Date: Mon, 6 Jan 2003 12:00:55 -0800 (PST)
From: twig les <twigles@yahoo.com>
To: Mike Tancsa <mike@sentex.net>, freebsd-security@freebsd.org
Subject: Re: Fwd: OPENSSH REMOTE ROOT COMPROMISE ALL VERSIONS
Message-ID: <20030106200055.85752.qmail@web10108.mail.yahoo.com>
In-Reply-To: <5.2.0.9.0.20030106130825.04a3e0f8@marble.sentex.ca>
I didn't see anything about a patch on the openssh.org site, but I may have missed it. Any word? Was the team even notified before the posting? (The posting has a gleeful tone about it.)

--- Mike Tancsa <mike@sentex.net> wrote:
> 
> FYI, for those not on bugtraq.
> 
> ---Mike
> 
> >Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
> >List-Id: <bugtraq.list-id.securityfocus.com>
> >List-Post: <mailto:bugtraq@securityfocus.com>
> >List-Help: <mailto:bugtraq-help@securityfocus.com>
> >List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
> >List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
> >Delivered-To: mailing list bugtraq@securityfocus.com
> >Delivered-To: moderator for bugtraq@securityfocus.com
> >Date: Sat, 4 Jan 2003 19:37:03 -0800
> >To: bugtraq@securityfocus.com
> >Subject: OPENSSH REMOTE ROOT COMPROMISE ALL VERSIONS
> >From: mmhs@hushmail.com
> >X-Spam-Status: No, hits=4.7 required=7.0
> > > tests=CASHCASHCASH,DISCLAIMER,KNOWN_MAILING_LIST,
> > > LINES_OF_YELLING,LINES_OF_YELLING_2,LINES_OF_YELLING_3,
> > > NO_REAL_NAME,PGP_SIGNATURE,SPAM_PHRASE_01_02,SUBJ_ALL_CAPS
> > version=2.43
> >X-Spam-Level: ****
> >X-Virus-Scanned: By Sentex Communications (avscan1/20020517)
> >
> >
> >-----BEGIN PGP SIGNED MESSAGE-----
> >
> >*********** OPENSSH REMOTE ROOT COMPROMISE ALL VERSIONS ***********
> >
> >MICKEY MOUSE HACKING SQUADRON ADVISORY #2
> >
> >DISCLAIMER
> >- ----------
> >
> >The nation's zeroth private security intelligence firm, Mickey Mouse
> >Hacking Squadron uniquely addresses the challenges faced by both public-
> >and private-sector organizations in protecting critical information
> >assets.
> >
> >Our intelligence is timely, delivered 24 x 7, 365 (*) days per year;
> >relevant, fully customizable, and actionable intelligence is only
> >valuable if it makes a difference.
> >
> >(*) in the case of a leap year, we of course provide a 24 x 7, 366 days
> >premier service.
> >
> >TECHNICAL BACKGROUND
> >- --------------------
> >
> >The following advisory is based on the excellent advisory published by
> >Global InterSec LLC *six months ago*:
> >
> >http://www.globalintersec.com/adv/openssh-2002062801.txt
> >
> >After more than six months of intensive underground research, our ISO
> >31337 certified security department evidenced that the bug (an integer
> >overflow, resulting in a heap overflow) described in the aforementioned
> >advisory still exists in OpenSSH 3.5p1 and 3.4p1, and remains trivially
> >exploitable. All existing PAM enabled versions of OpenSSH (3.5p1, 3.4p1
> >and below) are therefore affected.
> >
> >Due to various advisories posted to various fora by unnamed security
> >companies, this bug was supposed to be nonexistent or nonexploitable.
> >Fortunately, Global InterSec LLC shed some light on the whole affair and
> >revealed the malignant nature of the oversight to the world.
> >
> >Their results were applied to the latest OpenSSH versions by privately
> >trained Mickey Mouse Hacking Squadron security specialists and revealed
> >that the exploitation techniques developed by Global InterSec LLC are
> >still applicable to the newest OpenSSH.
> >
> >PROOF OF CONCEPT
> >- ----------------
> >
> >The following proof of concept is reproducing Global InterSec LLC
> >findings, enhanced with the patented research performed by Mickey Mouse
> >Hacking Squadron against OpenSSH 3.5p1.
> >
> >First of all, the OpenSSH 3.5p1 server has to be built (with PAM support
> >enabled):
> >
> >$ tar xzf openssh-3.5p1.tar.gz
> >$ cd openssh-3.5p1
> >$ configure --with-pam
> >[...]
> >$ make sshd
> >[...]
> >
> >Before the SSH server is actually executed, the sshd_config file should
> >be modified in order to enable PAM ("PAMAuthenticationViaKbdInt yes").
> >
> ># sshd
> >
> >In order to reveal the nature of the OpenSSH vulnerability, the next
> >step is to connect to the SSH server:
> >
> >$ ssh werewolf.research.mmhs.com
> >Password:
> >
> >Thanks to the "Password:" prompt, it is clear that PAM is actually
> >enabled (otherwise, the prompt would have been "user@host's password:").
> >This unique fingerprinting technique was investigated by Mickey Mouse
> >Hacking Squadron, and is already present in the latest version of the
> >Mickey Mouse Hacking Squadron award winning network vulnerability
> >assessment tool.
> >
> >After the previous command was executed, the freshly spawned sshd
> >process has to be examined with a debugger, in order to set the correct
> >breakpoints within the input_userauth_info_response_pam() function of
> >OpenSSH, as demonstrated in the Global InterSec LLC advisory:
> >
> ># gdb sshd 6552
> >(gdb) disassemble input_userauth_info_response_pam
> >[...]
> >0x80531bc <input_userauth_info_response_pam+192>:    push %esi
> >0x80531bd <input_userauth_info_response_pam+193>:    call 0x807306c <xfree>
> >[...]
> >(gdb) break *0x80531bd
> >Breakpoint 1 at 0x80531bd: file auth2-pam.c, line 158.
> >(gdb) continue
> >Continuing.
> >
> >Now that the buggy call to xfree() can be intercepted, the SSH client
> >should trigger the integer overflow and the resulting heap overflow:
> >
> >$ ssh werewolf.research.mmhs.com
> >Password: <type a thousand 'A' characters here and hit enter>
> >
> >After that, the xfree() breakpoint is reached, and the next call to
> >free() should therefore be intercepted in order to comply with the
> >technique developed by Global InterSec LLC:
> >
> >Breakpoint 1, 0x080531bd in input_userauth_info_response_pam (type=61,
> >    seqnr=7, ctxt=0x809c050) at auth2-pam.c:158
> >158             xfree(resp);
> >(gdb) disassemble xfree
> >[...]
> >0x807308e <xfree+34>:   call 0x804ba14 <free>
> >[...]
> >(gdb) break *0x807308e
> >Breakpoint 2 at 0x807308e: file xmalloc.c, line 55.
> >(gdb) continue
> >Continuing.
> >
> >Breakpoint 2, 0x0807308e in xfree (ptr=0x809dfb8) at xmalloc.c:55
> 
=== message truncated === 

=====
-----------------------------------------------------------
If you give a man a fish, he can eat for a day
If you bludgeon him to death, you can eat the fish yourself
-----------------------------------------------------------

__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030106200055.85752.qmail>
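The forwarded advisory attributes the problem to an integer overflow in the keyboard-interactive response handling that turns into a heap overflow. The following is an added C illustration of that bug class from the defender's side; it is not code from the advisory, from Global InterSec, or from OpenSSH's auth2-pam.c. It shows an untrusted 32-bit count multiplied by an element size, first with the wrapping computation and then with the overflow-checked version a reviewer would expect. The packet layout (a 4-byte big-endian count followed by the responses), the MAX_RESPONSES policy limit, and every function name are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration of the bug class the advisory names: an
 * untrusted 32-bit count multiplied by an element size to obtain an
 * allocation size. This is NOT OpenSSH's auth2-pam.c; the packet layout,
 * the helper names and the policy limit below are all assumptions. */

#define MAX_RESPONSES 100u   /* assumed policy bound on responses per packet */

/* The weak computation: the product is done in 32 bits (as it would be on
 * the i386 target shown in the advisory), so a large count wraps to a
 * small allocation while a loop that fills the array still runs `count`
 * times, writing past the end of the heap block. */
uint32_t naive_array_bytes(uint32_t count, uint32_t elem_size) {
    return count * elem_size;            /* unsigned wrap-around, no check */
}

/* The hardened computation: bound the count by policy and refuse any
 * product that would not fit the size type. Returns 0 on success. */
int checked_array_bytes(uint32_t count, size_t elem_size, size_t *out) {
    if (count == 0 || count > MAX_RESPONSES)
        return -1;                       /* reject absurd or empty counts */
    if (count > SIZE_MAX / elem_size)    /* elem_size > 0 for any real array */
        return -1;                       /* product would overflow size_t */
    *out = (size_t)count * elem_size;
    return 0;
}

/* Read a 4-byte big-endian count, the way SSH encodes uint32 fields. */
static int read_u32_be(const unsigned char *p, size_t len, uint32_t *v) {
    if (len < 4) return -1;
    *v = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
         ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    return 0;
}

/* Process a constructed "info response" packet: [count][responses...].
 * Returns the count if the hardened check accepts it, -1 if rejected. */
long accepted_response_count(const unsigned char *pkt, size_t len) {
    uint32_t count;
    size_t bytes;
    if (read_u32_be(pkt, len, &count) != 0) return -1;
    if (checked_array_bytes(count, sizeof(char *), &bytes) != 0) return -1;
    char **resp = malloc(bytes);         /* bytes == count * sizeof(char *) */
    if (resp == NULL) return -1;
    free(resp);
    return (long)count;
}

int main(void) {
    /* Constructed packets: a sane count of 3, and a count chosen so that
     * count * 4 (the i386 pointer size) wraps to 0 in 32-bit arithmetic. */
    const unsigned char sane[] = {0x00, 0x00, 0x00, 0x03};
    const unsigned char huge[] = {0x40, 0x00, 0x00, 0x00};
    printf("naive bytes for 0x40000000 x 4: %u\n",
           naive_array_bytes(0x40000000u, 4));
    printf("sane packet -> %ld\n", accepted_response_count(sane, sizeof sane));
    printf("huge packet -> %ld\n", accepted_response_count(huge, sizeof huge));
    return 0;
}
```

The point of the two functions side by side is that the dangerous value is the count itself, not the size of any single response: a policy bound on the count and a division-based overflow check before the multiplication remove the wrap regardless of the platform's pointer size.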
