SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   OpenSSH Vendors:   OpenSSH.org
(Caldera Issues Fix for Caldera Linux) Re: OpenSSH Off-by-one 'Channels' Bug May Let Authorized Remote Users Execute Arbitrary Code with Root Privileges
SecurityTracker Alert ID:  1003925
SecurityTracker URL:  http://securitytracker.com/id/1003925
CVE Reference:   CVE-2002-0083   (Links to External Site)
Date:  Mar 29 2002
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 3.1
Description:   A remotely exploitable vulnerability has been reported in OpenSSH. An authorized remote user may be able to execute arbitrary code on the server with root privileges. Also, a server may be able to cause the ssh client to execute arbitrary code.

An off-by-one error has been reported in the OpenSSH code (channels.c) that manages multiplexed channels. A remote user may be able to reference a memory location beyond that allocated for channels.

It is reported that a valid and authorized remote user may be able to cause sshd to execute arbitrary code with superuser privileges. It is also reported that a remote ssh server may be able to execute arbitrary code on any ssh clients that connect to the server.

This bug was discovered by Joost Pol.

Impact:   A valid remote user may be able to cause arbitrary code to be executed with root privileges on the server. This appears to only be an issue if you have remote non-root users accessing your server.

A malicious ssh server may be able to cause arbitrary code to be executed on an OpenSSH client that connects to the server.

Solution:   The vendor has released a fix.

For OpenLinux 3.1 Server:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

The corresponding source code package can be found at:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

The verification checksum is:

f628846edca7e40cebf0174d4a02abb9 RPMS/openssh-2.9p2-5.i386.rpm

Upgrade the affected packages with the following commands:

rpm -Fvh openssh-2.9p2-5.i386.rpm


For OpenLinux 3.1 Workstation:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS

The corresponding source code package can be found at:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS

The verification checksum is:

f628846edca7e40cebf0174d4a02abb9 RPMS/openssh-2.9p2-5.i386.rpm

Upgrade the affected packages with the following commands:

rpm -Fvh openssh-2.9p2-5.i386.rpm


For OpenLinux 3.1.1 Server:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

The corresponding source code package can be found at:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS

The verification checksum is:

523a21268ec04feb84feaf8a8b41bb3c RPMS/openssh-2.9.9p2-3.i386.rpm

Upgrade the affected packages with the following commands:

rpm -Fvh openssh-2.9.9p2-3.i386.rpm


For OpenLinux 3.1.1 Workstation:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS

The corresponding source code package can be found at:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS

The verification checksum is:

523a21268ec04feb84feaf8a8b41bb3c RPMS/openssh-2.9.9p2-3.i386.rpm

Upgrade the affected packages with the following commands:

rpm -Fvh openssh-2.9.9p2-3.i386.rpm

Vendor URL:  www.openssh.org/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Caldera/SCO)

Message History:   This archive entry is a follow-up to the message listed below.
Mar 7 2002 OpenSSH Off-by-one 'Channels' Bug May Let Authorized Remote Users Execute Arbitrary Code with Root Privileges



 Source Message Contents

Subject:  Security Update: [CSSA-2002-012.0] Linux: OpenSSH channel code vulnerability


--EgVrEAR5UttbsTXg
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: 8bit            

To: bugtraq@securityfocus.com announce@lists.caldera.com security-alerts@linuxsecurity.com

______________________________________________________________________________
		   Caldera International, Inc.  Security Advisory

Subject:		Linux: OpenSSH channel code vulnerability
Advisory number: 	CSSA-2002-012.0
Issue date: 		2002, March 28
Cross reference:
______________________________________________________________________________


1. Problem Description

   A bug exists in the channel code of OpenSSH versions 2.0 though 3.0.2.
   Existing users can use this bug to gain root privileges. The ability
   to exploit this vulnerability without an existing user account has not
   yet been proven, but it is considered possible. A malicious ssh server
   could also use this bug to exploit a connecting vulnerable client.


2. Vulnerable Supported Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux Server 3.1          All packages previous to      
                                 openssh-2.9p2                 
   
   OpenLinux Workstation 3.1     All packages previous to      
                                 openssh-2.9p2                 
   
   OpenLinux Server 3.1.1        All packages previous to      
                                 openssh-2.9.9p2               
   
   OpenLinux Workstation         All packages previous to      
   3.1.1                         openssh-2.9.9p2               
   


3. Solution

   Workaround

     none

   The proper solution is to upgrade to the latest packages.


4. OpenLinux 3.1 Server

    4.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

   4.2 Verification

       f628846edca7e40cebf0174d4a02abb9  RPMS/openssh-2.9p2-5.i386.rpm
       
   4.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh openssh-2.9p2-5.i386.rpm
         

5. OpenLinux 3.1 Workstation

    5.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS

   5.2 Verification

       f628846edca7e40cebf0174d4a02abb9  RPMS/openssh-2.9p2-5.i386.rpm
       
   5.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh openssh-2.9p2-5.i386.rpm
         

6. OpenLinux 3.1.1 Server

    6.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS

   6.2 Verification

       523a21268ec04feb84feaf8a8b41bb3c  RPMS/openssh-2.9.9p2-3.i386.rpm
       
   6.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh openssh-2.9.9p2-3.i386.rpm
         

7. OpenLinux 3.1.1 Workstation

    7.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS

   7.2 Verification

       523a21268ec04feb84feaf8a8b41bb3c  RPMS/openssh-2.9.9p2-3.i386.rpm
       
   7.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh openssh-2.9.9p2-3.i386.rpm
         


8. References

   Specific references for this advisory:

	none


   Caldera OpenLinux security resources:

	http://www.caldera.com/support/security/index.html

   Caldera UNIX security resources:

	http://stage.caldera.com/support/security/



   This security fix closes Caldera incidents sr861333, fz520313,
   erg711982.


9. Disclaimer

   Caldera International, Inc. is   not responsible for the  misuse of
   any  of the information we provide  on  this website and/or through
   our security  advisories.  Our  advisories  are  a  service to  our
   customers  intended to  promote  secure  installation  and use   of
   Caldera International products.


10. Acknowledgements

   Joost Pol <joost@pine.nl> discovered and researched this vulnerability.
______________________________________________________________________________

--EgVrEAR5UttbsTXg
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjykxucACgkQbluZssSXDTEoQgCeLDNK8rwOMbsTXbkWFDTELBSj
5sEAoNTYsFidhlmjixORdQClbJmODc8l
=Mj7n
-----END PGP SIGNATURE-----

--EgVrEAR5UttbsTXg--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC