Subject: Re: [cert] SSH Authentication Vulnerability
From: Ignacio Kadel-Garcia (raoul at AKAMAI.COM)
Date: Thu May 11 2000 - 07:41:19 CDT
- Next message: Paul D. Carlucci: "Re: Ipchains!"
- Previous message: TAKAGI, Hiromitsu: "Re: Reappearance of an old IE security bug"
- In reply to: John P. McNeely: "SSH Authentication Vulnerability"
- Reply: Ignacio Kadel-Garcia: "Re: [cert] SSH Authentication Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Wed, 10 May 2000, John P. McNeely wrote:
> Date: Wed, 10 May 2000 18:15:22 -0400
> From: John P. McNeely <jmcneely at SSES.NET>
> To: BUGTRAQ at SECURITYFOCUS.COM
> Subject: [cert] SSH Authentication Vulnerability
>
> Sword & Shield Enterprise Security, Inc. - Security Advisory
> www.sses.net, Copyright (c) 2000
>
> Advisory: Secure Shell Authentication Vulnerability
> Release Date: May 10, 2000
> Application: sshd
> Severity: High - A user (local or remote) can log into any account
> with a valid login shell.
> Status: Affected systems should install alternative version.
> Archive: The advisory sses-002-auth-vul.txt
> is available at ftp://ftp.sses.net/pub/security/advisories
GACK! This is scary.
> DESCRIPTION
> -----------
> The vulnerable ssh distribution is patched with defective logic
> related to PAM authentication. The offending code from the patch
> file ssh-1.2.27-pam.patch is:
>
> +#ifdef HAVE_PAM
> + {
> + retval = origretval;
> + pampasswd = xstrdup(password);
> + if (retval == PAM_SUCCESS)
> + retval = pam_authenticate ((pam_handle_t *)pamh, 0);
> + if (retval == PAM_SUCCESS || retval == PAM_AUTH_ERR)
> + retval = pam_acct_mgmt ((pam_handle_t *)pamh, 0);
> + xfree(pampasswd);
> + }
> +#else /* HAVE_PAM */
>
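Review bot: the second condition in this hunk, `+ if (retval == PAM_SUCCESS || retval == PAM_AUTH_ERR)`, lets a failed pam_authenticate() fall through to pam_acct_mgmt(), whose return value then replaces the PAM_AUTH_ERR; any caller that checks only the final retval therefore sees PAM_SUCCESS for a wrong password whenever account management succeeds. The condition should be `if (retval == PAM_SUCCESS)` so that the authentication failure is preserved and returned, and pam_acct_mgmt() is only consulted for a user who actually authenticated.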
> Note the last 'if' statement - in essence whether the pam_authenticate()
> call is successful or not, the pam_acct_mgmt() call is made overwriting
> the contents of retval. Assuming the pam_acct_mgmt() call is
> successful, and it tends to be, then the remaining patch code dealing
> with PAM authentication opens a session with:
In plainer English, it should read and reads in other ssh SRPM distributions:
+#ifdef HAVE_PAM
+ {
+ retval = origretval;
+ pampasswd = xstrdup(password);
+ if (retval == PAM_SUCCESS)
+ retval = pam_authenticate ((pam_handle_t *)pamh, 0);
+ if (retval == PAM_SUCCESS)
+ retval = pam_acct_mgmt ((pam_handle_t *)pamh, 0);
+ xfree(pampasswd);
+ }
+#else /* HAVE_PAM */
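Review bot: `+ pampasswd = xstrdup(password);` followed by `+ xfree(pampasswd);` releases a heap copy of the cleartext password without clearing it first, so the password remains in freed memory for as long as the allocator leaves it there; zeroing the buffer (for example with memset over strlen(pampasswd) bytes) before the xfree would be the usual practice. This applies equally to the version quoted from the advisory, since the two hunks differ only in the second `if`.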
This problem does not exist in the very nice Riggs distribution available
at:
ftp://ftp.linuxppc.org/contrib/sources/Applications/Internet/ssh-1.2.27-7a_i_riggs.src.rpm
ftp://ftp.linuxppc.org/contrib/sources/Applications/Internet/ssh-1.2.27-7a_us_riggs.src.rpm
I can recommend it: it's got a very useful patch for logging the tags
from the incoming SSH keys for easier logging of who the midnight root
user was on a shared system, and it's got a nice interactive session
performance patch for X-windows and terminal sessions (involving
TCPNODELAY settings).
I'm very concerned about how and when this modified
ssh-1.2.27-pam.patch was introduced into the ssh SRPM's. Just how far back
did it appear in SSH distributions for RedHat?
Nico Kadel-Garcia            Office: (617) 250-3693
Senior Systems Engineer      CellPhone: (617) 840-0199
                             Pager: (877) 680-3843
                             Email: raoul at akamai.com
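As an added illustration (not code from the advisory, the patch, or any ssh distribution), the following C harness reproduces the control flow of the two hunks above against stub PAM calls, so the effect of the defective condition can be observed directly; the stub functions, the constructed password "correct-horse", and the names authenticate_buggy()/authenticate_fixed() are assumptions of this example.

```c
/* Added example, not code from the advisory, the patch or any ssh distribution.
 * Stub PAM calls replace the real library: the constructed good password is
 * "correct-horse" and stub pam_acct_mgmt() always succeeds, as the advisory says
 * the real one tends to. authenticate_buggy()/authenticate_fixed() are hypothetical. */
#include <stdio.h>
#include <string.h>

#define PAM_SUCCESS  0
#define PAM_AUTH_ERR 7   /* same value as in Linux-PAM's headers */

static const char *pampasswd;   /* password as handed to PAM by the conversation function */

static int stub_pam_authenticate(void)
{
    return strcmp(pampasswd, "correct-horse") == 0 ? PAM_SUCCESS : PAM_AUTH_ERR;
}

static int stub_pam_acct_mgmt(void) { return PAM_SUCCESS; }   /* account valid, not expired */

/* Control flow of the defective hunk: a PAM_AUTH_ERR from pam_authenticate()
 * is replaced by whatever pam_acct_mgmt() returns. */
int authenticate_buggy(const char *password)
{
    int retval = PAM_SUCCESS;          /* origretval */
    pampasswd = password;
    if (retval == PAM_SUCCESS)
        retval = stub_pam_authenticate();
    if (retval == PAM_SUCCESS || retval == PAM_AUTH_ERR)   /* the defect */
        retval = stub_pam_acct_mgmt();
    return retval;
}

/* Same flow with the corrected condition: a failed authentication never
 * reaches pam_acct_mgmt() and is returned unchanged. */
int authenticate_fixed(const char *password)
{
    int retval = PAM_SUCCESS;
    pampasswd = password;
    if (retval == PAM_SUCCESS)
        retval = stub_pam_authenticate();
    if (retval == PAM_SUCCESS)
        retval = stub_pam_acct_mgmt();
    return retval;
}

int main(void)
{
    printf("buggy: %d  fixed: %d\n", authenticate_buggy("wrong"), authenticate_fixed("wrong"));
    return 0;
}
```

With a wrong password the buggy path returns PAM_SUCCESS (0) and the fixed path returns PAM_AUTH_ERR (7), which is the whole of the advisory's finding.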