[svlug] Fwd: [cert] SSH Authentication VULNERABILITY (RedHat)

Bryan -TheBS- Smith thebs at theseus.com
Mon May 15 09:42:04 PDT 2000

Fwd: [cert] SSH Authentication VULNERABILITY (RedHat)

Sorry for the cross-posting, but this just came down LEAPLIST here
in Orlando.

This is exactly why I use non-US OpenSSH!!!   I assume this is
SSH-only RPMs.  I have them (downloaded from ftp.redhat.de), but
they are not in use.

Instead, I use OpenSSH.  It is set to use IDEA by default, as is
Tera Term SSH (a Windows client).  Furthermore, I either compile it
without any DES, or get it with the full RSA (from ftp.redhat.de)
as RSARef has holes previously exploited.

Either that, or always compile SSH from source.


----------  Forwarded Message:  ----------
Subject: [LeapList] FW: [cert] SSH Authentication Vulnerability (RedHat)
Date: Mon, 15 May 2000 09:25:16 -0700
From: "Coyle, Brian" <Brian.Coyle at disney.com>

For those of you who use Red Hat's SSH packages...

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ at SECURITYFOCUS.COM]On Behalf Of
Ignacio Kadel-Garcia
Sent: Thursday, May 11, 2000 5:41 AM
Subject: Re: [cert] SSH Authentication Vulnerability

On Wed, 10 May 2000, John P. McNeely wrote:

> Date: Wed, 10 May 2000 18:15:22 -0400
> From: John P. McNeely <jmcneely at SSES.NET>
> Subject: [cert] SSH Authentication Vulnerability
> Sword & Shield Enterprise Security, Inc. - Security Advisory
> www.sses.net, Copyright (c) 2000
> Advisory:       Secure Shell Authentication Vulnerability
> Release Date:   May 10, 2000
> Application:    sshd
> Severity:       High - A user (local or remote) can log into any account
>                 with a valid login shell.
> Status:         Affected systems should install alternative version.
> Archive:        The advisory sses-002-auth-vul.txt
>                 is available at ftp://ftp.sses.net/pub/security/advisories

GACK! This is scary.

> -----------
> The vulnerable ssh distribution is patched with defective logic
> related to PAM authentication. The offending code from the patch
> file ssh-1.2.27-pam.patch is:
>         +#ifdef HAVE_PAM
>         +  {
>         +     retval = origretval;
>         +     pampasswd = xstrdup(password);
>         +     if (retval == PAM_SUCCESS)
>         +        retval = pam_authenticate ((pam_handle_t *)pamh, 0);
>         +     if (retval == PAM_SUCCESS || retval == PAM_AUTH_ERR)
>         +        retval = pam_acct_mgmt ((pam_handle_t *)pamh, 0);
>         +     xfree(pampasswd);
>         +  }
>         +#else /* HAVE_PAM */
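Review bot: the defect is the second `if` on the line `+     if (retval == PAM_SUCCESS || retval == PAM_AUTH_ERR)`: a `PAM_AUTH_ERR` returned by `pam_authenticate()` still satisfies the condition, so `pam_acct_mgmt()` runs and its return value overwrites `retval`, discarding the failed authentication. Account management normally succeeds for any account with a valid shell, so the caller ends up with `PAM_SUCCESS` regardless of the password. The condition should be `if (retval == PAM_SUCCESS)` only, so that any non-success result from `pam_authenticate()` is preserved and returned.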
> Note the last 'if' statement - in essence whether the pam_authenticate()
> call is successful or not, the pam_acct_mgmt() call is made overwriting
> the contents of retval. Assuming the pam_acct_mgmt() call is
> successful, and it tends to be, then the remaining patch code dealing
> with PAM authentication opens a session with:

In plainer English, it should read (and does read, in other ssh SRPMs):

           +#ifdef HAVE_PAM
           +  {
           +     retval = origretval;
           +     pampasswd = xstrdup(password);
           +     if (retval == PAM_SUCCESS)
           +        retval = pam_authenticate ((pam_handle_t *)pamh, 0);
           +     if (retval == PAM_SUCCESS)
           +        retval = pam_acct_mgmt ((pam_handle_t *)pamh, 0);
           +     xfree(pampasswd);
           +  }
           +#else /* HAVE_PAM */
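Review bot: the cleartext password copy made by `+     pampasswd = xstrdup(password);` is released by `+     xfree(pampasswd);` without being cleared first, so the password lingers in freed heap memory; overwrite the buffer (for example with `memset` over its `strlen`) before the `xfree` call. The authentication condition itself is now correct: with `+     if (retval == PAM_SUCCESS)` alone, a `PAM_AUTH_ERR` from `pam_authenticate()` survives as the final `retval` instead of being replaced by the `pam_acct_mgmt()` result.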

This problem does not exist in the very nice Riggs distribution available

I can recommend it: it's got a very useful patch for logging the tags
from the incoming SSH keys for easier logging of who the midnight root
user was on a shared system, and it's got a nice interactive session
performance patch for X-windows and terminal sessions (involving
TCPNODELAY settings).

I'm very concerned about how and when this modified
ssh-1.2.27-pam.patch was introduced into the ssh SRPM's. Just how far back
did it appear in SSH distributions for RedHat?

Nico Kadel-Garcia		(snipped phone numbers)

 Bryan "TheBS" Smith -- Engineer, IT Professional and Hacker
      E-mail:  mailto:thebs at theseus.com,b.j.smith at ieee.org
  Disclaimer:  http://www.SmithConcepts.com/legal.html
  TheBS ... Serving E-mail filters to /dev/null since 1989
