OpenSSH security vulnerability

dexter1
Moderator
Posts: 2743
Joined: Thu Feb 20, 2003 6:57 am
Location: Zoetermeer, The Netherlands

Post by dexter1 » Tue Sep 16, 2003 2:44 pm

This one I just received:

http://www.openssh.org/txt/buffer.adv

Note the date: 16th of September, so that makes it today.

This looks to be a severe remote buffer overflow in all OpenSSH versions prior to 3.7, so get your goggles on and start patching now. An OpenBSD exploit has been sighted in the wild, so do it quickly.
Just when I thought that I had finished all the rpc(ss)/Blaster stuff from billgatessoft. Argh.

And it's my birthday today. Some gift huh?

vegac
Posts: 745
Joined: Thu Jan 23, 2003 11:34 am

Post by vegac » Tue Sep 16, 2003 7:11 pm

One of the beauties of running non-x86 hardware is that at least it'll take 'em a few more days to get MIPS shellcode up and working to exploit us, giving us a little more time to patch? :)

Or in my case I just block port 22 from the world :P

semi-fly
Posts: 786
Joined: Fri Feb 21, 2003 5:29 am
Location: Ypsitucky, MI

Post by semi-fly » Tue Sep 16, 2003 7:13 pm

Well, happy birthday at least.. :)

nekonoko
Site Admin
Posts: 8145
Joined: Thu Jan 23, 2003 1:31 am
Location: Pleasanton, California

Re: OpenSSH security vulnerability

Post by nekonoko » Wed Sep 17, 2003 12:02 am

dexter1 wrote:
This one I just received:

http://www.openssh.org/txt/buffer.adv

Note the date: 16th of September, so that makes it today.

This looks to be a severe remote buffer overflow in all OpenSSH versions prior to 3.7, so get your goggles on and start patching now. An OpenBSD exploit has been sighted in the wild, so do it quickly.
Just when I thought that I had finished all the rpc(ss)/Blaster stuff from billgatessoft. Argh.

And it's my birthday today. Some gift huh?

Happy Birthday!

I couldn't get 3.7 to work under IRIX - sessions just auto-close during the connection process. Using the -v flag didn't reveal why this was happening. I'll just use the console for now, I guess :-)
Twitter: @neko_no_ko
IRIX Release 4.0.5 IP12 Version 06151813 System V
Copyright 1987-1992 Silicon Graphics, Inc.
All Rights Reserved.

dexter1
Moderator
Posts: 2743
Joined: Thu Feb 20, 2003 6:57 am
Location: Zoetermeer, The Netherlands

Post by dexter1 » Wed Sep 17, 2003 12:51 am

Thanks!

I'm attempting various flavours of OpenSSL/OpenSSH combos to see which one works. Note that there was an update to the original security bulletin and that the version number has now been bumped to 3.7.1.

Like Ving Rhames (Marcellus) in Pulp Fiction: "Relax, I'm on the motherf*cker..."

dexter1
Moderator
Posts: 2743
Joined: Thu Feb 20, 2003 6:57 am
Location: Zoetermeer, The Netherlands

Post by dexter1 » Wed Sep 17, 2003 3:03 am

The best I can come up with is to get openssh-3.6.1p2 and patch it using the stuff in the OpenSSH advisory. I have used EGD with the May 2003 beta OpenSSL 0.9.6j and this seems to work fine on a 6.5.16m O200. I will also try an openssh 3.6.1p2 with the August OpenSSL 0.9.6j on a 6.5.19m O2 with /dev/random later today.

3.7.1 totally bombs on me. Even with Privilege Separation off and Compression off, the sshd child just quits when a successful login is achieved. There seems to be something wrong with the ENV code, because the latter has been overhauled/expanded in 3.7.

My systems are almost OK now, so I can take a rest and wait until the proper OpenSSH 3.7 stuff appears on freeware.

nekonoko
Site Admin
Posts: 8145
Joined: Thu Jan 23, 2003 1:31 am
Location: Pleasanton, California

Post by nekonoko » Wed Sep 17, 2003 3:49 am

dexter1 wrote:
The best I can come up with is to get openssh-3.6.1p2 and patch it using the stuff in the OpenSSH advisory. I have used EGD with the May 2003 beta OpenSSL 0.9.6j and this seems to work fine on a 6.5.16m O200. I will also try an openssh 3.6.1p2 with the August OpenSSL 0.9.6j on a 6.5.19m O2 with /dev/random later today.

3.7.1 totally bombs on me. Even with Privilege Separation off and Compression off, the sshd child just quits when a successful login is achieved. There seems to be something wrong with the ENV code, because the latter has been overhauled/expanded in 3.7.

My systems are almost OK now, so I can take a rest and wait until the proper OpenSSH 3.7 stuff appears on freeware.

Yep, this is what I'm experiencing as well - the sshd child just drops off during connect.

Another thing I noticed is that openbsd-compat/inet_ntoa.h is missing in 3.7.x - had to copy that header over from 3.6 in order to build it at all.

Very frustrating; looks like the security update essentially forced an untested beta into the wild :(

I just turned the whole thing off for now and will wait and see what SGI does.

martijn
Posts: 8
Joined: Tue Aug 12, 2003 6:57 am
Location: Rotterdam - The Netherlands

Post by martijn » Thu Sep 18, 2003 1:32 am

Hi,

Try compiling with uidswap.c from openssh 3.6p1.
Gr, Martijn

nekonoko
Site Admin
Posts: 8145
Joined: Thu Jan 23, 2003 1:31 am
Location: Pleasanton, California

Post by nekonoko » Thu Sep 18, 2003 8:56 am

Ah, that worked. Thanks! :)

nekonoko
Site Admin
Posts: 8145
Joined: Thu Jan 23, 2003 1:31 am
Location: Pleasanton, California

Post by nekonoko » Tue Sep 23, 2003 3:06 pm

Got another one:

http://www.securityfocus.com/archive/121/338617
http://www.securityfocus.com/archive/121/338616

Fortunately 3.7.1p2 compiles cleanly on IRIX this time:

* Fix compilation problems on systems with a missing or lacking inet_ntoa() function.

* Workaround problems related to unimplemented or broken setresuid/setreuid functions on several platforms.
Happy updating!

dexter1
Moderator
Posts: 2743
Joined: Thu Feb 20, 2003 6:57 am
Location: Zoetermeer, The Netherlands

Post by dexter1 » Tue Sep 23, 2003 4:44 pm

Neko, try using scp on an IRIX box with the OpenSSH 3.7.1p2 server installed. Instant bomb :(

Also one cannot even run sshd in debug mode. I always get a bus error.

Seems I'm going to have to be happy with 3.6.1p2 patched for a while...

nvukovlj
Posts: 356
Joined: Mon Jun 09, 2003 8:27 am
Location: London, UK

Post by nvukovlj » Tue Oct 14, 2003 6:44 pm

dexter1 wrote:
Neko, try using scp on an IRIX box with the OpenSSH 3.7.1p2 server installed. Instant bomb :(

Also one cannot even run sshd in debug mode. I always get a bus error.

Seems I'm going to have to be happy with 3.6.1p2 patched for a while...

Has anyone got the latest (3.7.1p2) to work?
Running sshd leads to a core dump... SIGTRAP raised...

nekonoko
Site Admin
Posts: 8145
Joined: Thu Jan 23, 2003 1:31 am
Location: Pleasanton, California

Post by nekonoko » Tue Oct 14, 2003 7:17 pm

It's working okay for me - here's a -v transaction snippet from one of my machines connecting to IRIX 3.7.1p2 sshd:

debug1: Remote protocol version 1.99, remote software version OpenSSH_3.7.1p2
debug1: match: OpenSSH_3.7.1p2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
dexter1 mentioned a problem with scp, but that's not something I use so I haven't tested it.
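The ssh -v line quoted in the post above carries the server's own version string, which is the quickest way to inventory which hosts still run a pre-3.7.1 OpenSSH after an advisory like this one. The script below is an added example written for this page; it is not code from the thread or from the OpenSSH project. It parses the OpenSSH version out of either an ssh -v debug line or a raw SSH-x.y-OpenSSH_... identification string and flags anything below 3.7.1 (the threshold from the updated advisory the thread mentions). Only the first sample line is the one quoted in the thread; the other entries and the host names are constructed for illustration. The caveat the thread itself demonstrates is built in: a banner check cannot see a backported fix such as dexter1's patched 3.6.1p2, so hosts known to carry a backport are reported separately rather than silently marked fixed.

```python
import re

# Threshold from the updated advisory referenced in the thread: OpenSSH 3.7.1
# is the first upstream release with the buffer-management fix.
FIXED_VERSION = (3, 7, 1)

# Matches "OpenSSH_3.7.1p2", "OpenSSH_3.4", ... wherever it appears, so the same
# regex works on an "ssh -v" debug line and on a raw "SSH-1.99-OpenSSH_3.7.1p2"
# identification string read from the socket.
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")

# Constructed sample inventory (host, banner-or-debug-line). The first line is
# the one quoted in the thread; the remaining entries are made up.
SAMPLE_ENTRIES = [
    ("irix-o2", "debug1: Remote protocol version 1.99, remote software version OpenSSH_3.7.1p2"),
    ("irix-o200", "SSH-1.99-OpenSSH_3.6.1p2"),
    ("box-c", "debug1: Remote protocol version 2.0, remote software version OpenSSH_3.7"),
    ("box-d", "SSH-2.0-OpenSSH_3.4"),
    ("box-e", "SSH-2.0-some-other-server-1.0"),
]


def parse_openssh_version(line):
    """Return (major, minor, patch, portable_release) or None if no OpenSSH banner.

    A missing patch level ("3.7") is treated as 0; the portable "pN" suffix is
    kept separately because it is a packaging revision, not an upstream version.
    """
    m = _VERSION_RE.search(line)
    if m is None:
        return None
    major, minor, patch, portable = m.groups()
    return (int(major), int(minor), int(patch or 0), int(portable) if portable else None)


def is_vulnerable_by_banner(version):
    """True when the upstream version is below FIXED_VERSION.

    The portable suffix is ignored on purpose: 3.6.1p2 and 3.6.1p1 are equally
    affected, because the fix lives in the upstream release number.
    """
    return version[:3] < FIXED_VERSION


def assess(entries, backported_hosts=frozenset()):
    """Classify each (host, line) pair.

    Returns a list of (host, version_text, status) where status is one of
    'fixed', 'vulnerable-by-banner', 'backport-claimed' or 'not-openssh'.
    'backport-claimed' marks hosts whose banner is old but which an operator
    has recorded as carrying the advisory patch; they still need a manual check.
    """
    report = []
    for host, line in entries:
        v = parse_openssh_version(line)
        if v is None:
            report.append((host, None, "not-openssh"))
            continue
        version_text = f"{v[0]}.{v[1]}.{v[2]}" + (f"p{v[3]}" if v[3] is not None else "")
        if not is_vulnerable_by_banner(v):
            status = "fixed"
        elif host in backported_hosts:
            status = "backport-claimed"
        else:
            status = "vulnerable-by-banner"
        report.append((host, version_text, status))
    return report


if __name__ == "__main__":
    # irix-o200 is the constructed stand-in for a 3.6.1p2 patched by hand.
    for host, version_text, status in assess(SAMPLE_ENTRIES, backported_hosts={"irix-o200"}):
        print(f"{host:10} {str(version_text):10} {status}")
```

Feeding this from a real inventory means collecting the identification string from each host (a plain TCP read of the first line on port 22 returns it) and keeping the backport list under version control alongside the inventory, so that a host patched by hand is never mistaken for a forgotten one.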

nekonoko
Site Admin
Posts: 8145
Joined: Thu Jan 23, 2003 1:31 am
Location: Pleasanton, California

Post by nekonoko » Sat Oct 25, 2003 6:13 pm

SGI release here:

http://freeware.sgi.com/Installable/ope ... 7.1p2.html

Apparently this has been available since the 26th of September, but was only announced in comp.sys.sgi.announce :roll:

nvukovlj
Posts: 356
Joined: Mon Jun 09, 2003 8:27 am
Location: London, UK

Post by nvukovlj » Sun Oct 26, 2003 10:39 am

Yeah, I downloaded it because you have to have it for half the freeware software...
That's one thing that is starting to get out of hand with freeware - prereqs...

I got 3.7.1p2 to compile and run OK though. When I mentioned the problem I had, it was because I had compiled it on IRIX 6.5.17 and tried to run it on 6.5.5.
Running things on pre-6.5.10 is a definite no-no...

Kept my own version on the machine I compiled this for (after upgrading that machine to 6.5.17) as it was compiled against latest OpenSSL...

Nik.