[svlug] Fwd: [cert] SSH Authentication VULNERABILITY (RedHat)

Bryan -TheBS- Smith thebs at theseus.com
Mon May 15 09:42:04 PDT 2000


Fwd: [cert] SSH Authentication VULNERABILITY (RedHat)

Sorry for the cross-posting, but this just came down LEAPLIST here
in Orlando.

This is exactly why I use non-US OpenSSH!!!   I assume this is
SSH-only RPMs.  I have them (downloaded from ftp.redhat.de), but
they are not in use.

Instead, I use OpenSSH.  It is set to use IDEA by default, as is
Tera Term SSH (a Windows client).  Furthermore, I either compile it
without any DES, or get it with the full RSA (from ftp.redhat.de)
as RSARef has holes previously exploited.

Either that, or always compile SSH from source.

   CERT FOLLOWS ...

----------  Forwarded Message:  ----------
Subject: [LeapList] FW: [cert] SSH Authentication Vulnerability (RedHat)
Date: Mon, 15 May 2000 09:25:16 -0700
From: "Coyle, Brian" <Brian.Coyle at disney.com>

For those of you who use Red Hat's SSH packages...

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ at SECURITYFOCUS.COM]On Behalf Of
Ignacio Kadel-Garcia
Sent: Thursday, May 11, 2000 5:41 AM
To: BUGTRAQ at SECURITYFOCUS.COM
Subject: Re: [cert] SSH Authentication Vulnerability

On Wed, 10 May 2000, John P. McNeely wrote:

> Date: Wed, 10 May 2000 18:15:22 -0400
> From: John P. McNeely <jmcneely at SSES.NET>
> To: BUGTRAQ at SECURITYFOCUS.COM
> Subject: [cert] SSH Authentication Vulnerability
>
> Sword & Shield Enterprise Security, Inc. - Security Advisory
> www.sses.net, Copyright (c) 2000
>
> Advisory:       Secure Shell Authentication Vulnerability
> Release Date:   May 10, 2000
> Application:    sshd
> Severity:       High - A user (local or remote) can log into any account
>                 with a valid login shell.
> Status:         Affected systems should install alternative version.
> Archive:        The advisory sses-002-auth-vul.txt
>                 is available at ftp://ftp.sses.net/pub/security/advisories

GACK! This is scary.

> DESCRIPTION
> -----------
> The vulnerable ssh distribution is patched with defective logic
> related to PAM authentication. The offending code from the patch
> file ssh-1.2.27-pam.patch is:
>
>         +#ifdef HAVE_PAM
>         +  {
>         +     retval = origretval;
>         +     pampasswd = xstrdup(password);
>         +     if (retval == PAM_SUCCESS)
>         +        retval = pam_authenticate ((pam_handle_t *)pamh, 0);
>         +     if (retval == PAM_SUCCESS || retval == PAM_AUTH_ERR)
>         +        retval = pam_acct_mgmt ((pam_handle_t *)pamh, 0);
>         +     xfree(pampasswd);
>         +  }
>         +#else /* HAVE_PAM */
>
> Note the last 'if' statement - in essence whether the pam_authenticate()
> call is successful or not, the pam_acct_mgmt() call is made overwriting
> the contents of retval. Assuming the pam_acct_mgmt() call is
> successful, and it tends to be, then the remaining patch code dealing
> with PAM authentication opens a session with:

In plainer English, it should read and reads in other ssh SRPM
distributions:

           +#ifdef HAVE_PAM
           +  {
           +     retval = origretval;
           +     pampasswd = xstrdup(password);
           +     if (retval == PAM_SUCCESS)
           +        retval = pam_authenticate ((pam_handle_t *)pamh, 0);
           +     if (retval == PAM_SUCCESS)
           +        retval = pam_acct_mgmt ((pam_handle_t *)pamh, 0);
           +     xfree(pampasswd);
           +  }
           +#else /* HAVE_PAM */

This problem does not exist in the very nice Riggs distribution available
at:

ftp://ftp.linuxppc.org/contrib/sources/Applications/Internet/ssh-1.2.27-7a_i
_riggs.src.rpm

ftp://ftp.linuxppc.org/contrib/sources/Applications/Internet/ssh-1.2.27-7a_u
s_riggs.src.rpm

I can recommend it: it's got a very useful patch for logging the tags
from the incoming SSH keys for easier logging of who the midnight root
user was on a shared system, and it's got a nice interactive session
performance patch for X-windows and terminal sessions (involving
TCPNODELAY settings).

I'm very concerned about how and when this modified
ssh-1.2.27-pam.patch was introduced into the ssh SRPM's. Just how far back
did it appear in SSH distributions for RedHat?

Nico Kadel-Garcia		(snipped phonenumbers)


-- 
 Bryan "TheBS" Smith -- Engineer, IT Professional and Hacker
      E-mail:  mailto:thebs at theseus.com,b.j.smith at ieee.org
  Disclaimer:  http://www.SmithConcepts.com/legal.html
*************************************************************
  TheBS ... Serving E-mail filters to /dev/null since 1989
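As an added illustration (not part of the original thread or of any ssh package), the control flow of the two patch fragments quoted above, side by side, with pam_authenticate() and pam_acct_mgmt() replaced by constructed stubs and demo return-code constants so it runs without libpam. The stub results are inputs, so you can see that the faulty `||` turns a failed authentication into success exactly when account management succeeds, and that the corrected test does not.

```c
#include <stdio.h>

/* Demo stand-ins for PAM return codes; not from <security/pam_appl.h>. */
enum { DEMO_PAM_SUCCESS = 0, DEMO_PAM_AUTH_ERR = 7, DEMO_PAM_ACCT_EXPIRED = 13 };

/* Constructed stubs: each simply returns the outcome the caller chose,
 * standing in for the real libpam calls so the patch logic can be
 * exercised offline. */
static int stub_pam_authenticate(int outcome) { return outcome; }
static int stub_pam_acct_mgmt(int outcome) { return outcome; }

/* Control flow of the vulnerable ssh-1.2.27-pam.patch block.
 * auth_result: what pam_authenticate() would return for the password.
 * acct_result: what pam_acct_mgmt() would return for the account. */
int retval_vulnerable(int origretval, int auth_result, int acct_result) {
    int retval = origretval;
    if (retval == DEMO_PAM_SUCCESS)
        retval = stub_pam_authenticate(auth_result);
    /* Bug: PAM_AUTH_ERR also falls through to acct_mgmt, whose
     * result overwrites retval, discarding the authentication failure. */
    if (retval == DEMO_PAM_SUCCESS || retval == DEMO_PAM_AUTH_ERR)
        retval = stub_pam_acct_mgmt(acct_result);
    return retval;
}

/* Control flow of the corrected block quoted in the reply. */
int retval_fixed(int origretval, int auth_result, int acct_result) {
    int retval = origretval;
    if (retval == DEMO_PAM_SUCCESS)
        retval = stub_pam_authenticate(auth_result);
    /* Only a successful authentication proceeds to account management. */
    if (retval == DEMO_PAM_SUCCESS)
        retval = stub_pam_acct_mgmt(acct_result);
    return retval;
}

int main(void) {
    /* Wrong password (AUTH_ERR) against an unexpired account. */
    printf("vulnerable: wrong password -> %d (0 means login allowed)\n",
           retval_vulnerable(DEMO_PAM_SUCCESS, DEMO_PAM_AUTH_ERR, DEMO_PAM_SUCCESS));
    printf("fixed:      wrong password -> %d\n",
           retval_fixed(DEMO_PAM_SUCCESS, DEMO_PAM_AUTH_ERR, DEMO_PAM_SUCCESS));
    /* The bug only helps when acct_mgmt succeeds; an expired account still fails. */
    printf("vulnerable: wrong password, expired account -> %d\n",
           retval_vulnerable(DEMO_PAM_SUCCESS, DEMO_PAM_AUTH_ERR, DEMO_PAM_ACCT_EXPIRED));
    return 0;
}
```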