From: Niels Provos (provos@citi.umich.edu)
Date: Sat Apr 20 2002 - 22:39:31 CDT


    A buffer overflow exists in OpenSSH's sshd if sshd has been compiled
    with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing
    has been enabled in the sshd_config file. Ticket and token passing
    is not enabled by default.

    1. Systems affected:

            All Versions of OpenSSH compiled with AFS/Kerberos support
            and ticket/token passing enabled contain a buffer overflow.

            Ticket/Token passing is disabled by default and available
            only in protocol version 1.

    2. Impact:

            Remote users may gain privileged access for OpenSSH < 2.9.9

            Local users may gain privileged access for OpenSSH < 3.3

            No privileged access is possible for OpenSSH with
            UsePrivsep enabled.

    3. Solution:

            Apply the following patch and replace radix.c with
            http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/radix.c?rev=1.18

    4. Credits:

            kurt@seifried.org for notifying the OpenSSH team.
            http://mantra.freeweb.hu/

    Appendix:

    Index: bufaux.c
    ===================================================================
    RCS file: /cvs/src/usr.bin/ssh/bufaux.c,v
    retrieving revision 1.24
    diff -u -r1.24 bufaux.c
    --- bufaux.c 26 Mar 2002 15:23:40 -0000 1.24
    +++ bufaux.c 19 Apr 2002 12:55:29 -0000
    -137,10 +137,18
             BN_bin2bn(bin, len, value);
             xfree(bin);
     }
    -
     /*
    - * Returns an integer from the buffer (4 bytes, msb first).
    + * Returns integers from the buffer (msb first).
      */
    +
    +u_short
    +buffer_get_short(Buffer *buffer)
    +{
    + u_char buf[2];
    + buffer_get(buffer, (char *) buf, 2);
    + return GET_16BIT(buf);
    +}
    +
     u_int
     buffer_get_int(Buffer *buffer)
     {
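    Review bot: buffer_get_short depends on GET_16BIT, which this diff neither defines nor includes; confirm bufaux.c already pulls in the header that provides the 16-bit get/put macros next to the 32-bit ones used by buffer_get_int, otherwise this hunk will not compile on its own. The function also reads a fixed 2 bytes via buffer_get, so its behaviour on a buffer with fewer than 2 bytes left is entirely whatever buffer_get does; worth stating in the comment. Minor: `u_char buf[2]` here versus `char buf[2]` in buffer_put_short in the next hunk, pick one type for both.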
    -158,8 +166,16
     }

     /*
    - * Stores an integer in the buffer in 4 bytes, msb first.
    + * Stores integers in the buffer, msb first.
      */
    +void
    +buffer_put_short(Buffer *buffer, u_short value)
    +{
    + char buf[2];
    + PUT_16BIT(buf, value);
    + buffer_append(buffer, buf, 2);
    +}
    +
     void
     buffer_put_int(Buffer *buffer, u_int value)
     {
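    Review bot: buffer_put_short takes a u_short, so any caller handing it a wider length (u_int, size_t) is silently narrowed to 16 bits with no diagnostic; the range check has to happen in the caller before the conversion, and the new comment "Stores integers in the buffer, msb first" should say so. Note that no caller is changed in this diff: the radix.c side arrives as a whole-file replacement (rev 1.18 per the Solution section), and these helpers alter nothing until it does, so the two should be reviewed and applied together.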
    Index: bufaux.h
    ===================================================================
    RCS file: /cvs/src/usr.bin/ssh/bufaux.h,v
    retrieving revision 1.17
    diff -u -r1.17 bufaux.h
    --- bufaux.h 18 Mar 2002 17:25:29 -0000 1.17
    +++ bufaux.h 19 Apr 2002 12:55:56 -0000
    -23,6 +23,9
     void buffer_get_bignum(Buffer *, BIGNUM *);
     void buffer_get_bignum2(Buffer *, BIGNUM *);

    +u_short buffer_get_short(Buffer *);
    +void buffer_put_short(Buffer *, u_short);
    +
     u_int buffer_get_int(Buffer *);
     void buffer_put_int(Buffer *, u_int);