zlib compression, the exploit, and OpenSSH
ewheeler at kaico.com
Thu Mar 14 09:11:29 EST 2002
Damien --
Do you know when the changes listed at
http://www.citi.umich.edu/u/provos/ssh/privsep.html will be merged into
the OpenSSH tree, or if they ever will (or, I suppose, already have
been)? I have not looked yet, but is there documentation on setting up
privilege separation?
--Eric
On Thu, 14 Mar 2002, Damien Miller wrote:
> On Wed, 13 Mar 2002, ewheeler at kaico.com wrote:
>
> > Attached is a zlib advisory and a debug dump of ssh with compression
> > enabled. Most of the debug is superfluous, so I have underlined the two
> > points to look at. When creating an ssh connection, compression on the
> > line is done *before* authentication -- This means an unauthorized
> > attacker could, conceivably, leverage root access by connecting to
> > the ssh server requesting zlib compression and sending a specially tailored
> > packet. The CERT advisory for zlib's bug is also attached.
> >
> > I would like to start a discussion on the following points:
> >
> > 1. What is the exposure to this bug?
>
> The vulnerability can be triggered, but whether this can be leveraged
> into an exploit remains to be seen.
>
> > 2. What are the logistics of moving all non-critical external library
> > calls (zlib in this case, but others if they exist) *after*
> > authentication?
>
> Not easy, what's "non-critical"?
>
> > 3. Does OpenSSH statically link (or can it/does it by default) to the
> > zlib library -- will updating the zlib library to 1.1.4 take care of the
> > situation?
>
> Depends on the system.
>
> > 4. Are there any proactive measures besides moving non-critical library
> > calls after authentication which could be done within the OpenSSH code?
>
> Work is underway to improve things:
>
> http://www.citi.umich.edu/u/provos/ssh/privsep.html
>
> -d
>
--
Eric Wheeler
Network Administrator
KAICO
20417 SW 70th Ave.
Tualatin, OR 97062
www.kaico.com
Voice: 503.692.5268