Global InterSec LLC http://www.globalintersec.com GIS Advisory ID: 2002062801 Title: OpenSSH kbd-interactive buffer overflow Changed: 07/03/2002 Author: research@globalintersec.com Reference: http://www.globalintersec.com/adv/openssh-2002062801.txt Summary: OpenSSH, a popular server utility that provides encrypted connections between hosts and is commonly used for administration and file transfer, contains a integer overflow, resulting in a heap overflow that could be exploited to execute arbitrary commands. Impact: A local user may be able to execute arbitrary commands as the user which the OpenSSH daemon is running as prior to authentication. This is normally root. Versions Tested To Be Vulnerable: OpenSSH versions prior to 3.4 Description: It is the current belief of many that exploiting the recently disclosed vulnerabilities in OpenSSH's challenge-response routines is reliant upon a system's use of BSD's authentication mechanisms and therefore restricts the platforms on which this vulnerability may be exploited. This is almost certainly due to various advisories posted to various fora by unnamed security companies. Although it is widely known that all systems running versions of OpenSSH prior to 3.4 are affected by this vulnerability, many vendors have deemed their platforms invulnerable to exploitation. In spite of this, our research has proven multiple platforms originally thought to be invulnerable to attack to be vulnerable. As reported by GOBBLES [1], systems running vulnerable binaries, built with --with-bsd-auth at compile time are vulnerable to attack via an integer overflow in the input_userauth_info_response() function. Conversely, under Linux and other platforms using a vulnerable version of OpenSSH compiled with --with-pam, the integer overflow lies in the function input_userauth_info_response_pam(). In both cases, the final heap based buffer overflow is a result of the integer overflow of unsigned int nresp, calculated from packet_get_int(), the return value of packet_get_int being a client controlled integer. Scope for attack: - Because of the nature of the vulnerability, exploitation is possible before a user has authenticated with the remote host. This would potentially allow an attacker to remotely execute arbitrary commands as the UID of the daemon process, PRIOR TO AUTHENTICATION. - To exploit the vulnerability described in the "Proof of concept" section of this advisory, the sshd binary must have been compiled with PAM support. Work Around: Global InterSec recommends the following settings be disabled within sshd's configuration. This is normally located at /etc/ssh/sshd_config PAMAuthenticationViaKBDInt no KbdInteractiveAuthentication no However, we strongly recommend that all vulnerable binaries are upgraded as soon as possible. (See vendor solutions.) Credit: All information contained within this advisory was independently researched by Global InterSec's vulnerability team. The original PUBLIC disclosure of this vulnerability was made by Internet Security Systems [3]. Vendor Solutions: Since the original disclosure by ISS [3], vendors have released their own advisories, with distribution specific fixes. A list of some of these follows. Mandrake Secure Linux: http://www.mandrakesecure.net/en/advisories/2002/MDKSA-2002-040-1.php SuSE Linix: http://www.suse.de/de/support/security/2002_024_openssh_txt.html EnGarde Secure Linux: http://www.linuxsecurity.com/advisories/other_advisory-2177.html Conectiva Linux: http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000502 Caldera Linux: ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-030.0.txt NetBSD: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-005 ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-005.txt.asc Redhat: http://rhn.redhat.com/errata/RHSA-2002-127.html Exploitation / Proof of concept: On certain distributions of linux, the evidence that this bug is exploitable may be more apparent than others due to the %edx register being overwritten. In either case, slightly more careful inspection confirms the possibility that this vulnerability could be exploited when compiled --with-pam. By examining an assembler dump of input_userauth_info_response_pam(), we can see that the (corrupted?) %edx has been loaded from 0x8080130, where 0x8080130 is the location of the context_pam2 structure. 0x80521f2 <input_userauth_info_response_pam+122>: mov 0x8080130,%edx Note: The above instruction to mov 0x8080130 into %edx occurs in preparation for the call to xfree() and after the call to wrapped strdup(); whilst the debugger back trace suggests that the xfree() [free()] was never called. By allocating specific break points through out input_userauth_info_response_pam() and into the call to free(), it becomes apparent that the call to free() could be exploited: Breakpoint 14, 0x0806c677 in xfree (ptr=0x808a380) at xmalloc.c:55 55 free(ptr); (gdb) print 0x808a380 $24 = 134783872 (gdb) x/10x 0x808a380 0x808a380: 0x41414141 0x41414141 0x41414141 0x41414141 0x808a390: 0x41414141 0x41414141 0x41414141 0x41414141 0x808a3a0: 0x41414141 0x41414141 From here on, exploitation becomes trivial. For more information on exploiting calls to free() see the excellent Phrack article "Once upon a free()" [2]. References: [1] GOBBLES Security - http://www.immunitysec.com/GOBBLES/exploits/sshutup-theo.tar.gz [2] Phrack Magazine - Once Upon a free() - http://www.phrack.com/show.php?p=57&a=9 [3] ISS - http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584 Legal: This advisory is the intellectual property of Global InterSec LLC but may be freely distributed with the conditions that: a) No fee is charged b) Appropriate credit is given. (c) Global InterSec LLC 2002
