[TriLUG] Fwd: [openssh-unix-announce] OpenSSH Security Advisory (adv.iss)

Mike Johnson mike at enoch.org
Wed Jun 26 11:30:34 EDT 2002 

*sigh*  They released early...

Mike
----- Forwarded message from Markus Friedl <markus at openbsd.org> -----

> Date: Wed, 26 Jun 2002 16:42:09 +0200
> From: Markus Friedl <markus at openbsd.org>
> Reply-To: openssh at openssh.com
> To: openssh-unix-announce at mindrot.org
> Delivered-To: mike at enoch.org
> Subject: [openssh-unix-announce] OpenSSH Security Advisory (adv.iss)
> User-Agent: Mutt/1.3.28i
> Errors-To: openssh-unix-announce-admin at mindrot.org
> X-BeenThere: openssh-unix-announce at mindrot.org
> X-Mailman-Version: 2.0.8
> Precedence: bulk
> List-Help: <mailto:openssh-unix-announce-request at mindrot.org?subject=help>
> List-Post: <mailto:openssh-unix-announce at mindrot.org>
> List-Subscribe: <http://www.mindrot.org/mailman/listinfo/openssh-unix-announce>,
> 	<mailto:openssh-unix-announce-request at mindrot.org?subject=subscribe>
> List-Id: Announcements of OpenSSH releases <openssh-unix-announce.mindrot.org>
> List-Unsubscribe: <http://www.mindrot.org/mailman/listinfo/openssh-unix-announce>,
> 	<mailto:openssh-unix-announce-request at mindrot.org?subject=unsubscribe>
> List-Archive: <http://www.mindrot.org/pipermail/openssh-unix-announce/>
> X-Sorted: Bulk
> 
> 1. Versions affected:
> 
>         All versions of OpenSSH's sshd between 2.9.9 and 3.3
>         contain an input validation error that can result in
>         an integer overflow and privilege escalation.
> 
>         OpenSSH 3.4 and later are not affected.
> 
>         OpenSSH 3.2 and later prevent privilege escalation
>         if UsePrivilegeSeparation is enabled in sshd_config.
>         OpenSSH 3.3 enables UsePrivilegeSeparation by
>         default.
> 
>         Although OpenSSH 2.9 and earlier are not affected
>         upgrading to OpenSSH 3.4 is recommended, because
>         OpenSSH 3.4 adds checks for a class of potential bugs.
> 
> 2. Impact:
> 
>         This bug can be exploited remotely if
>         ChallengeResponseAuthentication is enabled in sshd_config.
> 
> 	Affected are at least systems supporting
> 	s/key over SSH protocol version 2 (OpenBSD, FreeBSD
> 	and NetBSD as well as other systems supporting
> 	s/key with SSH).  Exploitablitly of systems
> 	using PAM in combination has not been verified.
> 
> 3. Short-Term Solution:
> 	
>         Disable ChallengeResponseAuthentication in sshd_config.
> 
> 	or
> 
>         Enable UsePrivilegeSeparation in sshd_config.
> 
> 4. Solution:
> 
> 	Upgrade to OpenSSH 3.4 or apply the following patches.
> 
> 5. Credits:
> 
> 	ISS.
> 
> Appendix:
> 
> A:
> 
> Index: auth2-chall.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v
> retrieving revision 1.18
> diff -u -r1.18 auth2-chall.c
> --- auth2-chall.c	19 Jun 2002 00:27:55 -0000	1.18
> +++ auth2-chall.c	26 Jun 2002 09:37:03 -0000
> @@ -256,6 +256,8 @@
>  
>  	authctxt->postponed = 0;	/* reset */
>  	nresp = packet_get_int();
> +	if (nresp > 100)
> +		fatal("input_userauth_info_response: nresp too big %u", nresp);
>  	if (nresp > 0) {
>  		response = xmalloc(nresp * sizeof(char*));
>  		for (i = 0; i < nresp; i++)
> 
> B:
> 
> Index: auth2-pam.c
> ===================================================================
> RCS file: /var/cvs/openssh/auth2-pam.c,v
> retrieving revision 1.12
> diff -u -r1.12 auth2-pam.c
> --- auth2-pam.c	22 Jan 2002 12:43:13 -0000	1.12
> +++ auth2-pam.c	26 Jun 2002 10:12:31 -0000
> @@ -140,6 +140,15 @@
>  	nresp = packet_get_int();	/* Number of responses. */
>  	debug("got %d responses", nresp);
>  
> +
> +	if (nresp != context_pam2.num_expected)
> +		fatal("%s: Received incorrect number of responses "
> +		    "(expected %u, received %u)", __func__, nresp,
> +		    context_pam2.num_expected);
> +
> +	if (nresp > 100)
> +		fatal("%s: too many replies", __func__);
> +
>  	for (i = 0; i < nresp; i++) {
>  		int j = context_pam2.prompts[i];
>  
> _______________________________________________
> openssh-unix-announce at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-announce

----- End forwarded message -----

-- 
"Let the power of Ponch compel you!  Let the power of Ponch compel you!"
   -- Zorak on Space Ghost

GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF  C821 89C4 DF9A 5DDD 95D1
GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 230 bytes
Desc: not available
URL: <http://www.trilug.org/pipermail/trilug/attachments/20020626/1b76d3ba/attachment.pgp>

More information about the TriLUG mailing list