Slashdot Mirror

← Back to Stories (view on slashdot.org)

Vulnerability In SSH1

Posted by Hemos on from the no-good-for-any-one dept.

matt666 writes "Bindview released an advisory yesterday warning us that "[a]n integer-overflow problem is present in common code of recent ssh daemons, deattack.c, which was developed by CORE SDI to protect against cryptographic attacks on SSH protocol. [...] This effectively allows an attacker to overwrite arbitrary portions of memory". Practically all common versions of SSH1 are affected, except OpenSSH 2.3.0." A whole slew of people have written in regarding this - from the folks at SmoothWall advising of an update, to a bunch of people just saying "Oh No!". My understanding is that a fix is already in the works.

15 of 118 comments (clear)

  1. FreeBSD users: Have fun with this one. by Wakko+Warner · · Score: 3
    I'm running 3.4-STABLE (yeah, I know, everyone and their dog keeps telling me to upgrade, but it works), and I basically had to rewrite ssh to get the fucking thing to compile, as it wouldn't compile from source.

    Go to the ports directory, you say. That doesn't compile either. the SSH2 port doesn't compile either! Neither will OpenSSH (it warns about remote root exploits, really helpful), and the latest maintained official ssh1 version is 1.2.27.

    I expect to find a lot of rootable old FreeBSD boxes out there. :(

    - A.P.

    --
    * CmdrTaco is an idiot.

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  2. Re:Fix is VERY simple by BlueLines · · Score: 3

    Not true. There were two seperate vulnerabilites announced yesterday. The first just involves changing the static word16 to a static word32, but the second attack involved connecting many times to determine a session key. With the session key (and a sniffed session), one could decrypt the entire ssh session. Here's the patch for this on (for ssh-1.2.31 and below):

    --- rsaglue.c 1999/12/10 23:27:25 1.8
    +++ rsaglue.c 2001/02/03 09:42:05
    @@ -264,7 +268,15 @@
    mpz_clear(&aux);

    if (value[0] != 0 || value[1] != 2)
    - fatal("Bad result from rsa_private_decrypt");
    + {
    + static time_t last_kill_time = 0;
    + if (time(NULL) - last_kill_time > 60 && getppid() != 1)
    + {
    + last_kill_time = time(NULL);
    + kill(SIGALRM, getppid());
    + }
    + fatal("Bad result from rsa_private_decrypt");
    + }

    for (i = 2; i len && value[i]; i++)
    ;

    and here's the previously discussed patch:

    --- ssh-1.2.31/deattack.c-old Wed Feb 7 19:45:16 2001
    +++ ssh-1.2.31/deattack.c Wed Feb 7 19:54:11 2001
    @@ -79,7 +79,7 @@
    detect_attack(unsigned char *buf, word32 len, unsigned char *IV)
    {
    static word16 *h = (word16 *) NULL;
    - static word16 n = HASH_MINSIZE / HASH_ENTRYSIZE;
    + static word32 n = HASH_MINSIZE / HASH_ENTRYSIZE;
    register word32 i, j;
    word32 l;
    register unsigned char *c;

    Also, it should be pointed out that openssh-2.3.0 isn't supported on openBSD =2.6, so if you run an older openBSD, you either have to upgrade or switch to ssh.com's ssh....

    --
    --BlueLines "The cost of living hasn't affected it's popularity." -anonymous
  3. Re:Unsafe Languages by roca · · Score: 3

    You are wrong. The present exploit has everything to do with buffer overflows. In this case the "buffer" is a hash table; the exploit depends on writing data outside the bounds of the hash table, which would be caught by a safe language.

  4. You got it backwards... by CrayDrygu · · Score: 3
    I know, don't feed the trolls, but this one's just so obvious...

    1) This affects all common implementations, including the commercial one from SSH.com

    2) This doesn't affect OpenSSH 2.3.0, which is Open Source!

    Suck it.

    --

    --

    --
    "I personal[ly] think Unix is "superior" because on LSD it tastes like Blue." -- jbarnett

  5. OpenSSH rocks, once again by MicroBerto · · Score: 3
    This is from the link on bindview:
    ** Vulnerable: SSH 1.2.x (ssh.com) -- all recent releases F-SECURE SSH 1.3.x -- all recent releases OpenSSH prior to 2.3.0 (unless SSH protocol 1 support is disabled) OSSH 1.5.7 (by Bjoern Groenvall) and other ssh1/OpenSSH derived daemons

    ** Not vulnerable:

    SSH2 (ssh.com): all 2.x releases NOTE: SSH2 installations with SSH1 fallback support are vulnerable OpenSSH 2.3.0 (problem fixed) SSH1 releases prior to 1.2.24 (vulnerable to crc attacks) Cisco SSH (own implementation) LSH (SSH protocol 1 not supported)
    Now, are there any reasons NOT to be using OpenSSH? I've had 2.3.0+ for some time, and it seems to have a great track record!

