OpenSSH Security Advisory (adv.token)

Todd Herr therr at rr.com
Tue Apr 23 01:37:37 EST 2002


Another reason to upgrade from OpenSSH 2.9.9; I'm not sure if we're
compiled with these features, but...

On Sat, 20 Apr 2002, at 23:39, Niels Provos wrote:

> A buffer overflow exists in OpenSSH's sshd if sshd has been compiled
> with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing
> has been enabled in the sshd_config file.  Ticket and token passing
> is not enabled by default.
>
> 1. Systems affected:
>
>         All Versions of OpenSSH compiled with AFS/Kerberos support
>         and ticket/token passing enabled contain a buffer overflow.
>
>         Ticket/Token passing is disabled by default and available
>         only in protocol version 1.
>
> 2. Impact:
>
>         Remote users may gain privileged access for OpenSSH < 2.9.9
>
>         Local users may gain privileged access for OpenSSH < 3.3
>
>         No privileged access is possible for OpenSSH with
> 	UsePrivsep enabled.
>
> 3. Solution:
>
> 	Apply the following patch and replace radix.c with
> 	http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/radix.c?rev=1.18
>
> 4. Credits:
>
> 	kurt at seifried.org for notifying the OpenSSH team.
> 	http://mantra.freeweb.hu/
>
> Appendix:
>
> Index: bufaux.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/bufaux.c,v
> retrieving revision 1.24
> diff -u -r1.24 bufaux.c
> --- bufaux.c	26 Mar 2002 15:23:40 -0000	1.24
> +++ bufaux.c	19 Apr 2002 12:55:29 -0000
> @@ -137,10 +137,18 @@
>  	BN_bin2bn(bin, len, value);
>  	xfree(bin);
>  }
> -
>  /*
> - * Returns an integer from the buffer (4 bytes, msb first).
> + * Returns integers from the buffer (msb first).
>   */
> +
> +u_short
> +buffer_get_short(Buffer *buffer)
> +{
> +	u_char buf[2];
> +	buffer_get(buffer, (char *) buf, 2);
> +	return GET_16BIT(buf);
> +}
> +
>  u_int
>  buffer_get_int(Buffer *buffer)
>  {
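Review bot: the blank-line shuffle at the top of this hunk detaches the comment from the function it documents: the `-` line removes the blank between `}` and `/*`, and the added blank after `*/` now separates `Returns integers from the buffer (msb first).` from `buffer_get_short`. Keep the blank before `/*` and drop the one added after `*/`. Separately, buffer_get_short performs no length check of its own, so its safety on attacker-supplied packets rests entirely on buffer_get() failing hard when fewer than 2 bytes remain; that behaviour is outside this hunk and worth confirming (and stating in the comment), as is the visibility of GET_16BIT in this translation unit.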
> @@ -158,8 +166,16 @@
>  }
>
>  /*
> - * Stores an integer in the buffer in 4 bytes, msb first.
> + * Stores integers in the buffer, msb first.
>   */
> +void
> +buffer_put_short(Buffer *buffer, u_short value)
> +{
> +	char buf[2];
> +	PUT_16BIT(buf, value);
> +	buffer_append(buffer, buf, 2);
> +}
> +
>  void
>  buffer_put_int(Buffer *buffer, u_int value)
>  {
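Review bot: buffer_put_short declares `char buf[2]` while its counterpart buffer_get_short uses `u_char buf[2]`; use u_char in both so the byte buffer handed to PUT_16BIT and buffer_append has the same type on each side and no sign-extension question arises if the macro is ever rewritten without casts. The u_short parameter already bounds the value to 16 bits, so no range check is needed here.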
> Index: bufaux.h
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/bufaux.h,v
> retrieving revision 1.17
> diff -u -r1.17 bufaux.h
> --- bufaux.h	18 Mar 2002 17:25:29 -0000	1.17
> +++ bufaux.h	19 Apr 2002 12:55:56 -0000
> @@ -23,6 +23,9 @@
>  void	buffer_get_bignum(Buffer *, BIGNUM *);
>  void	buffer_get_bignum2(Buffer *, BIGNUM *);
>
> +u_short	buffer_get_short(Buffer *);
> +void	buffer_put_short(Buffer *, u_short);
> +
>  u_int	buffer_get_int(Buffer *);
>  void    buffer_put_int(Buffer *, u_int);
>
>
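Review bot: these prototypes are the only reference to buffer_get_short/buffer_put_short in the patch; no hunk shown here calls them, because the caller is the radix.c revision 1.18 that section 3 of the advisory says to fetch separately. Applying only the three hunks above therefore compiles but leaves the overflow in place. Include the radix.c change in the same diff, or at least state in the patch header that bufaux.[ch] and radix.c must be updated together. Minor: the new lines use a tab after the type while the existing `void    buffer_put_int` line uses spaces; match whichever the file uses.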

-- 
Todd Herr                                                 therr at rr.com
Systems Administrator, Road Runner                        703.345.2447
The above message includes the opinions and thoughts of the author and
       does not necessarily represent the views of his employer.
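As an added check for the question Todd raises (is this host exposed?), here is a small sshd_config classifier. It is example code, not part of the advisory, of OpenSSH, or of the original post. It assumes the keyword names the advisory quotes (KerberosTgtPassing, AFSTokenPassing) plus Protocol and UsePrivilegeSeparation, that sshd honours the first occurrence of a keyword and ignores '#' comments, that Protocol defaults to "2,1" when unset, and that both passing options default to "no". It cannot tell whether sshd was built with AFS/Kerberos support; that must be confirmed separately from the build options or the binary. The three configs it reads are constructed samples written by the script itself.

```shell
#!/bin/sh
# Added example, not code from the advisory or from OpenSSH: classify an
# sshd_config for exposure to the Kerberos/AFS ticket- and token-passing
# overflow. Assumed semantics: keyword names as the advisory quotes them
# (KerberosTgtPassing, AFSTokenPassing) plus Protocol and UsePrivilegeSeparation;
# sshd honours the first occurrence of a keyword and skips '#' comments;
# Protocol defaults to "2,1" when unset; both passing options default to "no".
# Whether this sshd was *built* with AFS/Kerberos support is not visible in
# the config and must be confirmed separately.

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# cfg_get FILE KEYWORD: print the first value set for KEYWORD (case-insensitive,
# "Keyword value" or "Keyword=value"); print nothing if it is never set.
cfg_get() {
    awk -v want="$(lc "$2")" '
        /^[ \t]*(#|$)/ { next }                     # comments and blank lines
        { line = $0; sub(/^[ \t]+/, "", line); gsub(/=/, " ", line)
          n = split(line, f, /[ \t]+/)
          if (n >= 2 && tolower(f[1]) == want) { print f[2]; exit } }
    ' "$1"
}

# token_passing_exposure FILE: print one word describing the configuration.
#   not-exposed      neither passing option is on, or protocol 1 is not offered
#   exposed          a passing option is on and protocol 1 is offered
#   exposed-privsep  as above, but privilege separation is on; per the advisory
#                    the overflow then yields no privileged access
token_passing_exposure() {
    tpe_cfg="$1"
    tpe_tgt=$(lc "$(cfg_get "$tpe_cfg" KerberosTgtPassing)")
    tpe_afs=$(lc "$(cfg_get "$tpe_cfg" AFSTokenPassing)")
    tpe_proto=$(cfg_get "$tpe_cfg" Protocol)
    tpe_privsep=$(lc "$(cfg_get "$tpe_cfg" UsePrivilegeSeparation)")
    [ -n "$tpe_proto" ] || tpe_proto="2,1"          # assumed default of this era

    tpe_passing=no
    [ "$tpe_tgt" = yes ] && tpe_passing=yes
    [ "$tpe_afs" = yes ] && tpe_passing=yes

    tpe_proto1=no                                   # is "1" in the Protocol list?
    case ",$tpe_proto," in *,1,*) tpe_proto1=yes ;; esac

    if [ "$tpe_passing" = yes ] && [ "$tpe_proto1" = yes ]; then
        if [ "$tpe_privsep" = yes ]; then echo exposed-privsep; else echo exposed; fi
    else
        echo not-exposed
    fi
}

# make_samples DIR: write three constructed sshd_config fragments (not real
# configs from any host) into DIR for the demonstration below.
make_samples() {
    cat > "$1/vuln.conf" <<'EOF'
# constructed sample: token passing on, Protocol unset (assumed 2,1), no privsep
# the second KerberosTgtPassing line is ignored: first occurrence wins
Port 22
KerberosTgtPassing yes
AFSTokenPassing no
KerberosTgtPassing no
EOF
    cat > "$1/proto2.conf" <<'EOF'
# constructed sample: passing on, but protocol 1 is not offered
Protocol 2
afstokenpassing=yes
EOF
    cat > "$1/privsep.conf" <<'EOF'
# constructed sample: passing on, protocol 2,1, privilege separation on
Protocol 2,1
AFSTokenPassing yes
UsePrivilegeSeparation yes
EOF
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in vuln proto2 privsep; do
    printf '%-13s %s\n' "$f.conf" "$(token_passing_exposure "$demo_dir/$f.conf")"
done
rm -rf "$demo_dir"
```

Run it against the real file with `token_passing_exposure /etc/ssh/sshd_config` (or wherever your sshd reads its config; `sshd -f` overrides the path). "not-exposed" means the vulnerable code path is not reachable through the configuration even if it was compiled in; "exposed" still requires AFS/Kerberos support in the build, which this script does not verify.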

More information about the openssh-unix-dev mailing list