[UNIX] OpenSSH IP Restriction Bypass (adv.option, Patch Available)

From: support@securiteam.com
To: list@securiteam.com
Subject: [UNIX] OpenSSH IP Restriction Bypass (adv.option, Patch Available)
Message-Id: <20010927174051.E76AD138BF@mail.der-keiler.de>
Date: Thu, 27 Sep 2001 19:40:51 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  OpenSSH IP Restriction Bypass (adv.option, Patch Available)
------------------------------------------------------------------------

SUMMARY

Depending on the order of the user keys in ~/.ssh/authorized_keys2, sshd
may fail to apply the source-IP access control restriction (e.g.
from="10.0.0.1") to the correct key. If a source-IP-restricted key (e.g. a
DSA key) is immediately followed by a key of a different type (e.g. an RSA
key), the key options of the second key, including 'from=', are applied to
both keys.
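The option carry-over described above, as an added model written for this page and not OpenSSH's own code: a simplified reconstruction of key_read() and of the per-line scan over authorized_keys2, with the type-mismatch return value passed as a parameter so the pre-patch (0) and patched (-1) behaviour can be compared on a constructed two-line key file. The loop shape, the from= handling and the key material are assumptions and simplifications (no quoting, no other options, no real key blobs).

```c
#include <stdio.h>
#include <string.h>

/* key_read()'s result for "is a key, but different type": 0 before the patch, -1 after. */
#define MISMATCH_PRE_PATCH 0
#define MISMATCH_PATCHED (-1)
typedef struct { char type[8]; char blob[32]; } Key;
/* Constructed authorized_keys2: a from=-restricted DSA key followed by an RSA key. */
const char *const SAMPLE_KEYS[] = { "from=10.0.0.1 ssh-dss DSAKEY", "ssh-rsa RSAKEY" };

/* Model of key_read(): parse "<type> <blob>" at *cpp into ret only if the type
   matches ret->type. Returns 1 ok, -1 error, mismatch_rc on a type mismatch. */
static int key_read(Key *ret, const char **cpp, int mismatch_rc) {
    char type[8], blob[32];
    int n = 0;
    if (sscanf(*cpp, "%7s %31s%n", type, blob, &n) != 2) return -1;
    if (strcmp(type, "ssh-rsa") != 0 && strcmp(type, "ssh-dss") != 0) return -1;
    if (strcmp(type, ret->type) != 0) return mismatch_rc; /* ret left untouched */
    strcpy(ret->blob, blob);
    *cpp += n;
    return 1;
}

/* Only the from= option is modelled; NULL options means no restriction. */
static int from_ok(const char *options, const char *src_ip) {
    if (options == NULL || strncmp(options, "from=", 5) != 0) return 1;
    size_t n = strcspn(options + 5, " ");
    return strlen(src_ip) == n && strncmp(options + 5, src_ip, n) == 0;
}

/* Model of the line scan in user_key_allowed(): 1 if the client key (type,
   blob) presented from src_ip is accepted, 0 otherwise. */
int user_key_allowed(const char *const *lines, int nlines, const char *type,
                     const char *blob, const char *src_ip, int mismatch_rc) {
    Key found = { "", "" };
    strcpy(found.type, type);               /* found = key_new(key->type) */
    for (int i = 0; i < nlines; i++) {
        const char *cp = lines[i], *options = NULL;
        if (key_read(&found, &cp, mismatch_rc) == -1) {
            options = cp;                   /* leading token is the option list */
            while (*cp && *cp != ' ') cp++; /* skip it (quoting not modelled) */
            while (*cp == ' ') cp++;
            if (key_read(&found, &cp, mismatch_rc) == -1) continue;
        }
        /* With mismatch_rc == 0 a mismatched line reaches this check with the
           previous line's key still in `found` and options == NULL. */
        if (strcmp(found.blob, blob) == 0 && from_ok(options, src_ip)) return 1;
    }
    return 0;
}
```

With the pre-patch value the restricted DSA key is accepted from any address once the RSA line is reached; with the patched value the RSA line is skipped and the from= check on the DSA line is the only one that counts.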

DETAILS

Vulnerable systems:
Versions of OpenSSH between 2.5.x and 2.9.x using the 'from=' key file
option in combination with both RSA and DSA keys in
~/.ssh/authorized_keys2.

Immune systems:
OpenSSH version 2.9.9

Impact:
Users can circumvent the system policy and login from disallowed source IP
addresses.

Solution:
Apply the following patch.

Index: key.c
 ===================================================================
RCS file: /cvs/src/usr.bin/ssh/key.c,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -p -IRCSID -r1.31 -r1.32
--- key.c 2001/09/17 20:50:22 1.31
+++ key.c 2001/09/19 13:23:29 1.32
@@ -358,7 +358,7 @@ write_bignum(FILE *f, BIGNUM *num)
  return 1;
 }
 
-/* returns 1 ok, -1 error, 0 type mismatch */
+/* returns 1 ok, -1 error */
 int
 key_read(Key *ret, char **cpp)
 {
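Review bot: the new comment on key_read() drops the documented 0 result, but this diff changes only the one `return 0` in the type-mismatch branch and the rest of the function body is not shown; confirm that no other `return 0` remains in key_read(), otherwise `/* returns 1 ok, -1 error */` overstates the contract and a caller testing `== -1` would again fall through on a 0.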
@@ -413,7 +413,7 @@ key_read(Key *ret, char **cpp)
  } else if (ret->type != type) {
  /* is a key, but different type */
  debug3("key_read: type mismatch");
- return 0;
+ return -1;
  }
  len = 2*strlen(cp);
  blob = xmalloc(len);
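Review bot: changing `return 0;` to `return -1;` in the `ret->type != type` branch makes a key line of another type indistinguishable from a parse error to callers, which is the intent of the fix (the advisory attributes the from= bypass to this case not being treated as an error), but `debug3("key_read: type mismatch");` now labels a case that is rejected outright; consider wording the message so that a log reader of a mixed RSA/DSA authorized_keys2 does not take it for a benign skip, and add a regression test with a from=-restricted key immediately followed by a key of the other type.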

ADDITIONAL INFORMATION

The information has been provided by Markus Friedl <markus@openbsd.org>.
