zlib compression, the exploit, and OpenSSH

ewheeler at kaico.com ewheeler at kaico.com
Thu Mar 14 09:17:39 EST 2002


Damien --

I should have tagged this on my previous email, but oops!

> > 2.  What are the logistics of moving all non-critical external library
> > calls (zlib in this case, but others if they exist) *after*
> > authentication?
> 
> Not easy, what's "non-critical"?

Well, zlib could be considered "non-critical" before authentication --
The amount of data passed during authentication is small and need not be
compressed (IMO).  I am not familiar enough with OpenSSH's code to know if
there are other superfluous calls, and none of the debug output gives a
hint to something which could wait until after auth.

As I understand the SSH protocol, enabling zlib compression
(SSH_CMSG_REQUEST_COMPRESSION) /could/ be done after authentication if the
code to handle SSH_CMSG_REQUEST_COMPRESSION was implemented in the body of
the ssh protocol rather than only during prep.  If this breaks RFC, it
could be an option in sshd_config and ssh_config so other ssh
implementations can still work with it if necessary.


--Eric

On Thu, 14 Mar 2002, Damien Miller wrote:

> On Wed, 13 Mar 2002, ewheeler at kaico.com wrote:
> 
> >   Attached is a zlib advisory and a debug dump of ssh with compression
> > enabled.  Most of the debug is superfluous, so I have underlined the two
> > points to look at.  When creating an ssh connection, compression on the
> > line is done *before* authentication -- This means an unauthorized
> > attacker could, conceivably, leverage root access by connecting to
> > the ssh server requesting zlib compression and sending a specially tailored
> > packet.  The CERT advisory for zlib's bug is also attached.
> > 
> >   I would like to start a discussion on the following points:
> > 
> > 1.  What is the exposure to this bug?
> 
> The vulnerability can be triggered, but whether this can be leveraged
> into an exploit remains to be seen.
> 
> 
> > 3.  Does OpenSSH statically link (or can it/does it by default) to the
> > zlib library -- will updating the zlib library to 1.1.4 take care of the
> > situation?
> 
> Depends on the system.
> 
> > 4.  Are there any proactive measures besides moving non-critical library
> > calls after authentication which could be done within the OpenSSH code?
> 
> Work is underway to improve things:
> 
> http://www.citi.umich.edu/u/provos/ssh/privsep.html
> 
> -d
> 
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> 

-- 

Eric Wheeler
Network Administrator
KAICO
20417 SW 70th Ave.
Tualatin, OR 97062
www.kaico.com
Voice: 503.692.5268
