From: twig les <twigles@yahoo.com>
Date: Mon, 6 Jan 2003 12:00:55 -0800 (PST)
Subject: Re: Fwd: OPENSSH REMOTE ROOT COMPROMISE ALL VERSIONS
To: Mike Tancsa, freebsd-security@freebsd.org
In-Reply-To: <5.2.0.9.0.20030106130825.04a3e0f8@marble.sentex.ca>
Message-ID: <20030106200055.85752.qmail@web10108.mail.yahoo.com>

I didn't see anything about a patch on the openssh.org site but I may
have missed it, any word? Was the team even notified before the posting
(posting has a gleeful tone about it)?

--- Mike Tancsa wrote:
>
> FYI, for those not on bugtraq.
>
> ---Mike
>
> >Date: Sat, 4 Jan 2003 19:37:03 -0800
> >To: bugtraq@securityfocus.com
> >Subject: OPENSSH REMOTE ROOT COMPROMISE ALL VERSIONS
> >From: mmhs@hushmail.com
> >
> >-----BEGIN PGP SIGNED MESSAGE-----
> >
> >*********** OPENSSH REMOTE ROOT COMPROMISE ALL VERSIONS ***********
> >
> >MICKEY MOUSE HACKING SQUADRON ADVISORY #2
> >
> >DISCLAIMER
> >- ----------
> >
> >The nation's zeroth private security intelligence firm, Mickey Mouse
> >Hacking Squadron uniquely addresses the challenges faced by both public-
> >and private-sector organizations in protecting critical information
> >assets.
> >
> >Our intelligence is timely, delivered 24 x 7, 365 (*) days per year;
> >relevant, fully customizable, and actionable intelligence is only
> >valuable if it makes a difference.
> >
> >(*) in the case of a leap year, we of course provide a 24 x 7, 366 days
> >premier service.
> >
> >TECHNICAL BACKGROUND
> >- --------------------
> >
> >The following advisory is based on the excellent advisory published by
> >Global InterSec LLC *six months ago*:
> >
> >http://www.globalintersec.com/adv/openssh-2002062801.txt
> >
> >After more than six months of intensive underground research, our ISO
> >31337 certified security department evidenced that the bug (an integer
> >overflow, resulting in a heap overflow) described in the aforementioned
> >advisory still exists in OpenSSH 3.5p1 and 3.4p1, and remains trivially
> >exploitable. All existing PAM enabled versions of OpenSSH (3.5p1, 3.4p1
> >and below) are therefore affected.
> >
> >Due to various advisories posted to various fora by unnamed security
> >companies, this bug was supposed to be nonexistent or nonexploitable.
> >Fortunately, Global InterSec LLC shed some light on the whole affair and
> >revealed the malignant nature of the oversight to the world.
> >
> >Their results were applied to the latest OpenSSH versions by privately
> >trained Mickey Mouse Hacking Squadron security specialists and revealed
> >that the exploitation techniques developed by Global InterSec LLC are
> >still applicable to the newest OpenSSH.
> >
> >PROOF OF CONCEPT
> >- ----------------
> >
> >The following proof of concept is reproducing Global InterSec LLC
> >findings, enhanced with the patented research performed by Mickey Mouse
> >Hacking Squadron against OpenSSH 3.5p1.
> >
> >First of all, the OpenSSH 3.5p1 server has to be built (with PAM support
> >enabled):
> >
> >$ tar xzf openssh-3.5p1.tar.gz
> >$ cd openssh-3.5p1
> >$ configure --with-pam
> >[...]
> >$ make sshd
> >[...]
> >
> >Before the SSH server is actually executed, the sshd_config file should
> >be modified in order to enable PAM ("PAMAuthenticationViaKbdInt yes").
> >
> ># sshd
> >
> >In order to reveal the nature of the OpenSSH vulnerability, the next
> >step is to connect to the SSH server:
> >
> >$ ssh werewolf.research.mmhs.com
> >Password:
> >
> >Thanks to the "Password:" prompt, it is clear that PAM is actually
> >enabled (otherwise, the prompt would have been "user@host's password:").
> >This unique fingerprinting technique was investigated by Mickey Mouse
> >Hacking Squadron, and is already present in the latest version of the
> >Mickey Mouse Hacking Squadron award winning network vulnerability
> >assessment tool.
> >
> >After the previous command was executed, the freshly spawned sshd
> >process has to be examined with a debugger, in order to set the correct
> >breakpoints within the input_userauth_info_response_pam() function of
> >OpenSSH, as demonstrated in the Global InterSec LLC advisory:
> >
> ># gdb sshd 6552
> >(gdb) disassemble input_userauth_info_response_pam
> >[...]
> >0x80531bc : push %esi
> >0x80531bd : call 0x807306c
> >[...]
> >(gdb) break *0x80531bd
> >Breakpoint 1 at 0x80531bd: file auth2-pam.c, line 158.
> >(gdb) continue
> >Continuing.
> >
> >Now that the buggy call to xfree() can be intercepted, the SSH client
> >should trigger the integer overflow and the resulting heap overflow:
> >
> >$ ssh werewolf.research.mmhs.com
> >Password: <hit enter>
> >
> >After that, the xfree() breakpoint is reached, and the next call to
> >free() should therefore be intercepted in order to comply with the
> >technique developed by Global InterSec LLC:
> >
> >Breakpoint 1, 0x080531bd in input_userauth_info_response_pam (type=61,
> >    seqnr=7, ctxt=0x809c050) at auth2-pam.c:158
> >158         xfree(resp);
> >(gdb) disassemble xfree
> >[...]
> >0x807308e : call 0x804ba14
> >[...]
> >(gdb) break *0x807308e
> >Breakpoint 2 at 0x807308e: file xmalloc.c, line 55.
> >(gdb) continue
> >Continuing.
> >
> >Breakpoint 2, 0x0807308e in xfree (ptr=0x809dfb8) at xmalloc.c:55

=== message truncated ===

=====
-----------------------------------------------------------
If you give a man a fish, he can eat for a day
If you bludgeon him to death, you can eat the fish yourself
-----------------------------------------------------------
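The bug class the forwarded advisory points at (a client-supplied 32-bit count multiplied into an allocation size so the product wraps and the heap block ends up far smaller than the loop that fills it) in an added C model beside a hardened sizing routine; this is not OpenSSH's own auth2-pam.c code, and the names `nresp`, `MAX_RESPONSES` and the cap of 100 are assumptions:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not OpenSSH code. Models the integer overflow behind the
 * heap overflow the advisory describes: a 32-bit response count taken from
 * the wire is multiplied by the pointer size to get an allocation size. On
 * the 32-bit i386 target of the debugger session above, the product wraps
 * modulo 2^32, the heap block is tiny, and the loop that stores one pointer
 * per response runs past its end. Names and the cap value are assumptions. */

#define PTR_SIZE_I386 4u    /* sizeof(char *) on the advisory's target */
#define MAX_RESPONSES 100u  /* assumed sane upper bound on prompts per round */

/* Bytes the unchecked code requests: nresp * sizeof(char *) computed in a
 * 32-bit size_t, so it silently wraps. */
uint32_t unchecked_alloc_bytes(uint32_t nresp) {
    return nresp * PTR_SIZE_I386;
}

/* 1 if the fill loop (nresp stores of PTR_SIZE_I386 bytes) would write past
 * the block unchecked_alloc_bytes() sized, i.e. the heap overflow occurs. */
int fill_loop_overruns(uint32_t nresp) {
    uint64_t needed = (uint64_t)nresp * PTR_SIZE_I386;
    return needed > unchecked_alloc_bytes(nresp);
}

/* Hardened sizing: reject counts above what the protocol can need, then
 * check the multiplication itself so the result holds for any pointer
 * width. Returns 0 and sets *bytes on success, -1 on a rejected count. */
int checked_alloc_bytes(uint32_t nresp, size_t elem, size_t *bytes) {
    if (nresp > MAX_RESPONSES) return -1;
    if (elem != 0 && (size_t)nresp > SIZE_MAX / elem) return -1;
    *bytes = (size_t)nresp * elem;
    return 0;
}

int main(void) {
    /* Constructed sample count: 2^30 + 1 makes 4 * nresp wrap to 4 bytes. */
    uint32_t nresp = 0x40000001u;
    size_t bytes = 0;
    printf("unchecked: nresp=%u -> %u bytes, loop overruns=%d\n",
           nresp, unchecked_alloc_bytes(nresp), fill_loop_overruns(nresp));
    printf("checked:   nresp=%u -> %s\n", nresp,
           checked_alloc_bytes(nresp, sizeof(char *), &bytes) ? "rejected" : "ok");
    return 0;
}
```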