SecurityTracker.com
Category:   Application (Security)  >   OpenSSH
Vendors:   OpenSSH.org
OpenSSH Integer Overflow and Buffer Overflow May Allow Remote Users to Gain Root Access to the System
SecurityTracker Alert ID:  1004616
SecurityTracker URL:  http://securitytracker.com/id/1004616
CVE Reference:   CAN-2002-0639, CAN-2002-0640
Updated:  Jul 1 2002
Original Entry Date:  Jun 24 2002
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2.3.1 - 3.3
Description:   Two vulnerabilities were reported in the OpenSSH implementation of the Secure Shell (SSH) protocol. A remote user can obtain root access on the system in certain configurations.

ISS originally reported that a buffer overflow vulnerability exists within the "challenge-response" authentication mechanism in the OpenSSH daemon (sshd). It has since been clarified that there are two separate but related vulnerabilities that occur in processing challenge responses.

One vulnerability is an integer overflow in the processing of the number of responses received during challenge response authentication. If the server is configured for challenge response authentication *and* the system is using SKEY or BSD_AUTH authentication, the system may be vulnerable. A remote user can send a specially crafted reply to cause the daemon to crash or to execute arbitrary code with root privileges. This flaw is reported to be present in versions 2.9.9 through 3.3.

The other vulnerability is a buffer overflow in the processing of the number of responses received during challenge response authentication. If the server is using PAM modules that use interactive keyboard authentication (PAMAuthenticationViaKbdInt), the system may be vulnerable (however, this apparently has not been confirmed). This flaw is reported to be present in versions 2.3.1 through 3.3.

Impact:   A remote user can obtain root level access on the system, under certain system configurations.
Solution:   The vendor has released a fixed version (3.4), available at:

http://www.openssh.org/

As a workaround, administrators can disable ChallengeResponseAuthentication in sshd_config and disable PAMAuthenticationViaKbdInt in sshd_config.

The vendor also notes that users can prevent privilege escalation by enabling UsePrivilegeSeparation in sshd_config.
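
The following is an added example, not part of the original alert or of OpenSSH: a small audit that checks sshd_config text against the three settings named above. It relies on sshd using the first value it obtains for each keyword; the function names and sample configurations are constructed for illustration, and a directive that is absent is reported as "unset" rather than guessed, on the assumption that built-in defaults differ between releases.

```python
# Added example: audit sshd_config text against the workaround in this advisory.
# Desired values come from the advisory; names and samples are illustrative.
WANTED = {
    "ChallengeResponseAuthentication": "no",
    "PAMAuthenticationViaKbdInt": "no",
    "UsePrivilegeSeparation": "yes",
}

def effective_settings(config_text):
    """Map lowercased keyword -> value, honouring sshd's first-value-wins rule."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out directive: has no effect
        parts = line.replace("=", " ", 1).split()  # tolerate keyword=value
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].lower()
        seen.setdefault(key, value)  # later duplicates are ignored by sshd
    return seen

def audit(config_text):
    """Return [(directive, status, value)], status in ok / weak / unset."""
    eff = effective_settings(config_text)
    findings = []
    for name, want in WANTED.items():
        got = eff.get(name.lower())
        status = "unset" if got is None else ("ok" if got == want else "weak")
        findings.append((name, status, got))
    return findings

# Constructed sample inputs (not taken from any real host).
WEAK_CONFIG = """\
Port 22
ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
PAMAuthenticationViaKbdInt yes
#UsePrivilegeSeparation yes
"""

FIXED_CONFIG = """\
Port 22
challengeresponseauthentication no
PAMAuthenticationViaKbdInt no
UsePrivilegeSeparation yes
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        for name, status, value in audit(cfg):
            print(f"{label:5} {name:32} {status:5} {value}")
```

The weak sample shows two easy mistakes: a later "no" does not override an earlier "yes" for the same keyword, and a commented-out directive counts as unset.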

Vendor URL:  www.openssh.org/
Cause:   Boundary error, Input validation error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Issues Statement) Unspecified Vulnerability is Reported in OpenSSH That May Allow Remote Users to Gain Root Access to the System   (Theo de Raadt <deraadt@cvs.openbsd.org>)
The vendor has released a statement.
(Fix is Available; Also, ISS Issues Advisory With Details) Re: Unspecified Vulnerability is Reported in OpenSSH That May Allow Remote Users to Gain Root Access to the System   (X-Force <xforce@iss.net>)
ISS has provided details of the vulnerability. Also, a fix is now available.
(Sun Confirms Flaw and Issues Interim Statement) Re: OpenSSH Integer Overflow and Buffer Overflow May Allow Remote Users to Gain Root Access to the System   (Darren J Moffat <Darren.Moffat@Sun.COM>)
Sun confirms vulnerability and issues interim guidance while an official Sun security bulletin is prepared.
(Slackware Issues Fix) OpenSSH Integer Overflow and Buffer Overflow May Allow Remote Users to Gain Root Access to the System   (Slackware Security Team <security@slackware.com>)
Slackware has released a fix.
(Debian Issues Fix) OpenSSH Integer Overflow and Buffer Overflow May Allow Remote Users to Gain Root Access to the System   (Michael Stone <mstone@satie.debian.org>)
Debian has released a fix.
(Conectiva Issues Fix) OpenSSH Integer Overflow and Buffer Overflow May Allow Remote Users to Gain Root Access to the System   (secure@conectiva.com.br)
Conectiva has released a fix.
(NetBSD Issues Fix) Re: OpenSSH Integer Overflow and Buffer Overflow May Allow Remote Users to Gain Root Access to the System   (NetBSD Security Officer <security-officer@netbsd.org>)
NetBSD has issued a fix.
(SuSE Issues Fix) OpenSSH Integer Overflow and Buffer Overflow May Allow Remote Users to Gain Root Access to the System   (Roman Drahtmueller <draht@suse.de>)
SuSE has released a fix.
(Engarde Issues Fix) OpenSSH Integer Overflow and Buffer Overflow May Allow Remote Users to Gain Root Access to the System   (engarde-announce-admins@guardiandigital.com)
EnGarde has released a fix.
(Sun Issues Workaround) Re: OpenSSH Integer Overflow and Buffer Overflow May Allow Remote Users to Gain Root Access to the System
Sun has issued a workaround.
(Sun Issues Workaround for Cobalt RaQ 550) Re: OpenSSH Integer Overflow and Buffer Overflow May Allow Remote Users to Gain Root Access to the System
Sun has issued a workaround for Cobalt RaQ 550.
(Mandrake Issues Fix) OpenSSH Integer Overflow and Buffer Overflow May Allow Remote Users to Gain Root Access to the System   (Mandrake Linux Security Team <security@linux-mandrake.com>)
Mandrake has released a fix.
(HP Issues Workaround for HP-UX) OpenSSH Integer Overflow and Buffer Overflow May Allow Remote Users to Gain Root Access to the System   (support_feedback@us-support-mail.external.hp.com (IT Resource Center ))
HP has described a workaround.
(Apple Issues Fix) Re: OpenSSH Integer Overflow and Buffer Overflow May Allow Remote Users to Gain Root Access to the System
Apple issues fix for Mac OS X.
(FreeBSD Issues Fix) OpenSSH Integer Overflow and Buffer Overflow May Allow Remote Users to Gain Root Access to the System   (FreeBSD Security Advisories <security-advisories@FreeBSD.ORG>)
The vendor has released a fix.
(Fixed File May Be Trojaned) Re: OpenSSH Integer Overflow and Buffer Overflow May Allow Remote Users to Gain Root Access to the System   (Mikael Olsson <mikael.olsson@clavister.com>)
Some versions of OpenSSH may have been trojaned.
(HP Issues Fix) OpenSSH Integer Overflow and Buffer Overflow May Allow Remote Users to Gain Root Access to the System   (support_feedback@us-support-mail.external.hp.com (IT Resource Center ))
HP has released a revised fix.
Re: OpenSSH Integer Overflow and Buffer Overflow May Allow Remote Users to Gain Root Access to the System   (mmhs@hushmail.com)
The flaw still exists, according to the report. [Editor's note: Global InterSec Research has stated that this new report is a fake report.]



 Source Message Contents

Date:  Mon, 24 Jun 2002 23:56:04 +0200
Subject:  [SECURITY] [DSA-134-1] OpenSSH remote vulnerability


-----BEGIN PGP SIGNED MESSAGE-----

- ------------------------------------------------------------------------
Debian Security Advisory DSA-134-1                   security@debian.org
http://www.debian.org/security/                         Wichert Akkerman
June 24, 2002
- ------------------------------------------------------------------------


Package        : ssh
Problem type   : remote exploit
Debian-specific: no

Theo de Raadt announced that the OpenBSD team is working with ISS
on a remote exploit for OpenSSH (a free implementation of the
Secure SHell protocol). They are refusing to provide any details on
the vulnerability but instead are advising everyone to upgrade to
the latest release, version 3.3.

This version was released 3 days ago and introduced a new feature
to reduce the effect of exploits in the network handling code
called privilege separation.  Unfortunately this release has a few
known problems: compression does not work on all operating systems
since the code relies on specific mmap features, and the PAM
support has not been completed. There may be other problems as
well.

The new privilege separation support from Niels Provos changes ssh
to use a separate non-privileged process to handle most of the
work. This means any vulnerability in this part of OpenSSH can
never lead to a root compromise but only to access to a separate
account restricted to a chroot.

Theo made it very clear this new version does not fix the
vulnerability, instead by using the new privilege separation code
it merely reduces the risk since the attacker can only gain access
to a special account restricted in a chroot.

Since details of the problem have not been released we were forced
to move to the latest release of OpenSSH portable, version 3.3p1.

Due to the short time frame we have had we have not been able to
update the ssh package for Debian GNU/Linux 2.2 / potato yet.
Packages for the upcoming 3.0 release (woody) are available for
most architectures.

Please note that we have not had the time to do proper QA on these
packages; they might contain bugs or break things unexpectedly. If
you notice any such problems please file a bug-report so we can
investigate.

This package introduces a new account called `sshd' that is used in
the privilege separation code. If no sshd account exists the
package will try to create one. If the account already exists it
will be re-used. If you do not want this to happen you will have
to fix this manually. 


wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.


Debian GNU/Linux 2.2 alias potato
- ---------------------------------

  Potato was released for alpha, arm, i386, m68k, powerpc and sparc.

  Packages for potato are not available at the moment.


Debian GNU/Linux 3.0 alias woody
- ---------------------------------

  Woody will be released for alpha, arm, hppa, i386, ia64, m68k, mips,
  mipsel, powerpc, s390 and sparc. Packages for m68k are not yet
  available at this moment.


  Source archives:

    http://security.debian.org/pool/updates/main/o/openssh/openssh_3.3p1-0.0woody1.dsc
      Size/MD5 checksum:      751 2409524dc15e3de36ebfaa702c0311ea
    http://security.debian.org/pool/updates/main/o/openssh/openssh_3.3p1.orig.tar.gz
      Size/MD5 checksum:   831189 226fdde5498c56288e777c7a697996e0
    http://security.debian.org/pool/updates/main/o/openssh/openssh_3.3p1-0.0woody1.diff.gz
      Size/MD5 checksum:    33009 4850f4a167cb515cc20301288e751e27

  alpha architecture (DEC Alpha)

    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_alpha.deb
      Size/MD5 checksum:   844556 7ef1518babcb185b5ef61fde2bd881c5
    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_alpha.deb
      Size/MD5 checksum:    33422 ba9145a70719500ba56940e79e2cba02

  arm architecture (Arm)

    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_arm.deb
      Size/MD5 checksum:   653454 4b6553ed08622525c6f22e7dc488f7c6
    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_arm.deb
      Size/MD5 checksum:    32636 902f862c07059cdccb2ece3147f66282

  hppa architecture (HP PA RISC)

    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_hppa.deb
      Size/MD5 checksum:    33008 cdc5abf35a41df56be4780e251d203e8
    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_hppa.deb
      Size/MD5 checksum:   750862 d66d8707a30787b9995f9716fdd97811

  i386 architecture (Intel ia32)

    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_i386.deb
      Size/MD5 checksum:   637940 c3743ca590e7efd74cb97d5be98456be
    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_i386.deb
      Size/MD5 checksum:    32928 d8a53753324406f2d9a386451e02e40d

  ia64 architecture (Intel ia64)

    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_ia64.deb
      Size/MD5 checksum:    34374 a7f36c83b84a5d4ade7a8ee992ca92da
    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_ia64.deb
      Size/MD5 checksum:   998018 ff8346cfbcba7e156f825de86c440455

  mips architecture (SGI MIPS)

    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_mips.deb
      Size/MD5 checksum:    32926 afc0d38e2c49eb7ef8de86a935509af3
    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_mips.deb
      Size/MD5 checksum:   725414 22b6bc8d5fcfa09ba9391ed98ccf0851

  mipsel architecture (SGI MIPS (Little Endian))

    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_mipsel.deb
      Size/MD5 checksum:    32894 71bc788f883eb7caf3262fe8b685dfd3
    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_mipsel.deb
      Size/MD5 checksum:   722364 2ee3bfe9bdaa28b41dd6aaa6407e2fc6

  powerpc architecture (PowerPC)

    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_powerpc.deb
      Size/MD5 checksum:    32658 7f7fa405891087d0da0c54e0fd516d02
    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_powerpc.deb
      Size/MD5 checksum:   676954 4471019ed9c792bbaf6422394d7bb77c

  s390 architecture (IBM S/390)

    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_s390.deb
      Size/MD5 checksum:    33274 81ff83437d47fba8c62351e249e70a2d
    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_s390.deb
      Size/MD5 checksum:   666304 05666b9eb24bfb76bcd3c194912da912

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_3.3p1-0.0woody1_sparc.deb
      Size/MD5 checksum:    32720 8f03b2b054e9fcf47ad826802e1a0192
    http://security.debian.org/pool/updates/main/o/openssh/ssh_3.3p1-0.0woody1_sparc.deb
      Size/MD5 checksum:   681598 2d1413a153f3e51fafaaee9a8ad4682b


- -- 
- ----------------------------------------------------------------------------
apt-get: deb http://security.debian.org/ stable/updates main
dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQB1AwUBPReVa6jZR/ntlUftAQGccgL/VYOsHzwOSyRqgFSBY/F+cj2iRZGe2oSH
+DbW7mcRPw6ZrSXKWfmFD6dfz47AhYoGWYLiW2PxBGtZfiwyYFmPJnbJG0y/FQcJ
/M/hEvloW2Ce7wbMAqz/zKcI06Nf7jA0
=Q+XM
-----END PGP SIGNATURE-----



Copyright 2013, SecurityGlobal.net LLC