[UNIX] OpenSSH Buffer Management Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 09/17/03
- Previous message: SecuriTeam: "[EXPL] Windows RPC DCOM Long Filename Heap Overflow Exploit (MS03-039)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 17 Sep 2003 13:51:15 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
OpenSSH Buffer Management Vulnerability
------------------------------------------------------------------------
SUMMARY
OpenSSH is a suite of network connectivity tools that can be used to
establish encrypted connections between systems on a network and can
provide interactive login sessions and port forwarding, among other
functions.
The OpenSSH team has announced a bug which affects the OpenSSH buffer
handling code. This bug has the potential of being remotely exploitable.
DETAILS
Versions affected:
All versions of OpenSSH's sshd prior to 3.7.1 contain buffer management
errors. It is uncertain whether these errors are potentially exploitable,
however, we prefer to see bugs fixed proactively.
Other implementations sharing common origin may also have these issues.
Solution:
Upgrade to OpenSSH 3.7.1 or apply the following patch.
Appendix A: patch for OpenSSH 3.6.1 and earlier
Index: buffer.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
retrieving revision 1.16
retrieving revision 1.18
diff -u -r1.16 -r1.18
--- buffer.c 26 Jun 2002 08:54:18 -0000 1.16
+++ buffer.c 16 Sep 2003 21:02:39 -0000 1.18
@@ -23,8 +23,11 @@
void
buffer_init(Buffer *buffer)
{
- buffer->alloc = 4096;
- buffer->buf = xmalloc(buffer->alloc);
+ const u_int len = 4096;
+
+ buffer->alloc = 0;
+ buffer->buf = xmalloc(len);
+ buffer->alloc = len;
buffer->offset = 0;
buffer->end = 0;
}
@@ -34,8 +37,10 @@
void
buffer_free(Buffer *buffer)
{
- memset(buffer->buf, 0, buffer->alloc);
- xfree(buffer->buf);
+ if (buffer->alloc > 0) {
+ memset(buffer->buf, 0, buffer->alloc);
+ xfree(buffer->buf);
+ }
}
/*
@@ -69,6 +74,7 @@
void *
buffer_append_space(Buffer *buffer, u_int len)
{
+ u_int newlen;
void *p;
if (len > 0x100000)
@@ -98,11 +104,13 @@
goto restart;
}
/* Increase the size of the buffer and retry. */
- buffer->alloc += len + 32768;
- if (buffer->alloc > 0xa00000)
+
+ newlen = buffer->alloc + len + 32768;
+ if (newlen > 0xa00000)
fatal("buffer_append_space: alloc %u not supported",
- buffer->alloc);
- buffer->buf = xrealloc(buffer->buf, buffer->alloc);
+ newlen);
+ buffer->buf = xrealloc(buffer->buf, newlen);
+ buffer->alloc = newlen;
goto restart;
/* NOTREACHED */
}
Index: channels.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/channels.c,v
retrieving revision 1.194
retrieving revision 1.195
diff -u -r1.194 -r1.195
--- channels.c 29 Aug 2003 10:04:36 -0000 1.194
+++ channels.c 16 Sep 2003 21:02:40 -0000 1.195
@@ -228,12 +228,13 @@
if (found == -1) {
/* There are no free slots. Take last+1 slot and expand the array.
*/
found = channels_alloc;
- channels_alloc += 10;
if (channels_alloc > 10000)
fatal("channel_new: internal error: channels_alloc %d "
"too big.", channels_alloc);
+ channels = xrealloc(channels,
+ (channels_alloc + 10) * sizeof(Channel *));
+ channels_alloc += 10;
debug2("channel: expanding %d", channels_alloc);
- channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
for (i = found; i < channels_alloc; i++)
channels[i] = NULL;
}
===================================================================
Appendix B: patch for OpenSSH 3.7
Index: buffer.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- buffer.c 16 Sep 2003 03:03:47 -0000 1.17
+++ buffer.c 16 Sep 2003 21:02:39 -0000 1.18
@@ -23,8 +23,11 @@
void
buffer_init(Buffer *buffer)
{
- buffer->alloc = 4096;
- buffer->buf = xmalloc(buffer->alloc);
+ const u_int len = 4096;
+
+ buffer->alloc = 0;
+ buffer->buf = xmalloc(len);
+ buffer->alloc = len;
buffer->offset = 0;
buffer->end = 0;
}
@@ -34,8 +37,10 @@
void
buffer_free(Buffer *buffer)
{
- memset(buffer->buf, 0, buffer->alloc);
- xfree(buffer->buf);
+ if (buffer->alloc > 0) {
+ memset(buffer->buf, 0, buffer->alloc);
+ xfree(buffer->buf);
+ }
}
/*
Index: channels.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/channels.c,v
retrieving revision 1.194
retrieving revision 1.195
diff -u -r1.194 -r1.195
--- channels.c 29 Aug 2003 10:04:36 -0000 1.194
+++ channels.c 16 Sep 2003 21:02:40 -0000 1.195
@@ -228,12 +228,13 @@
if (found == -1) {
/* There are no free slots. Take last+1 slot and expand the array.
*/
found = channels_alloc;
- channels_alloc += 10;
if (channels_alloc > 10000)
fatal("channel_new: internal error: channels_alloc %d "
"too big.", channels_alloc);
+ channels = xrealloc(channels,
+ (channels_alloc + 10) * sizeof(Channel *));
+ channels_alloc += 10;
debug2("channel: expanding %d", channels_alloc);
- channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
for (i = found; i < channels_alloc; i++)
channels[i] = NULL;
}
ADDITIONAL INFORMATION
The original advisory can be downloaded from:
<http://www.openssh.com/txt/buffer.adv>
http://www.openssh.com/txt/buffer.adv.
The information has been provided by OpenSSH.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[EXPL] Windows RPC DCOM Long Filename Heap Overflow Exploit (MS03-039)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- RE: OpenSSH Security Advisory: buffer.adv
... Subject: OpenSSH Security Advisory: buffer.adv ... patch for OpenSSH
3.6.1 and earlier ... >retrieving revision 1.16 ... (SSH) - [alambert@quickfire.org: Heads up -- potential problems in 3.7, too? [Fwd: OpenSSH Security Advisory
... patch for OpenSSH 3.6.1 and earlier ... retrieving revision 1.16 ...
diff -u -r1.194 -r1.195 ... (FreeBSD-Security) - Re: OpenSSH Security Advisory: buffer.adv
... patch for OpenSSH 3.6.1 and earlier ... >retrieving revision
1.16 ... (SSH) - OpenSSH Security Advisory: buffer.adv
... patch for OpenSSH 3.6.1 and earlier ... retrieving revision 1.16 ...
diff -u -r1.194 -r1.195 ... (SSH) - [UNIX] Squirrelmail compose.php Variable Overwriting
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Squirrelmail compose.php
Variable Overwriting ... retrieving revision 1.34.2.11 ... diff -u -r1.319.2.68
compose.php ... (Securiteam)
