OpenSSH Security Advisory (adv.token)

Niels Provos provos at citi.umich.edu
Sun Apr 21 13:39:31 EST 2002


A buffer overflow exists in OpenSSH's sshd if sshd has been compiled
with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing
has been enabled in the sshd_config file.  Ticket and token passing
is not enabled by default.

1. Systems affected:

        All versions of OpenSSH compiled with AFS/Kerberos support
        and with ticket/token passing enabled contain the buffer
        overflow.

        Ticket/token passing is disabled by default and is available
        only in protocol version 1, so an sshd configured to accept
        only protocol 2 (Protocol 2) does not reach the affected code.

2. Impact:

        Remote users may gain privileged access for OpenSSH < 2.9.9

        Local users (those who can already authenticate to the server)
        may gain privileged access for OpenSSH < 3.3

        No privileged access is possible for OpenSSH running with
        privilege separation enabled (UsePrivilegeSeparation yes),
        since the affected code then runs in the unprivileged child
        process rather than in the root sshd.

3. Solution:

        Apply the patch in the appendix, which adds the 16-bit buffer
        accessors buffer_get_short() and buffer_put_short() to bufaux.c
        and bufaux.h, and replace radix.c with revision 1.18 from the
        OpenBSD tree:
        http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/radix.c?rev=1.18
        The bufaux patch only supplies helpers for the new radix.c; on
        its own it does not remove the overflow, so both steps are
        required.
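
As an added illustration, not code from OpenSSH or from this advisory: a
minimal bounds-checked reader with the kind of 16-bit accessors the patch
introduces, used by a decoder for a length-prefixed credential record. The
record layout, the field names and the size limits are assumptions of this
example, not the format sshd exchanges; the point is that every length field
is checked against both the fixed destination and the bytes still available
before anything is copied, so a hostile length fails closed instead of
overflowing a fixed-size buffer.

```c
/* Added example (not OpenSSH code). Record layout is assumed:
 *   [u16 princ_len][princ bytes][u16 ticket_len][ticket bytes]   big-endian */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GET_16BIT(p)    ((uint16_t)(((uint16_t)(p)[0] << 8) | (p)[1]))
#define PUT_16BIT(p, v) do { (p)[0] = (uint8_t)((v) >> 8); (p)[1] = (uint8_t)(v); } while (0)

#define MAX_PRINC  64    /* assumed limit for a principal name */
#define MAX_TICKET 256   /* assumed limit for an opaque ticket blob */

typedef struct { const uint8_t *data; size_t len; size_t off; } reader_t;

/* Copies n bytes out of the reader; refuses (returns -1) if fewer remain. */
static int reader_get(reader_t *r, uint8_t *out, size_t n) {
    if (n > r->len - r->off) return -1;
    memcpy(out, r->data + r->off, n);
    r->off += n;
    return 0;
}

/* Big-endian 16-bit read, built on the checked reader_get. */
static int reader_get_short(reader_t *r, uint16_t *v) {
    uint8_t b[2];
    if (reader_get(r, b, 2) < 0) return -1;
    *v = GET_16BIT(b);
    return 0;
}

typedef struct {
    char     princ[MAX_PRINC + 1];
    uint8_t  ticket[MAX_TICKET];
    uint16_t ticket_len;
} cred_t;

/* Decodes one record. Returns 0 on success, -1 on any malformed input:
 * a length above the destination limit, a length beyond the remaining
 * input, or trailing bytes after the last field. */
int decode_cred(const uint8_t *in, size_t in_len, cred_t *out) {
    reader_t r = { in, in_len, 0 };
    uint16_t n;

    if (reader_get_short(&r, &n) < 0 || n > MAX_PRINC) return -1;
    if (reader_get(&r, (uint8_t *)out->princ, n) < 0) return -1;
    out->princ[n] = '\0';

    if (reader_get_short(&r, &n) < 0 || n > MAX_TICKET) return -1;
    if (reader_get(&r, out->ticket, n) < 0) return -1;
    out->ticket_len = n;

    return r.off == in_len ? 0 : -1;
}

/* Encoder for the same assumed layout; returns bytes written, 0 if the
 * fields exceed their limits or the output buffer. */
size_t encode_cred(const char *princ, const uint8_t *ticket, uint16_t ticket_len,
                   uint8_t *out, size_t out_len) {
    size_t plen = strlen(princ);
    if (plen > MAX_PRINC || ticket_len > MAX_TICKET) return 0;
    if (2 + plen + 2 + ticket_len > out_len) return 0;
    PUT_16BIT(out, (uint16_t)plen);
    memcpy(out + 2, princ, plen);
    PUT_16BIT(out + 2 + plen, ticket_len);
    memcpy(out + 4 + plen, ticket, ticket_len);
    return 4 + plen + ticket_len;
}

/* Encodes a constructed sample record, drops `drop` trailing bytes, and
 * decodes it. Returns 0 if the decode succeeds and round-trips, -1 if the
 * decoder rejected the input, -2 on a field mismatch or encoder failure. */
int decode_constructed(size_t drop) {
    static const char    princ[]  = "alice@EXAMPLE.ORG";           /* constructed */
    static const uint8_t ticket[] = { 0x01, 0x02, 0x03, 0x04 };    /* constructed */
    uint8_t wire[512];
    cred_t c;
    size_t n = encode_cred(princ, ticket, (uint16_t)sizeof ticket, wire, sizeof wire);
    if (n == 0 || drop > n) return -2;
    if (decode_cred(wire, n - drop, &c) < 0) return -1;
    if (strcmp(c.princ, princ) != 0 || c.ticket_len != sizeof ticket ||
        memcmp(c.ticket, ticket, sizeof ticket) != 0) return -2;
    return 0;
}

/* Two constructed hostile records: one claims a 0xFFFF-byte principal, the
 * other claims 32 bytes when only 4 follow. Returns 1 if both are rejected. */
int hostile_rejected(void) {
    static const uint8_t oversize[]  = { 0xff, 0xff, 'r', 'o', 'o', 't' };
    static const uint8_t truncated[] = { 0x00, 0x20, 'r', 'o', 'o', 't' };
    cred_t c;
    return decode_cred(oversize, sizeof oversize, &c) == -1 &&
           decode_cred(truncated, sizeof truncated, &c) == -1;
}

int main(void) {
    printf("well-formed: %d (0 = ok), truncated: %d (-1 = rejected), hostile rejected: %d\n",
           decode_constructed(0), decode_constructed(1), hostile_rejected());
    return 0;
}
```

The decoder never trusts a length it has not compared against both the
destination size and the reader's remaining bytes, and it rejects trailing
data so that a record cannot smuggle extra fields past the parser.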

4. Credits:

        kurt at seifried.org for notifying the OpenSSH team.
        http://mantra.freeweb.hu/

Appendix:

Index: bufaux.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/bufaux.c,v
retrieving revision 1.24
diff -u -r1.24 bufaux.c
--- bufaux.c	26 Mar 2002 15:23:40 -0000	1.24
+++ bufaux.c	19 Apr 2002 12:55:29 -0000
@@ -137,10 +137,18 @@
 	BN_bin2bn(bin, len, value);
 	xfree(bin);
 }
-
 /*
- * Returns an integer from the buffer (4 bytes, msb first).
+ * Returns integers from the buffer (msb first).
  */
+
+u_short
+buffer_get_short(Buffer *buffer)
+{
+	u_char buf[2];
+	buffer_get(buffer, (char *) buf, 2);
+	return GET_16BIT(buf);
+}
+
 u_int
 buffer_get_int(Buffer *buffer)
 {
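Review bot: buffer_get_short declares buf as u_char and then casts it to (char *) for buffer_get, while buffer_put_short in the next hunk uses a plain char buf[2]; pick one type for both accessors so the cast disappears. The hunk also moves the blank line from before the comment to after its closing `*/`, which now separates "Returns integers from the buffer" from buffer_get_short; drop the added blank line and keep the original one so the comment sits directly above the first function it describes. Since the new accessor performs no length check of its own, a one-line comment stating that underflow handling is left to buffer_get would help readers.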
@@ -158,8 +166,16 @@
 }

 /*
- * Stores an integer in the buffer in 4 bytes, msb first.
+ * Stores integers in the buffer, msb first.
  */
+void
+buffer_put_short(Buffer *buffer, u_short value)
+{
+	char buf[2];
+	PUT_16BIT(buf, value);
+	buffer_append(buffer, buf, 2);
+}
+
 void
 buffer_put_int(Buffer *buffer, u_int value)
 {
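Review bot: no blank line separates the closing `*/` from `void buffer_put_short`, unlike the first hunk where one was inserted after the comment; make the two additions consistent. `char buf[2]` here versus `u_char buf[2]` in buffer_get_short: use u_char in both, since the PUT_16BIT/GET_16BIT pair operates on octet values and the unsigned type avoids sign questions on the stored bytes.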
Index: bufaux.h
===================================================================
RCS file: /cvs/src/usr.bin/ssh/bufaux.h,v
retrieving revision 1.17
diff -u -r1.17 bufaux.h
--- bufaux.h	18 Mar 2002 17:25:29 -0000	1.17
+++ bufaux.h	19 Apr 2002 12:55:56 -0000
@@ -23,6 +23,9 @@
 void	buffer_get_bignum(Buffer *, BIGNUM *);
 void	buffer_get_bignum2(Buffer *, BIGNUM *);

+u_short	buffer_get_short(Buffer *);
+void	buffer_put_short(Buffer *, u_short);
+
 u_int	buffer_get_int(Buffer *);
 void    buffer_put_int(Buffer *, u_int);

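Review bot: the put prototype uses a tab after `void` while the neighbouring `void    buffer_put_int` line uses spaces; match whichever the file uses so the declarations align. The signatures (u_short return for the getter, u_short parameter for the putter) match the definitions in bufaux.c, and placing the pair immediately above buffer_get_int/buffer_put_int mirrors the order in the source file.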




More information about the openssh-unix-dev mailing list