    Mike Roberto
    - GAIM: MicroBerto
    --
    Berto
  6. Re:Fix is VERY simple by fatphil · · Score: 3

    Indeed you're right.
    I find it odd that commercial companies, like our F-Secure, have been to tight to buy a copy of ProLint and run it, or have willfully ignored the warning messages that it would produce.
    The 10 commandments of C programming still hold true...

    FatPhil


    -- Real Men Don't Use Porn. -- Morality In Media Billboards

    --
    Also FatPhil on SoylentNews, id 863
  7. I can just see it... by Karma+Sink · · Score: 3

    It's a race against the clock... All the Skript Kiddies who read /. settle in against all the sys admins... ready, set, go! Which one's easier to find, the patch, ot the 'Sploit? Hurry, hurry!!!

    --

    When encryption is outlawed, ?o'AZ-,++o+i++##4AoA+-/-C++bI+/.+~
  8. SSH isn't enough by BEHiker57W · · Score: 3
    Sure OpenSSH will protect you when you log into your *nix box. But what happens when you go to get your POP mail from your ISP? You send out your password in plaintext and then your mail is completely vulnerable. Does anyone make a mail server that encrypts with common clients?

    -Brian

  9. Fix is VERY simple by Ruzty · · Score: 4

    You need to change a single variable declaration in one function and re-make. This is difficult to abuse and simple to correct.

    Refer to the article for the patch/change.
    -Rusty

    --
    The Master (Angelo Rossitto) in Mad Max Beyond Thunderdome, "Not shit, energy!"
  10. Re:switch to openSSH by mkettler · · Score: 5
    I had similar troubles trying to compile OpenSSH on my linux box. Then I discovered they have a separate "portable" distribution for non OpenBSD boxes. I picked the portable one, ./cofigure; make; make install, done.

    The "standard" tarball linked under "getting source" on the OpenSSH page is for OpenBSD and does not have a configure script, just a installer.

    If you download OpenSSH for a non OpenBSD box, make sure you pick the portable version. (under operating systems click on your operating system, or go to: http://www.openssh.com/portable.html).

    --
    -Matt
  11. Re:Software vulnerabilities by Multiple+Sanchez · · Score: 5

    Script kiddie this, script kiddie that. I'm sick of it. I pay my taxes, I'm balding, I'm in serious debt to MasterCard... I'm a script adult.

  12. switch to openSSH by Saint+Nobody · · Score: 5

    there were arguments to switch to openssh before, but never one that was this practical in nature.

    the only downside of openssh that i've seen was that it was a pain to figure out which compile-time options i needed. make sure you know exactly how your passwords are stored on your box. once i had that figured out, i liked it better than i ever liked the commercial SSH.

    --
    #define F(x) int main(){printf(#x,10,#x);}
    F(#define F(x) int main(){printf(#x,10,#x);}%cF(%s))
  13. All this wouldn't have happened... by SpanishInquisition · · Score: 5
    ...if we still used telnet.

    --
    Je t'aime Stéphanie
  14. Debian Users... by Xibby · · Score: 5

    Debian 2.2 OpenSSH package has allready been fixed. As usual, they have backported the fix to the version of ssh in stable (v1.2.3).

    Make sure you have the Debian security sources in /etc/apt/sources.list, then apt-get update && apt-get upgrade.

    deb http://security.debian.org/ stable/updates main contrib non-free deb-src http://security.debian.org/ stable/updates main contrib non-free

    /usr/share/doc/ssh/changelog.Debian.gz
    openssh (1:1.2.3-9.2) stable; urgency=high
    * Non-maintainer upload by Security Team
    * Added backported fix for a buffer overflow (thanks to Piotr Roszatycki)
    * Added modified build dependencies from unstable for convenience
    * Added patch that fixes an rsa key exchange problem made public by CORE SDI.

    -- Martin Schulze Thu, 8 Feb 2001 22:15:04 +0100

    --
    I'm going to go back in my box and will think within the limits of my box: MS Sucks Linux Good I read too much Slashdot.
  15. Re:Here's the patch and how to apply it by Wills · · Score: 5

    What is it with caching contents of a POST method -- netscape picked up its cached version of my previous post...

    Last correction: patch < deattack.c.patch using the following text copied into deattack.c.patch

    --- deattack.c Wed May 12 12:19:25 1999
    +++ deattack.c.orig Fri Feb 9 20:00:21 2001
    @@ -79,7 +79,7 @@
    detect_attack(unsigned char *buf, word32 len, unsigned char *IV)
    {
    static word16 *h = (word16 *) NULL;
    - static word16 n = HASH_MINSIZE / HASH_ENTRYSIZE;
    + static word32 n = HASH_MINSIZE / HASH_ENTRYSIZE;
    register word32 i, j;
    word32 l;
    register unsigned char *c;

    --
    Scroogle