
Archive: June 2002, ml@sikurezza.org
Subject: Fw: Alert A-02006C: Vulnerability in OpenSSH
From: Fausto Pasqualetti
Date: 28 Jun 2002 15:47:31 -0000
I can't give an opinion on this one... I'm missing a few elements, and I don't know
how hard it is to write the exploit;
usually exploits for OpenSSH are very hard to find and
write. In any case the advisory must be taken into account
with the utmost attention. Does anyone have more information?
See you soon
Fausto
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> ******************************************************************
>
> Alert ID: A-02006C
>
> Creation date: Wed Jun 26 19:56:17 CEST 2002
>
> Title: Vulnerability in OpenSSH
>
> Severity: high
>
> ******************************************************************
>
> A bug has been found in OpenSSH that makes all versions between 2.9.9
> and 3.3 vulnerable, and a new version immune to this problem has just
> been released.
>
> The problem can be fixed by upgrading to version 3.4p1, available at
> ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz
> (a list of mirror sites is also available at http://www.openssh.org), or
> by changing the configuration in sshd_config according to the following
> instructions (cf. the OpenSSH advisory):
>
> Disable ChallengeResponseAuthentication
>
> or
>
> Enable UsePrivilegeSeparation
>
> More information can be found at the URLs:
> http://www.openssh.org/txt/preauth.adv
> http://www.openssh.org/txt/iss.adv
>
>
> Appendix
>
> GARR-CERT Home Page: http://www.cert.garr.it
>
> - --
> ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° ° °
> ° Massimo Ianigro ..................... °
> ° CNR - IC Istituto di Cristallografia : tel. +39 080 5442220 °
> ° c/o Dipartimento Geomineralogico,Campus Uni. : fax: +39 080 5442591 °
> ° Via Orabona, 4 ................................. °
> ° 70125 BARI - I : email: massimo.ianigro@ic.cnr.it °
> °°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE9GgVWiddTNPkaZLURAhEeAKDeGtONrbW9bg/Ajc06joo2ieNEHwCg1pHI
> OEVDhCXoenqCJ5+tVf4oMhE=
> =vwFo
> -----END PGP SIGNATURE-----
>
>
> Subject: Revised OpenSSH Security Advisory (adv.iss)
>
> This is the 2nd revision of the Advisory.
>
> 1. Versions affected:
>
> Several versions of OpenSSH's sshd between 2.3.1 and 3.3
> contain an input validation error that can result in an
> integer overflow and privilege escalation.
>
> All versions between 2.3.1 and 3.3 contain a bug in the
> PAMAuthenticationViaKbdInt code.
>
> All versions between 2.9.9 and 3.3 contain a bug in the
> ChallengeResponseAuthentication code.
>
> OpenSSH 3.4 and later are not affected.
>
> OpenSSH 3.2 and later prevent privilege escalation if
> UsePrivilegeSeparation is enabled in sshd_config. OpenSSH
> 3.3 enables UsePrivilegeSeparation by default.
>
> Although some earlier versions are not affected upgrading
> to OpenSSH 3.4 is recommended, because OpenSSH 3.4 adds
> checks for a class of potential bugs.
>
> 2. Impact:
>
> This bug can be exploited remotely if ChallengeResponseAuthentication
> is enabled in sshd_config.
>
> Affected are at least systems supporting s/key over
> SSH protocol version 2 (OpenBSD, FreeBSD and NetBSD
> as well as other systems supporting s/key with SSH).
> Exploitability of systems using PAMAuthenticationViaKbdInt
> has not been verified.
>
> 3. Short-Term Solution:
>
> Disable ChallengeResponseAuthentication in sshd_config.
>
> and
>
> Disable PAMAuthenticationViaKbdInt in sshd_config.
>
> Alternatively you can prevent privilege escalation
> if you enable UsePrivilegeSeparation in sshd_config.
>
> 4. Solution:
>
> Upgrade to OpenSSH 3.4 or apply the following patches.
>
> 5. Credits:
>
> ISS.
>
> Appendix:
>
> A:
>
> Index: auth2-chall.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v
> retrieving revision 1.18
> diff -u -r1.18 auth2-chall.c
> --- auth2-chall.c 19 Jun 2002 00:27:55 -0000 1.18
> +++ auth2-chall.c 26 Jun 2002 09:37:03 -0000
> @@ -256,6 +256,8 @@
>
> authctxt->postponed = 0; /* reset */
> nresp = packet_get_int();
> + if (nresp > 100)
> + fatal("input_userauth_info_response: nresp too big %u", nresp);
> if (nresp > 0) {
> response = xmalloc(nresp * sizeof(char*));
> for (i = 0; i < nresp; i++)
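Review bot: the new `if (nresp > 100)` check sits before `response = xmalloc(nresp * sizeof(char*));`, so a large client-chosen `nresp` can no longer wrap that multiplication or drive the following loop past the allocation; the limit itself is a bare literal, though, and the same `100` is repeated in the auth2-pam.c hunk, so a single named constant with a comment on why 100 is the bound would keep the two files in step. The `%u` in the fatal() message also commits `nresp` to being unsigned, which is worth confirming against its declaration in this function, since a signed `nresp` would make the `> 100` comparison miss negative values.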
>
> B:
>
> Index: auth2-pam.c
> ===================================================================
> RCS file: /var/cvs/openssh/auth2-pam.c,v
> retrieving revision 1.12
> diff -u -r1.12 auth2-pam.c
> --- auth2-pam.c 22 Jan 2002 12:43:13 -0000 1.12
> +++ auth2-pam.c 26 Jun 2002 10:12:31 -0000
> @@ -140,6 +140,15 @@
> nresp = packet_get_int(); /* Number of responses. */
> debug("got %d responses", nresp);
>
> +
> + if (nresp != context_pam2.num_expected)
> + fatal("%s: Received incorrect number of responses "
> + "(expected %u, received %u)", __func__, nresp,
> + context_pam2.num_expected);
> +
> + if (nresp > 100)
> + fatal("%s: too many replies", __func__);
> +
> for (i = 0; i < nresp; i++) {
> int j = context_pam2.prompts[i];
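Review bot: the arguments to the first fatal() are swapped relative to its format string: `"(expected %u, received %u)"` is passed `nresp, context_pam2.num_expected`, so the log line will report the received count as the expected one and vice versa; the call should read `__func__, context_pam2.num_expected, nresp`. Once `nresp` must equal `context_pam2.num_expected`, the following `nresp > 100` check can only fire if the server itself queued more than 100 prompts, which is fine as defence in depth but deserves a one-line comment saying so. The untouched `debug("got %d responses", nresp);` two lines above prints the same value with `%d` while the new fatal() uses `%u`; the two should agree on the type.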
>
>
> Synopsis:
>
> ISS X-Force has discovered a serious vulnerability in the default
> installation of OpenSSH on the OpenBSD operating system. OpenSSH is a
> free version of the SSH (Secure Shell) communications suite and is used
> as a secure replacement for protocols such as Telnet, Rlogin, Rsh, and
> Ftp. OpenSSH employs end-to-end encryption (including all passwords) and
> is resistant to network monitoring, eavesdropping, and connection
> hijacking attacks. X-Force is aware of active exploit development for
> this vulnerability.
>
> Impact:
>
> OpenBSD, FreeBSD-Current, and other OpenSSH implementations may be
> vulnerable to a remote, superuser compromise.
>
> Affected Versions:
>
> OpenBSD 3.0
> OpenBSD 3.1
> FreeBSD-Current
> OpenSSH 3.0-3.2.3
>
> OpenSSH version 3.3 implements "privilege separation" which mitigates
> the risk of a superuser compromise. Prior to the release of this
> advisory, ISS and OpenBSD encouraged all OpenSSH users to upgrade to
> version 3.3. Versions of FreeBSD-Current built between March 18, 2002
> and June 23, 2002 are vulnerable to remote superuser compromise.
> Privilege separation was implemented in FreeBSD-Current on June 23,
> 2002.
>
> Note: OpenSSH is included in many operating system distributions,
> networking equipment, and security appliances. Refer to the following
> address for information about vendors that implement OpenSSH:
> http://www.openssh.com/users.html
>
> Description:
>
> A vulnerability exists within the "challenge-response" authentication
> mechanism in the OpenSSH daemon (sshd). This mechanism, part of the SSH2
> protocol, verifies a user's identity by generating a challenge and
> forcing the user to supply a number of responses. It is possible for a
> remote attacker to send a specially-crafted reply that triggers an
> overflow. This can result in a remote denial of service attack on the
> OpenSSH daemon or a complete remote compromise. The OpenSSH daemon runs
> with superuser privilege, so remote attackers can gain superuser access
> by exploiting this vulnerability.
>
> OpenSSH supports the SKEY and BSD_AUTH authentication options. These are
> compile-time options. At least one of these options must be enabled
> before the OpenSSH binaries are compiled for the vulnerable condition to
> be present. OpenBSD 3.0 and later is distributed with BSD_AUTH enabled.
> The SKEY and BSD_AUTH options are not enabled by default in many
> distributions. However, if these options are explicitly enabled, that
> build of OpenSSH may be vulnerable.
>
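As an added example (not part of the original mail, GARR-CERT's alert or OpenSSH's own code), the Python script below turns the advisory's section 3 mitigations and the checks its appendix patches add into something a defender can run offline. It audits a constructed sshd_config for the ChallengeResponseAuthentication, PAMAuthenticationViaKbdInt and UsePrivilegeSeparation settings against a given sshd version, classifying the host using the version ranges the advisory states, and it mirrors the two response-count checks from the patches while showing what an unchecked `nresp` does to the `nresp * sizeof(char*)` allocation size on a 32-bit build. The 3.x-era defaults for unset keywords, the 4-byte pointer size and the sample configuration are assumptions, labelled in the code.

```python
"""Defender-side checks for the 2002 OpenSSH challenge-response advisory.

Added example; not GARR-CERT's or the OpenSSH project's code. Two parts:
  1. audit_mitigations(): does an sshd_config apply the advisory's
     short-term mitigations for a given sshd version?
  2. validate_nresp() / request_size_32bit(): the response-count checks
     the advisory's patches add, and why an unchecked count is dangerous
     for nresp * sizeof(char *) on a 32-bit build.
"""
import re

MAX_RESPONSES = 100        # cap used by both patches in the advisory
SIZEOF_CHAR_PTR_32BIT = 4  # sizeof(char *) on a 32-bit build (assumption)
UINT32_MASK = 0xFFFFFFFF

# Constructed sample sshd_config; not taken from any real host.
SAMPLE_SSHD_CONFIG = """\
# constructed sample
Port 22
Protocol 2,1
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PAMAuthenticationViaKbdInt yes
#UsePrivilegeSeparation yes
"""


def parse_version(version):
    """'3.4p1' -> (3, 4, 0); '2.9.9' -> (2, 9, 9). Portable suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError("unrecognised OpenSSH version: %r" % version)
    return tuple(int(x) if x else 0 for x in m.groups())


def parse_sshd_config(text):
    """Map lowercase keyword -> lowercase value. sshd honours the first occurrence
    of a keyword, so later duplicates are ignored (no Match blocks in 2002-era sshd)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return opts


def audit_mitigations(config_text, version):
    """Classify a host against the advisory's sections 1 and 3.

    'status' is one of: 'not_affected', 'mitigated' (both keyboard-interactive
    paths disabled), 'privsep_only' (escalation blocked, bug still reachable)
    or 'vulnerable'. Defaults for unset keywords are assumptions about 3.x-era
    sshd: ChallengeResponseAuthentication yes, PAMAuthenticationViaKbdInt no,
    UsePrivilegeSeparation yes from 3.3 (as the advisory says) and no before.
    """
    v = parse_version(version)
    opts = parse_sshd_config(config_text)
    affected = (2, 3, 1) <= v < (3, 4, 0)          # advisory: 2.3.1 .. 3.3
    cr = opts.get("challengeresponseauthentication", "yes")
    pam = opts.get("pamauthenticationviakbdint", "no")
    privsep = opts.get("useprivilegeseparation", "yes" if v >= (3, 3, 0) else "no")
    privsep_effective = privsep == "yes" and v >= (3, 2, 0)  # option exists from 3.2

    if not affected:
        status = "not_affected"
    elif cr == "no" and pam == "no":
        status = "mitigated"
    elif privsep_effective:
        status = "privsep_only"
    else:
        status = "vulnerable"
    return {"version": v, "affected": affected, "challenge_response": cr,
            "pam_kbdint": pam, "privsep": privsep, "status": status}


def request_size_32bit(nresp):
    """Bytes xmalloc() would be asked for by nresp * sizeof(char *) on a 32-bit
    build, with C unsigned wrap-around applied: a huge client-chosen nresp can
    wrap to a tiny buffer while the loop that fills it still runs nresp times."""
    return (nresp * SIZEOF_CHAR_PTR_32BIT) & UINT32_MASK


def validate_nresp(nresp, num_expected):
    """The two checks the advisory's patches add before the response loop: the
    count must match the number of prompts the server sent and stay under a
    fixed cap. Returns True when the count is acceptable."""
    if nresp != num_expected:
        return False
    if nresp > MAX_RESPONSES:
        return False
    return True


if __name__ == "__main__":
    for ver in ("3.1p1", "3.2.3", "3.4p1"):
        print(ver, audit_mitigations(SAMPLE_SSHD_CONFIG, ver)["status"])
    print("0x40000001 responses -> %d-byte buffer on 32-bit" % request_size_32bit(0x40000001))
    print("validate_nresp(0x40000001, 1):", validate_nresp(0x40000001, 1))
```

Run as a script it prints the classification of the sample configuration for three versions. A `privsep_only` result is deliberately not reported as mitigated: the advisory says UsePrivilegeSeparation prevents privilege escalation, but the overflow in the unprivileged child is still reachable, so the daemon can still be crashed, which is why the upgrade to 3.4 remains the actual fix.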
________________________________________________________
http://www.sikurezza.org - Italian Security Mailing List
(c) 1999-2005