-=[Advanced Information Security Corp]=- Author: Nicholas Lemonias Report Date: 2/4/2015 Email: lem.nikolas (at) gmail (dot) com Introduction ========== During a source-code audit of the OpenSSH v6.8 (latest) release implementation for linux; conducted internally by the Advanced Information Security Group, instances of insecure function use were observed, which could possibly lead to some attacks. Software Overview =============== OpenSSH, also known as OpenBSD Secure Shell, is a suite of security-related network-level utilities based on the SSH protocol, which help to secure network communications via the encryption of network traffic over multiple authentication methods and by providing secure tunneling capabilities. OpenSSH was designed as a free and open source alternative to the proprietary SSH implementation developed by Tatu Ylönen and offered by SSH Communications Security. OpenSSH is a project of the OpenBSD team. PoC 1 - Code Snippet [CWE-401] ============================== (...openssh6.8\openssh-6.8\packet.c:1271) int ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) { struct session_state *state = ssh->state; int len, r, ms_remain, cont; fd_set *setp; char buf[8192]; struct timeval timeout, start, *timeoutp = NULL; DBG(debug("packet_read()")); setp = (fd_set *)calloc(howmany(state->connection_in + 1, NFDBITS), sizeof(fd_mask)); if (setp == NULL) return SSH_ERR_ALLOC_FAIL; /* * Since we are blocking, ensure that all written packets have * been sent. */ if ((r = ssh_packet_write_wait(ssh)) != 0) return r; /* Stay in the loop until we have received a complete packet. */ for (;;) { /* Try to read a packet from the buffer. */ r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p); if (r != 0) break; if (!compat20 && ( *typep == SSH_SMSG_SUCCESS || *typep == SSH_SMSG_FAILURE || *typep == SSH_CMSG_EOF || *typep == SSH_CMSG_EXIT_CONFIRMATION)) if ((r = sshpkt_get_end(ssh)) != 0) break; /* If we got a packet, return it. */ if (*typep != SSH_MSG_NONE) break; /* * Otherwise, wait for some data to arrive, add it to the * buffer, and try again. */ memset(setp, 0, howmany(state->connection_in + 1, NFDBITS) * sizeof(fd_mask)); FD_SET(state->connection_in, setp); Description: Memory leak caused by variable setp. PoC 2 - Code Snippet [CWE-134] ================================ (...openssh6.8\openssh-6.8\hmac.c .c:155) if (memcmp(e, digest, elen)) { for (i = 0; i < elen; i++) printf("[%zd] %2.2x %2.2x\n", i, e[i], digest[i]); printf("mismatch\n"); } else printf("ok\n"); } Description: size_t is vulnerable to a format string. Appendices =========== Sincere Thanks to the OpenSSH team for their mutual efforts. References ========== [1] OpenBSD Group (2015) OpenSSH 6.8 COMMIT Messages, Available at: http://www.mindrot.org/openssh_snap/ChangeLog, Accessed: 4/2/2015.