SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   OpenSSH Vendors:   OpenSSH.org
(OpenBSD Issues Revised Fix) OpenSSH buffer_append_space() Error May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1007729
SecurityTracker URL:  http://securitytracker.com/id/1007729
CVE Reference:   CVE-2003-0693, CVE-2003-0695, CVE-2003-0682   (Links to External Site)
Updated:  Dec 8 2003
Original Entry Date:  Sep 17 2003
Impact:   Execution of arbitrary code via network, Root access via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 3.7 and prior versions
Description:   Several buffer management vulnerabilities were reported in OpenSSH. A remote user may be able to execute arbitrary code on the target system.

It is reported that there are potentially exploitable buffer management errors in OpenSSH in the buffer_append_space(), buffer_init(), and buffer_free() functions in 'buffer.c'. A similiar flaw resides in 'channels.c', the report said. (CVE-2003-0693 and CVE-2003-0695). The flaws affect version 3.7 and prior versions. The vendor reports that it is not certain if these flaws are exploitable or not.

Solar Designer has reportedly identified four additional similar bugs as the result of a review of the OpenSSH 3.6.1p2 source code for potentially incorrect uses of *realloc(). According to Solar Designer, two of the bugs are in 'sshd'. Of those two bugs, one reportedly cannot be triggered in the current code, and the other occurs after the authentication process. Solar Designer believes that none of the four bugs should give an unauthenticated shell via sshd, not even in cases where 'privsep' is not used. CVE has assigned CVE-2003-0682 to these four bugs. These four bugs have *not* been fixed in version 3.7.1, but have been fixed in the OpenBSD CVS and will be included in the next release of OpenSSH. These four additional bugs are reportedly not considered to present a security risk.

Impact:   The report indicated that it is not known whether the flaws are exploitable. If exploitable, a remote user may be able to execute arbitrary code. The report did not indicate what privileges the code would execute with and whether or not privilege separation provides protection against possible root exploitation.
Solution:   OpenBSD has released a revised fix for both the 3.2 and 3.3 -stable branches to reflect OpenSSH version 3.7.1. A new patch is now available:

Patch for OpenBSD 3.2:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/017_sshbuffer.patch

Patch for OpenBSD 3.3:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/004_sshbuffer.patch

Vendor URL:  www.openssh.com/txt/buffer.adv (Links to External Site)
Cause:   Boundary error
Underlying OS:  UNIX (OpenBSD)
Underlying OS Comments:  3.2, 3.3

Message History:   This archive entry is a follow-up to the message listed below.
Sep 16 2003 OpenSSH buffer_append_space() and Other Buffer Management Errors May Let Remote Users Execute Arbitrary Code



 Source Message Contents

Subject:  Re: OpenSSH Security Advisory: buffer.adv


Both the 3.2 and 3.3 -stable branches have been updated to OpenSSH 3.7.1.
A new revision of the sshbuffer patch is now available that supercedes
the first version.

Patch for OpenBSD 3.2:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/017_sshbuffer.patch

Patch for OpenBSD 3.3:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/004_sshbuffer.patch

The new version of the patch begins with the following line:
    NOTE: this is the second revision of this patch



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC