SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!

SecurityTracker
Archives
Category:   Application (Security)  >   OpenSSH
Vendors:   OpenSSH.org
OpenSSH Off-by-one 'Channels' Bug May Let Authorized Remote Users Execute Arbitrary Code with Root Privileges
SecurityTracker Alert ID:  1003758
SecurityTracker URL:  http://securitytracker.com/id/1003758
CVE Reference:   CAN-2002-0083   (Links to External Site)
Updated:  Nov 26 2003
Original Entry Date:  Mar 7 2002
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 3.1
Description:   A remotely exploitable vulnerability has been reported in OpenSSH. An authorized remote user may be able to execute arbitrary code on the server with root privileges. Also, a server may be able to cause the ssh client to execute arbitrary code.

An off-by-one error has been reported in the OpenSSH code (channels.c) that manages multiplexed channels. A remote user may be able to reference a memory location beyond that allocated for channels.

It is reported that a valid and authorized remote user may be able to cause sshd to execute arbitrary code with superuser privileges. It is also reported that a remote ssh server may be able to execute arbitrary code on any ssh clients that connect to the server.

This bug was discovered by Joost Pol.

Impact:   A valid remote user may be able to cause arbitrary code to be executed with root privileges on the server. This appears to only be an issue if you have remote non-root users accessing your server.

A malicious ssh server may be able to cause arbitrary code to be executed on an OpenSSH client that connects to the server.

Solution:   The vendor has released a fixed version (openssh-3.1), available at:

http://www.openssh.org/

Vendor URL:  www.openssh.org/ (Links to External Site)
Cause:   Boundary error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(FreeBSD Issues Fix) OpenSSH Off-by-one 'Channels' Bug May Let Authorized Remote Users Execute Arbitrary Code with Root Privileges   (FreeBSD Security Advisories <security-advisories@FreeBSD.ORG>)
The vendor has released a fix.
(SuSE Issues Fix) OpenSSH Off-by-one 'Channels' Bug May Let Authorized Remote Users Execute Arbitrary Code with Root Privileges   (Roman Drahtmueller <draht@suse.de>)
The vendor has released a fix.
(Conectiva Issues Fix) OpenSSH Off-by-one 'Channels' Bug May Let Authorized Remote Users Execute Arbitrary Code with Root Privileges   (secure@conectiva.com.br)
The vendor has released a fix.
(Engarde Issues Fix) OpenSSH Off-by-one 'Channels' Bug May Let Authorized Remote Users Execute Arbitrary Code with Root Privileges   (engarde-announce-admins@linuxsecurity.com)
The vendor has released a fix.
(Mandrake Issues Fix) OpenSSH Off-by-one 'Channels' Bug May Let Authorized Remote Users Execute Arbitrary Code with Root Privileges   (Mandrake Linux Security Team <security@linux-mandrake.com>)
The vendor has released a fix.
(Slackware Issues Fix) Re: OpenSSH Off-by-one 'Channels' Bug May Let Authorized Remote Users Execute Arbitrary Code with Root Privileges   (Slackware Security Team <security@slackware.com>)
The vendor has released a fix.
(Trustix Issues Fix) OpenSSH Off-by-one 'Channels' Bug May Let Authorized Remote Users Execute Arbitrary Code with Root Privileges   (tsl@trustix.com (Trustix Secure Linux Advisor))
The vendor has released a fix.
(Red Hat Issues Fix) OpenSSH Off-by-one 'Channels' Bug May Let Authorized Remote Users Execute Arbitrary Code with Root Privileges   (bugzilla@redhat.com)
The vendor has released a fix.
(Debian Issues Fix) OpenSSH Off-by-one 'Channels' Bug May Let Authorized Remote Users Execute Arbitrary Code with Root Privileges   (Michael Stone <mstone@pandora.debian.org>)
The vendor has released a fix.
(NetBSD Issues Fix) OpenSSH Off-by-one 'Channels' Bug May Let Authorized Remote Users Execute Arbitrary Code with Root Privileges   (NetBSD Security Officer <security-officer@netbsd.org>)
The vendor has released a fix.
(Caldera Issues Fix for SCO OpenServer) OpenSSH Off-by-one 'Channels' Bug May Let Authorized Remote Users Execute Arbitrary Code with Root Privileges   (security@caldera.com)
The vendor has released a fix.
(Caldera Issues Fix for UnixWare/Open UNIX) OpenSSH Off-by-one 'Channels' Bug May Let Authorized Remote Users Execute Arbitrary Code with Root Privileges   (security@caldera.com)
The vendor has released a fix.
(Caldera Issues Fix for Caldera Linux) Re: OpenSSH Off-by-one 'Channels' Bug May Let Authorized Remote Users Execute Arbitrary Code with Root Privileges   (security@caldera.com)
The vendor has issued a fix for Caldera Linux.
Nov 26 2003 (HP Issues Fix for Virtualvault) OpenSSH Off-by-one 'Channels' Bug May Let Authorized Remote Users Execute Arbitrary Code with Root Privileges   (support_feedback@us-support2-mail.external.hp.com (IT Resource Center))
HP has released a fix for Virtualvault.



 Source Message Contents

Date:  Thu, 7 Mar 2002 06:59:50 -0800 (PST)
Subject:  FreeBSD Security Advisory FreeBSD-SA-02:13.openssh



=============================================================================
FreeBSD-SA-02:13                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          OpenSSH contains exploitable off-by-one bug

Category:       core, ports
Module:         openssh, ports_openssh, openssh-portable
Announced:      2002-03-07
Credits:        Joost Pol <joost@pine.nl>
Affects:        FreeBSD 4.4-RELEASE, 4.5-RELEASE
                FreeBSD 4.5-STABLE prior to the correction date
                openssh port prior to openssh-3.0.2_1
                openssh-portable port prior to openssh-portable-3.0.2p1_1
Corrected:      2002-03-06 13:57:54 UTC (RELENG_4)
                2002-03-07 14:40:56 UTC (RELENG_4_5)
                2002-03-07 14:40:07 UTC (RELENG_4_4)
                2002-03-06 13:53:38 UTC (ports/security/openssh)
                2002-03-06 13:53:39 UTC (ports/security/openssh-portable)
CVE:            CAN-2002-0083
FreeBSD only:   NO

I.   Background

OpenSSH is a free version of the SSH protocol suite of network
connectivity tools.  OpenSSH encrypts all traffic (including
passwords) to effectively eliminate eavesdropping, connection
hijacking, and other network-level attacks. Additionally, OpenSSH
provides a myriad of secure tunneling capabilities, as well as a
variety of authentication methods. `ssh' is the client application,
while `sshd' is the server.

II.  Problem Description

OpenSSH multiplexes `channels' over a single TCP connection in order
to implement X11, TCP, and agent forwarding.  An off-by-one error in
the code which manages channels can result in a reference to memory
beyond that allocated for channels.  A malicious client or server may
be able to influence the contents of the memory so referenced.
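The off-by-one described above, modelled in C as an added example (this is not OpenSSH's channels.c): a table of `channels_alloc` pointers is guarded by a test that accepts `id == channels_alloc`, one slot past the end, so the lookup reads whatever lies beyond the table. The table layout, the exact form of the guard and all names are assumptions made for the illustration.

```c
#include <stdlib.h>

typedef struct Channel { int self; } Channel;

/* Constructed model, not OpenSSH's code: channels_alloc pointer slots. */
static Channel **channels;
static int channels_alloc;

/* Guard with the off-by-one: id == channels_alloc passes. */
static int in_table_buggy(int id) { return !(id < 0 || id > channels_alloc); }
/* Corrected guard: a valid index satisfies 0 <= id < channels_alloc. */
static int in_table_fixed(int id) { return !(id < 0 || id >= channels_alloc); }

static Channel *channel_lookup(int id, int (*guard)(int))
{
    if (!guard(id))
        return NULL;
    return channels[id];
}

/* Memory "beyond that allocated for channels": modelled as one extra
 * pointer placed directly after the n real slots, so the buggy read is
 * observable without undefined behaviour. */
static Channel stale_neighbour = { 999 };

int setup_table(int n)
{
    channels = calloc((size_t)n + 1, sizeof *channels);
    if (channels == NULL)
        return -1;
    channels_alloc = n;                     /* table claims n slots */
    for (int i = 0; i < n; i++) {
        channels[i] = calloc(1, sizeof(Channel));
        if (channels[i] == NULL)
            return -1;
        channels[i]->self = i;
    }
    channels[n] = &stale_neighbour;         /* not part of the table */
    return 0;
}

/* Returns the channel's self id, or -1 when the guard rejects the index. */
int lookup_self(int id, int use_fixed)
{
    Channel *c = channel_lookup(id, use_fixed ? in_table_fixed : in_table_buggy);
    return c ? c->self : -1;
}
```

With a four-slot table, `lookup_self(4, 0)` returns the neighbour's value 999 while `lookup_self(4, 1)` returns -1; only the index one past the end differs between the two guards.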

III. Impact

An authorized remote user (i.e. a user that can successfully
authenticate on the target system) may be able to cause sshd to
execute arbitrary code with superuser privileges.

A malicious server may be able to cause a connecting ssh client to
execute arbitrary code with the privileges of the client user.

IV.  Workaround

Do one of the following:

1) The FreeBSD malloc implementation can be configured to overwrite
   or `junk' memory that is returned to the malloc arena.  Due to the
   details of exploiting this bug, configuring malloc to junk memory
   will thwart the attack.

   To configure a FreeBSD system to junk memory, execute the following
   commands as root:

   # ln -fs J /etc/malloc.conf

   Note that this option will degrade system performance.  See the
   malloc(3) man page for full details on malloc options.

2) Disable the base system sshd by executing the following command as
   root:

   # kill `cat /var/run/sshd.pid`

   Be sure that sshd is not restarted when the system is restarted
   by adding the following line to the end of /etc/rc.conf:

   sshd_enable="NO"

   AND

   Deinstall the openssh or openssh-portable ports if you have one of
   them installed.

V.   Solution

Do one of the following:

[For OpenSSH included in the base system]

1) Upgrade the vulnerable system to 4.4-RELEASEp9, 4.5-RELEASEp2,
   or 4.5-STABLE after the correction date and rebuild.

2) FreeBSD 4.x systems prior to the correction date:

The following patch has been verified to apply to FreeBSD 4.4-RELEASE,
4.5-RELEASE, and 4.5-STABLE dated prior to the correction date.  It
may or may not apply to older, unsupported versions of FreeBSD.

Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:13/openssh.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:13/openssh.patch.asc

Execute the following commands as root:

# cd /usr/src
# patch < /path/to/openssh.patch
# cd /usr/src/secure/lib/libssh
# make depend && make all
# cd /usr/src/secure/usr.sbin/sshd
# make depend && make all install
# cd /usr/src/secure/usr.bin/ssh
# make depend && make all install

[For the OpenSSH ports]

One of the following:

1) Upgrade your entire ports collection and rebuild the OpenSSH port.

2) Deinstall the old package and install a new package obtained from
the following directory:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/

[other platforms]
Packages are not automatically generated for other platforms at this
time due to lack of build resources.

3) Download a new port skeleton for the openssh or openssh-portable
port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/Latest/portcheckout.tgz

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in the FreeBSD ports collection.

Path                                                             Revision
  Branch
---------------------------------------------------------------------------
[Base system]
src/crypto/openssh/channels.c
  HEAD                                                                1.8
  RELENG_4                                                    1.1.1.1.2.6
  RELENG_4_5                                              1.1.1.1.2.5.2.1
  RELENG_4_4                                              1.1.1.1.2.4.4.1
src/crypto/openssh/version.h
  HEAD                                                               1.10
  RELENG_4                                                    1.1.1.1.2.8
  RELENG_4_5                                              1.1.1.1.2.7.2.1
  RELENG_4_4                                              1.1.1.1.2.5.2.2
src/sys/conf/newvers.sh
  RELENG_4_5                                                1.44.2.20.2.3
  RELENG_4_4                                                1.44.2.17.2.8

[Ports]
ports/security/openssh/Makefile                                      1.81
ports/security/openssh/files/patch-channels.c                         1.1
ports/security/openssh-portable/Makefile                             1.21
ports/security/openssh-portable/files/patch-channels.c                1.1
---------------------------------------------------------------------------

Branch                       Version string
---------------------------------------------------------------------------
HEAD                         OpenSSH_2.9 FreeBSD localisations 20020307
RELENG_4                     OpenSSH_2.9 FreeBSD localisations 20020307
RELENG_4_5                   OpenSSH_2.9 FreeBSD localisations 20020307
RELENG_4_4                   OpenSSH_2.3.0 FreeBSD localisations 20020307
---------------------------------------------------------------------------

To view the version string of the OpenSSH server, execute the
following command:

  % /usr/sbin/sshd -\?

The version string is also displayed when a client connects to the
server.

To view the version string of the OpenSSH client, execute the
following command:

  % /usr/bin/ssh -V

VII. References

<URL:http://www.pine.nl/advisories/pine-cert-20020301.txt>

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0083 to this issue.
  <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0083>

 
 








Copyright 2013, SecurityGlobal.net LLC