From: Mike Tancsa <mike@sentex.net>
To: freebsd-security@freebsd.org
Date: Mon, 06 Jan 2003 13:09:44 -0500
Subject: Fwd: OPENSSH REMOTE ROOT COMPROMISE ALL VERSIONS

FYI, for those not on bugtraq.
---Mike

>Date: Sat, 4 Jan 2003 19:37:03 -0800
>To: bugtraq@securityfocus.com
>Subject: OPENSSH REMOTE ROOT COMPROMISE ALL VERSIONS
>From: mmhs@hushmail.com
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>*********** OPENSSH REMOTE ROOT COMPROMISE ALL VERSIONS ***********
>
>MICKEY MOUSE HACKING SQUADRON ADVISORY #2
>
>DISCLAIMER
>- ----------
>
>The nation's zeroth private security intelligence firm, Mickey Mouse
>Hacking Squadron uniquely addresses the challenges faced by both public-
>and private-sector organizations in protecting critical information
>assets.
>
>Our intelligence is timely, delivered 24 x 7, 365 (*) days per year;
>relevant, fully customizable, and actionable intelligence is only
>valuable if it makes a difference.
>
>(*) in the case of a leap year, we of course provide a 24 x 7, 366 days
>premier service.
>
>TECHNICAL BACKGROUND
>- --------------------
>
>The following advisory is based on the excellent advisory published by
>Global InterSec LLC *six months ago*:
>
>http://www.globalintersec.com/adv/openssh-2002062801.txt
>
>After more than six months of intensive underground research, our ISO
>31337 certified security department evidenced that the bug (an integer
>overflow, resulting in a heap overflow) described in the aforementioned
>advisory still exists in OpenSSH 3.5p1 and 3.4p1, and remains trivially
>exploitable.
>All existing PAM enabled versions of OpenSSH (3.5p1, 3.4p1 and below)
>are therefore affected.
>
>Due to various advisories posted to various fora by unnamed security
>companies, this bug was supposed to be nonexistent or nonexploitable.
>Fortunately, Global InterSec LLC shed some light on the whole affair and
>revealed the malignant nature of the oversight to the world.
>
>Their results were applied to the latest OpenSSH versions by privately
>trained Mickey Mouse Hacking Squadron security specialists and revealed
>that the exploitation techniques developed by Global InterSec LLC are
>still applicable to the newest OpenSSH.
>
>PROOF OF CONCEPT
>- ----------------
>
>The following proof of concept is reproducing Global InterSec LLC
>findings, enhanced with the patented research performed by Mickey Mouse
>Hacking Squadron against OpenSSH 3.5p1.
>
>First of all, the OpenSSH 3.5p1 server has to be built (with PAM support
>enabled):
>
>$ tar xzf openssh-3.5p1.tar.gz
>$ cd openssh-3.5p1
>$ ./configure --with-pam
>[...]
>$ make sshd
>[...]
>
>Before the SSH server is actually executed, the sshd_config file should
>be modified in order to enable PAM ("PAMAuthenticationViaKbdInt yes").
>
># sshd
>
>In order to reveal the nature of the OpenSSH vulnerability, the next
>step is to connect to the SSH server:
>
>$ ssh werewolf.research.mmhs.com
>Password:
>
>Thanks to the "Password:" prompt, it is clear that PAM is actually
>enabled (otherwise, the prompt would have been "user@host's password:").
>This unique fingerprinting technique was investigated by Mickey Mouse
>Hacking Squadron, and is already present in the latest version of the
>Mickey Mouse Hacking Squadron award winning network vulnerability
>assessment tool.
>
>After the previous command was executed, the freshly spawned sshd
>process has to be examined with a debugger, in order to set the correct
>breakpoints within the input_userauth_info_response_pam() function of
>OpenSSH, as demonstrated in the Global InterSec LLC advisory:
>
># gdb sshd 6552
>(gdb) disassemble input_userauth_info_response_pam
>[...]
>0x80531bc : push %esi
>0x80531bd : call 0x807306c
>[...]
>(gdb) break *0x80531bd
>Breakpoint 1 at 0x80531bd: file auth2-pam.c, line 158.
>(gdb) continue
>Continuing.
>
>Now that the buggy call to xfree() can be intercepted, the SSH client
>should trigger the integer overflow and the resulting heap overflow:
>
>$ ssh werewolf.research.mmhs.com
>Password:
>
>After that, the xfree() breakpoint is reached, and the next call to
>free() should therefore be intercepted in order to comply with the
>technique developed by Global InterSec LLC:
>
>Breakpoint 1, 0x080531bd in input_userauth_info_response_pam (type=61,
>    seqnr=7, ctxt=0x809c050) at auth2-pam.c:158
>158         xfree(resp);
>(gdb) disassemble xfree
>[...]
>0x807308e : call 0x804ba14
>[...]
>(gdb) break *0x807308e
>Breakpoint 2 at 0x807308e: file xmalloc.c, line 55.
>(gdb) continue
>Continuing.
>
>Breakpoint 2, 0x0807308e in xfree (ptr=0x809dfb8) at xmalloc.c:55
>55          free(ptr);
>(gdb) x /10x 0x809dfb8
>0x809dfb8:      0x41414141      0x41414141      0x41414141      0x41414141
>0x809dfc8:      0x41414141      0x41414141      0x41414141      0x41414141
>0x809dfd8:      0x41414141      0x41414141
>
>From here on, as demonstrated by Global InterSec LLC, exploitation
>becomes trivial. For more information on exploiting calls to free() see
>the excellent Phrack article "Once upon a free()" [2].
>
>WORK AROUND
>- -----------
>
>As mentioned in http://www.openssh.com/txt/preauth.adv, and as
>demonstrated by noir in http://www.phrack.org/phrack/60/p60-0x06.txt,
>"you can prevent privilege escalation if you enable
>UsePrivilegeSeparation in sshd_config."
>
>Love,
>
>- --
>Mickey Mouse Hacking Squadron
>-----BEGIN PGP SIGNATURE-----
>Version: Hush 2.2 (Java)
>Note: This signature can be verified at https://www.hushtools.com/verify
>
>wlkEARECABkFAj4XqFwSHG1taHNAaHVzaG1haWwuY29tAAoJEMZ9fu0iAPxbgYEAoL0W
>0oGQQvqwwZAGADonQ2TOUjNmAJ4zuUfANSpju97UjXdD65bkCy6M1A==
>=YvOU
>-----END PGP SIGNATURE-----

--------------------------------------------------------------------
Mike Tancsa,                                          tel +1 519 651 3400
Sentex Communications,                                mike@sentex.net
Providing Internet since 1994                        www.sentex.net
Cambridge, Ontario Canada                            www.sentex.net/mike
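Added example, not part of the forwarded advisory and not OpenSSH source: the advisory names the bug class (an integer overflow in input_userauth_info_response_pam() leading to a heap overflow) but shows no code, so the program below models the general shape of that class, a client-supplied response count multiplied by sizeof(char *) before the response array is allocated, next to a checked version. The pointer size is pinned to 4 bytes to mirror the 32-bit x86 process in the gdb session; that, the MAX_PROMPTS ceiling, the function names and the packet bodies are all constructed for illustration, not taken from OpenSSH.

```c
/* Added example; not OpenSSH source and not from the advisory above.
 * Models the "count * sizeof(char *)" allocation pattern behind the
 * auth2-pam.c integer overflow, with the 32-bit x86 target of the gdb
 * session modelled by fixing the pointer size at 4 bytes. */
#include <stdint.h>
#include <stdio.h>

#define PTR_SIZE    4u    /* sizeof(char *) on the advisory's 32-bit target (assumption) */
#define MAX_PROMPTS 100u  /* hypothetical upper bound on prompts per PAM conversation */

/* Constructed INFO_RESPONSE bodies (not captured traffic):
 * SSH uint32 count, big-endian, followed by the response strings. */
const unsigned char RESP_BENIGN[] = { 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x04, 'h','u','n','t' };
const unsigned char RESP_EVIL[]   = { 0x40,0x00,0x00,0x00 };   /* nresp = 0x40000000 */

static uint32_t get_u32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] <<  8) |  (uint32_t)p[3];
}

/* Vulnerable shape: trust the client's count, multiply, allocate.
 * 0x40000000 * 4 wraps to 0, so the allocation is tiny while the
 * loop that follows would still store 0x40000000 pointers into it. */
uint32_t naive_alloc_size(uint32_t nresp) {
    return nresp * PTR_SIZE;
}

/* Hardened shape: the count must equal the number of prompts the server
 * sent, stay under a sane ceiling, and never wrap when multiplied.
 * Returns the byte count to allocate, or 0 when the response is rejected
 * (a zero-answer response is rejected too, for simplicity). */
uint32_t safe_size(uint32_t nresp, uint32_t num_expected) {
    if (nresp == 0 || nresp != num_expected)  return 0;  /* wrong number of answers */
    if (nresp > MAX_PROMPTS)                  return 0;  /* defence in depth */
    if (nresp > UINT32_MAX / PTR_SIZE)        return 0;  /* product would overflow */
    return nresp * PTR_SIZE;
}

/* Parse the count from a packet body and size the response array safely. */
uint32_t handle_info_response(const unsigned char *pkt, size_t len, uint32_t num_expected) {
    if (len < 4) return 0;                    /* truncated body: no count to read */
    return safe_size(get_u32(pkt), num_expected);
}

int main(void) {
    printf("naive size for nresp=0x40000000: %u bytes\n",
           naive_alloc_size(get_u32(RESP_EVIL)));
    printf("benign response -> %u bytes\n",
           handle_info_response(RESP_BENIGN, sizeof RESP_BENIGN, 1));
    printf("evil response   -> %u bytes\n",
           handle_info_response(RESP_EVIL, sizeof RESP_EVIL, 1));
    return 0;
}
```

The check that matters most is the first one: the server already knows how many prompts it sent, so a count that disagrees is malformed input and can be dropped before any arithmetic happens. The overflow guard is kept as a second line of defence for the case where a ceiling is later raised or removed. Neither replaces the workaround the advisory cites; UsePrivilegeSeparation limits what a successful corruption of the unprivileged pre-auth child can reach rather than preventing the corruption.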