From provos at citi.umich.edu Sun Apr 21 13:39:31 2002
From: provos at citi.umich.edu (Niels Provos)
Date: Sat, 20 Apr 2002 23:39:31 -0400
Subject: [openssh-unix-announce] OpenSSH Security Advisory (adv.token)
Message-ID: <20020421033931.GZ5594@citi.citi.umich.edu>

A buffer overflow exists in OpenSSH's sshd if sshd has been compiled with
Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing has been
enabled in the sshd_config file. Ticket and token passing are not enabled
by default.

1. Systems affected:

   All versions of OpenSSH compiled with AFS/Kerberos support and
   ticket/token passing enabled contain a buffer overflow.
   Ticket/token passing is disabled by default and available only in
   protocol version 1.

2. Impact:

   Remote users may gain privileged access for OpenSSH < 2.9.9.
   Local users may gain privileged access for OpenSSH < 3.3.
   No privileged access is possible for OpenSSH with UsePrivsep enabled.

3. Solution:

   Apply the following patch and replace radix.c with
   http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/radix.c?rev=1.18

4. Credits:

   kurt at seifried.org for notifying the OpenSSH team.
   http://mantra.freeweb.hu/

Appendix:

Index: bufaux.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/bufaux.c,v retrieving revision 1.24 diff -u -r1.24 bufaux.c --- bufaux.c 26 Mar 2002 15:23:40 -0000 1.24 +++ bufaux.c 19 Apr 2002 12:55:29 -0000 @@ -137,10 +137,18 @@ BN_bin2bn(bin, len, value); xfree(bin); } - /* - * Returns an integer from the buffer (4 bytes, msb first). + * Returns integers from the buffer (msb first). */ + +u_short +buffer_get_short(Buffer *buffer) +{ + u_char buf[2]; + buffer_get(buffer, (char *) buf, 2); + return GET_16BIT(buf); +} + u_int buffer_get_int(Buffer *buffer) {
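Review bot: buffer_get_short is only a new accessor; neither this hunk nor the rest of the patch touches the code that actually overflows, so the advisory's other step, replacing radix.c with rev 1.18, is an essential part of the fix and should be stated next to the patch, not only in the prose above it. Minor style point: this reader declares `u_char buf[2]` while buffer_put_short in the next hunk declares `char buf[2]`; use the same type in both.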
@@ -158,8 +166,16 @@ } /* - * Stores an integer in the buffer in 4 bytes, msb first. + * Stores integers in the buffer, msb first. */ +void +buffer_put_short(Buffer *buffer, u_short value) +{ + char buf[2]; + PUT_16BIT(buf, value); + buffer_append(buffer, buf, 2); +} + void buffer_put_int(Buffer *buffer, u_int value) { Index: bufaux.h =================================================================== RCS file: /cvs/src/usr.bin/ssh/bufaux.h,v retrieving revision 1.17 diff -u -r1.17 bufaux.h --- bufaux.h 18 Mar 2002 17:25:29 -0000 1.17 +++ bufaux.h 19 Apr 2002 12:55:56 -0000 @@ -23,6 +23,9 @@ void buffer_get_bignum(Buffer *, BIGNUM *); void buffer_get_bignum2(Buffer *, BIGNUM *); +u_short buffer_get_short(Buffer *); +void buffer_put_short(Buffer *, u_short); + u_int buffer_get_int(Buffer *); void buffer_put_int(Buffer *, u_int);

From markus at openbsd.org Fri Apr 26 21:59:56 2002
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 26 Apr 2002 13:59:56 +0200
Subject: [openssh-unix-announce] Revised OpenSSH Security Advisory (adv.token)
Message-ID: <20020426115956.GA13133@folly>

This is the second revision of the advisory.

Buffer overflow in OpenSSH's sshd if AFS has been configured on the system
or if KerberosTgtPassing or AFSTokenPassing has been enabled in the
sshd_config file. Ticket and token passing are not enabled by default.

1. Systems affected:

   All versions of OpenSSH with AFS/Kerberos token passing compiled in and
   enabled (either in the system or in sshd_config) contain a buffer
   overflow. Token passing is disabled by default and only available in
   protocol version 1.

2. Impact:

   Remote users can get privileged access for OpenSSH < 2.9.9.
   Local users can get privileged access for OpenSSH < 3.2.1.
   No privileged access is possible for OpenSSH with
   UsePrivilegeSeparation enabled.

3. Solution:

   Apply the matching patch:

   ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-3.1-adv.token.patch
   ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.1p1-adv.token.patch
   ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/024_sshafs.patch
   ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/019_sshafs.patch
   ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/001_sshafs.patch

4. Credits:

   Marcell Fodor
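The advisories above report a buffer overflow in sshd's ticket/token passing code, and the accompanying patch adds 16-bit get/put helpers to sshd's Buffer type. As an added illustration (not OpenSSH code and not part of the patch), the C sketch below shows the defensive shape such a reader needs: a hypothetical `struct cursor` with a big-endian 16-bit read in the style of GET_16BIT that first checks that two bytes remain, and a length-prefixed field copy that rejects any length larger than the destination or than the bytes actually present.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Read cursor over a received message (hypothetical; not OpenSSH's Buffer). */
struct cursor {
    const uint8_t *p;   /* start of message */
    size_t len;         /* bytes available */
    size_t off;         /* bytes consumed so far */
};

/* Big-endian 16-bit read, as GET_16BIT in the patch, but only after checking
 * that two bytes actually remain. Returns 1 on success, 0 on short input. */
int cursor_get_u16(struct cursor *c, uint16_t *out)
{
    if (c->len - c->off < 2)
        return 0;
    *out = (uint16_t)(((uint16_t)c->p[c->off] << 8) | c->p[c->off + 1]);
    c->off += 2;
    return 1;
}

/* Copy a 16-bit length-prefixed field into a fixed-size destination. The
 * length comes from the peer, so it is checked against the destination
 * capacity and against the bytes actually present before any memcpy.
 * Returns the field length, or -1 if the field is short, truncated or too big. */
int cursor_get_field(struct cursor *c, uint8_t *dst, size_t dstcap)
{
    uint16_t n;
    if (!cursor_get_u16(c, &n))
        return -1;
    if (n > dstcap || c->len - c->off < n)
        return -1;
    memcpy(dst, c->p + c->off, n);
    c->off += n;
    return (int)n;
}

/* Constructed samples. The first is well formed (3-byte field); the second
 * claims 256 bytes while carrying 3, aimed at a 64-byte destination. */
int demo_field(int oversized)
{
    static const uint8_t good[] = { 0x00, 0x03, 'a', 'b', 'c' };
    static const uint8_t bad[]  = { 0x01, 0x00, 'a', 'b', 'c' };
    struct cursor c = { oversized ? bad : good, sizeof good, 0 };
    uint8_t dst[64];
    return cursor_get_field(&c, dst, sizeof dst);   /* 3, or -1 when rejected */
}
```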