OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: FreeBSD Security Advisories (security-advisoriesfreebsd.org)
Date: Thu Mar 07 2002 - 08:59:50 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----

    =============================================================================
    FreeBSD-SA-02:13 Security Advisory
                                                                    FreeBSD, Inc.

    Topic: OpenSSH contains exploitable off-by-one bug

    Category: core, ports
    Module: openssh, ports_openssh, openssh-portable
    Announced: 2002-03-07
    Credits: Joost Pol <joostpine.nl>
    Affects: FreeBSD 4.4-RELEASE, 4.5-RELEASE
                    FreeBSD 4.5-STABLE prior to the correction date
                    openssh port prior to openssh-3.0.2_1
                    openssh-portable port prior to openssh-portable-3.0.2p1_1
    Corrected: 2002-03-06 13:57:54 UTC (RELENG_4)
                    2002-03-07 14:40:56 UTC (RELENG_4_5)
                    2002-03-07 14:40:07 UTC (RELENG_4_4)
                    2002-03-06 13:53:38 UTC (ports/security/openssh)
                    2002-03-06 13:53:39 UTC (ports/security/openssh-portable)
    CVE: CAN-2002-0083
    FreeBSD only: NO

    I. Background

    OpenSSH is a free version of the SSH protocol suite of network
    connectivity tools. OpenSSH encrypts all traffic (including
    passwords) to effectively eliminate eavesdropping, connection
    hijacking, and other network-level attacks. Additionally, OpenSSH
    provides a myriad of secure tunneling capabilities, as well as a
    variety of authentication methods. `ssh' is the client application,
    while `sshd' is the server.

    II. Problem Description

    OpenSSH multiplexes `channels' over a single TCP connection in order
    to implement X11, TCP, and agent forwarding. An off-by-one error in
    the code which manages channels can result in a reference to memory
    beyond that allocated for channels. A malicious client or server may
    be able to influence the contents of the memory so referenced.

    III. Impact

    An authorized remote user (i.e. a user that can successfully
    authenticate on the target system) may be able to cause sshd to
    execute arbitrary code with superuser privileges.

    A malicious server may be able to cause a connecting ssh client to
    execute arbitrary code with the privileges of the client user.

    IV. Workaround

    Do one of the following:

    1) The FreeBSD malloc implementation can be configured to overwrite
       or `junk' memory that is returned to the malloc arena. Due to the
       details of exploiting this bug, configuring malloc to junk memory
       will thwart the attack.

       To configure a FreeBSD system to junk memory, execute the following
       commands as root:

       # ln -fs J /etc/malloc.conf

       Note that this option will degrade system performance. See the
       malloc(3) man page for full details on malloc options.

    2) Disable the base system sshd by executing the following command as
       root:

       # kill `cat /var/run/sshd.pid`

       Be sure that sshd is not restarted when the system is restarted
       by adding the following line to the end of /etc/rc.conf:

       sshd_enable="NO"

       AND

       Deinstall the openssh or openssh-portable ports if you have one of
       them installed.

    V. Solution

    Do one of the following:

    [For OpenSSH included in the base system]

    1) Upgrade the vulnerable system to 4.4-RELEASEp9, 4.5-RELEASEp2,
       or 4.5-STABLE after the correction date and rebuild.

    2) FreeBSD 4.x systems prior to the correction date:

    The following patch has been verified to apply to FreeBSD 4.4-RELEASE,
    4.5-RELEASE, and 4.5-STABLE dated prior to the correction date. It
    may or may not apply to older, unsupported versions of FreeBSD.

    Download the patch and the detached PGP signature from the following
    locations, and verify the signature using your PGP utility.

    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:13/openssh.patch
    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:13/openssh.patch.asc

    Execute the following commands as root:

    # cd /usr/src
    # patch < /path/to/sshd.patch
    # cd /usr/src/secure/lib/libssh
    # make depend && make all
    # cd /usr/src/secure/usr.sbin/sshd
    # make depend && make all install
    # cd /usr/src/secure/usr.bin/ssh
    # make depend && make all install

    [For the OpenSSH ports]

    One of the following:

    1) Upgrade your entire ports collection and rebuild the OpenSSH port.

    2) Deinstall the old package and install a new package obtained from
    the following directory:

    [i386]
    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/

    [other platforms]
    Packages are not automatically generated for other platforms at this
    time due to lack of build resources.

    3) Download a new port skeleton for the openssh or openssh-portable
    port from:

    http://www.freebsd.org/ports/

    and use it to rebuild the port.

    4) Use the portcheckout utility to automate option (3) above. The
    portcheckout port is available in /usr/ports/devel/portcheckout or the
    package can be obtained from:

    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz
    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/Latest/portcheckout.tgz

    VI. Correction details

    The following list contains the revision numbers of each file that was
    corrected in the FreeBSD ports collection.

    Path Revision
      Branch
    - -------------------------------------------------------------------------
    [Base system]
    src/crypto/openssh/channels.c
      HEAD 1.8
      RELENG_4 1.1.1.1.2.6
      RELENG_4_5 1.1.1.1.2.5.2.1
      RELENG_4_4 1.1.1.1.2.4.4.1
    src/crypto/openssh/version.h
      HEAD 1.10
      RELENG_4 1.1.1.1.2.8
      RELENG_4_5 1.1.1.1.2.7.2.1
      RELENG_4_4 1.1.1.1.2.5.2.2
    src/sys/conf/newvers.sh
      RELENG_4_5 1.44.2.20.2.3
      RELENG_4_4 1.44.2.17.2.8

    [Ports]
    ports/security/openssh/Makefile 1.81
    ports/security/openssh/files/patch-channels.c 1.1
    ports/security/openssh-portable/Makefile 1.21
    ports/security/openssh-portable/files/patch-channels.c 1.1
    - -------------------------------------------------------------------------

    Branch Version string
    - -------------------------------------------------------------------------
    HEAD OpenSSH_2.9 FreeBSD localisations 20020307
    RELENG_4 OpenSSH_2.9 FreeBSD localisations 20020307
    RELENG_4_5 OpenSSH_2.9 FreeBSD localisations 20020307
    RELENG_4_4 OpenSSH_2.3.0 FreeBSD localisations 20020307
    - -------------------------------------------------------------------------

    To view the version string of the OpenSSH server, execute the
    following command:

      % /usr/sbin/sshd -\?

    The version string is also displayed when a client connects to the
    server.

    To view the version string of the OpenSSH client, execute the
    following command:

      % /usr/bin/ssh -V

    VII. References

    <URL:http://www.pine.nl/advisories/pine-cert-20020301.txt>

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CAN-2002-0083 to this issue.
      <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0083>
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (FreeBSD)
    Comment: For info see http://www.gnupg.org

    iQCVAwUBPId+x1UuHi5z0oilAQGvpAP+NDgcpdZAo8aB2ptAbbS7h3MzJULCnPlN
    BqnQ+AylR8HTcPt7XduF6Sh8KSpu75Y5uCJcrNvAoF2jmnH3DFa79GY4hEj7VvCl
    DiAzN3bwcTFBAPWSNaCXK6odyqCjumMOL3drgtibuMHZuQSKn5ZOvNKquVSXuaY+
    86MXQwGukUU=
    =csOr
    -----END PGP SIGNATURE-----

    To Unsubscribe: send mail to majordomoFreeBSD.org
    with "unsubscribe freebsd-security" in the body of the message