OpenSSH Security Advisory - local root exploit

Tuesday, 23 April 2002, 2:32 AM EST

A buffer overflow exists in OpenSSH's sshd if sshd has been compiled
with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing
has been enabled in the sshd_config file. Ticket and token passing
is not enabled by default.

1. Systems affected:

All Versions of OpenSSH compiled with AFS/Kerberos support and ticket/token passing enabled contain a buffer overflow.

Ticket/Token passing is disabled by default and available only in protocol version 1.

2. Impact:

Remote users may gain privileged access for OpenSSH < 2.9.9

Local users may gain privileged access for OpenSSH < 3.3

No privileged access is possible for OpenSSH with sePrivsep enabled.

3. Solution:

Apply the following patch and replace radix.c with
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/radix.c?rev=1.18

4. Credits:

kurt@seifried.org for notifying the OpenSSH team.
http://mantra.freeweb.hu/

Appendix:

Index: bufaux.c
==================================
RCS file: /cvs/src/usr.bin/ssh/bufaux.c,v
retrieving revision 1.24
diff -u -r1.24 bufaux.c
--- bufaux.c 26 Mar 2002 15:23:40 -0000 1.24
+++ bufaux.c 19 Apr 2002 12:55:29 -0000
@@ -137,10 +137,18 @@
BN_bin2bn(bin, len, value);
xfree(bin);
}
-
/*
- * Returns an integer from the buffer (4 bytes, msb first).
+ * Returns integers from the buffer (msb first).
*/
+
+u_short
+buffer_get_short(Buffer *buffer)
+{
+ u_char buf[2];
+ buffer_get(buffer, (char *) buf, 2);
+ return GET_16BIT(buf);
+}
+
u_int
buffer_get_int(Buffer *buffer)
{
@@ -158,8 +166,16 @@
}

/*
- * Stores an integer in the buffer in 4 bytes, msb first.
+ * Stores integers in the buffer, msb first.
*/
+void
+buffer_put_short(Buffer *buffer, u_short value)
+{
+ char buf[2];
+ PUT_16BIT(buf, value);
+ buffer_append(buffer, buf, 2);
+}
+
void
buffer_put_int(Buffer *buffer, u_int value)
{
Index: bufaux.h
==================================
RCS file: /cvs/src/usr.bin/ssh/bufaux.h,v
retrieving revision 1.17
diff -u -r1.17 bufaux.h
--- bufaux.h 18 Mar 2002 17:25:29 -0000 1.17
+++ bufaux.h 19 Apr 2002 12:55:56 -0000
@@ -23,6 +23,9 @@
void buffer_get_bignum(Buffer *, BIGNUM *);
void buffer_get_bignum2(Buffer *, BIGNUM *);

+u_short buffer_get_short(Buffer *);
+void buffer_put_short(Buffer *, u_short);
+
u_int buffer_get_int(Buffer *);
void buffer_put_int(Buffer *, u_int);

[ Read more ]




Spotlight

Whitepaper: Zero Trust approach to network security

Posted on 20 November 2014.  |  Zero Trust is an alternative security model that addresses the shortcomings of failing perimeter-centric strategies by removing the assumption of trust.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Nov 21st
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //