookup appeared in channels.c on Tue Mar 28
20:31:25 2000 UTC, 23 months, 1 week ago in this form:

+ if (id < 0 && id > channels_alloc) {
+ log("channel_lookup: %d: bad id", id);

See
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/channels.c.diff?r1=1.40&r2=1.41
for the diff.

Then on Sun Jun 25 20:17:57 2000 UTC, 20 months, 1 week ago the above
line changed:

- if (id < 0 && id > channels_alloc) {
+ if (id < 0 || id > channels_alloc) {

See
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/channels.c.diff?r1=1.62&r2=1.63
for the diff.

In ssh.com's 3.1.0 there is no channels.c, or channels_alloc, so I think
this bug does not affect that (or not exactly the same way as in
OpenSSH :).

--------------------------------------------------------------------------
Attila Nagy                                     e-mail: Attila.Nagy@fsn.hu
Budapest Polytechnic (BMF.HU)                   @work: +361 210 1415 (194)
H-1084 Budapest, Tavaszmezo u. 15-17.           cell.: +3630 306 6758
(8114039) /Attila Nagy <bra@fsn.hu>/------(Reflowed)
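Review bot: In the first hunk (r1.170 to r1.171), the `-` line `if (id < 0 || id > channels_alloc)` admits `id == channels_alloc`; for a table whose valid indices run 0 .. channels_alloc-1 that is one element past the end, which is the off-by-one the advisory reports. The `+` line's `>=` is the correct upper bound, and it is worth noting in the commit message that the check previously let exactly one out-of-range id through rather than describing it as a cosmetic change.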
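Review bot: In the r1.40 to r1.41 hunk, the condition `if (id < 0 && id > channels_alloc)` can never be true for any `channels_alloc >= 0`, since no id is both negative and greater than a non-negative count; the `log("channel_lookup: %d: bad id", id)` line is therefore unreachable and the function rejects no id at all. The operator should be `||`, and the upper bound `>=` rather than `>`: `if (id < 0 || id >= channels_alloc) {`.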
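Review bot: The r1.62 to r1.63 hunk replaces the unsatisfiable `&&` with `||`, which makes the check reachable, but the `+` line keeps `id > channels_alloc`, so `id == channels_alloc` still passes the test; this is the same bound that r1.171 later tightens to `>=`. When a check is rewritten like this, the upper bound should be re-derived from the array size rather than carried over: `if (id < 0 || id >= channels_alloc) {`.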
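The three forms of the `channel_lookup` bound check quoted in the thread, placed side by side as an added example that is not part of the thread or of OpenSSH's own code. The model below is an assumption made for the demo: a table of `channels_alloc` `Channel` pointers with valid indices 0 .. channels_alloc-1, `fprintf` standing in for OpenSSH's `log()`, and the helper names `setup_channels`, `free_channels`, `bad_id_r141` and `out_of_bounds_sentinel`. The slot at index `channels_alloc` is allocated on purpose so that the vulnerable lookup returns a recognisable sentinel instead of reading memory the program does not own; in a real process that slot is whatever happens to follow the array.

```c
#include <stdio.h>
#include <stdlib.h>

/* Model of the channel table (an assumption for this example, not
 * OpenSSH's channels.c). Valid indices are 0 .. channels_alloc-1. */
typedef struct Channel {
    int self;                   /* index of this channel in the table */
} Channel;

static Channel **channels;      /* the table */
static int channels_alloc;      /* number of slots in the table */

/* A Channel placed at channels[channels_alloc], i.e. one past the end of
 * the logical table. It exists only so the vulnerable lookup below hands
 * back something recognisable instead of triggering undefined behaviour. */
Channel *out_of_bounds_sentinel;

/* Original form (channels.c r1.41): the '&&' makes the test unsatisfiable,
 * so this check rejects nothing. Returns nonzero if id would be rejected. */
int bad_id_r141(int id)
{
    return id < 0 && id > channels_alloc;
}

/* Vulnerable form (r1.63 up to the 2002 fix): '>' admits id == channels_alloc. */
Channel *channel_lookup_vulnerable(int id)
{
    if (id < 0 || id > channels_alloc) {
        fprintf(stderr, "channel_lookup: %d: bad id\n", id);
        return NULL;
    }
    return channels[id];
}

/* Fixed form (r1.171): '>=' rejects id == channels_alloc. */
Channel *channel_lookup_fixed(int id)
{
    if (id < 0 || id >= channels_alloc) {
        fprintf(stderr, "channel_lookup: %d: bad id\n", id);
        return NULL;
    }
    return channels[id];
}

/* Build a table with n channels plus the sentinel slot at index n. */
void setup_channels(int n)
{
    channels_alloc = n;
    channels = calloc((size_t)n + 1, sizeof *channels);
    if (channels == NULL)
        abort();
    for (int i = 0; i < n; i++) {
        channels[i] = calloc(1, sizeof *channels[i]);
        if (channels[i] == NULL)
            abort();
        channels[i]->self = i;
    }
    out_of_bounds_sentinel = calloc(1, sizeof *out_of_bounds_sentinel);
    if (out_of_bounds_sentinel == NULL)
        abort();
    out_of_bounds_sentinel->self = -1;      /* marks "not a real channel" */
    channels[n] = out_of_bounds_sentinel;
}

void free_channels(void)
{
    for (int i = 0; i <= channels_alloc; i++)
        free(channels[i]);
    free(channels);
    channels = NULL;
    channels_alloc = 0;
    out_of_bounds_sentinel = NULL;
}

int main(void)
{
    setup_channels(4);                       /* valid ids: 0..3 */
    Channel *v = channel_lookup_vulnerable(4);
    Channel *f = channel_lookup_fixed(4);
    printf("id 4: vulnerable -> %s, fixed -> %s\n",
           v == out_of_bounds_sentinel ? "slot past the end" : "rejected",
           f == NULL ? "rejected" : "accepted");
    printf("r1.41 check rejects id 4: %s, id -1: %s\n",
           bad_id_r141(4) ? "yes" : "no", bad_id_r141(-1) ? "yes" : "no");
    free_channels();
    return 0;
}
```

With four channels, id 4 is rejected by the fixed check and by nothing else: the vulnerable check hands back the slot past the end, and the r1.41 check rejects neither 4 nor -1, because `id < 0 && id > channels_alloc` has no solution.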