OpenSSH Local Root Hole

maelstrom writes: "Looks like someone's found a local root exploit for OpenSSH versions between 2.0 and 3.0.2. Seems as though its a one-off error, there is no public exploit, but there is sure to be one shortly. They aren't ruling out remote exploit. Recommending patching and upgrading ASAP."

Correction: off-by-one

[MarkusQ]

Seems as though its a one-off error

One-off: Something done intentionally but with no intention of repeating; a custom product, sample, or prototype.

Off-by-one error: An error in enumeration, such as starting or ending a count at the wrong value (e.g. 0 vs. 1), counting the starting/ending value in a cycle twice or not at all (e.g. in counting a group of people which includes yourself), counting delimiters as opposed to the items delimited (e.g. the "fence post" problem), or any analogous error.

These are rather different! When I read the abstract my first thought was "how can they determine that?"

-- MarkusQ

I can't wait for djbssh

[Russ+Nelson]

I can't wait for the Daniel J. Bernstein version of ssh.
-russ

Re:I can't wait for djbssh

you mean the one that requires you to set up 3 accounts for the client, 3 accounts for the server, and comes with its own inetd replacement?

Re:Full disclosure = annoying.

[Sarin]

Nah they don't.;) But I'm working on exploit code as we speak.

Please stop writing network apps in C!

[Tom7]

This kind of bug would NOT BE EXPLOITABLE if sshd was written in a modern safe language.

If the canonical secure software from the canonical secure software people has bugs like this, I don't see how anyone can argue that it's possible to write secure code in C. C makes it easy to make this kind of bug, and the bugs are often exploitable.

Check out my previous post and ensuing discussion on this http://slashdot.org/comments.pl?sid=24271&cid=2629 013 for more info. Synopsis: There are some reasons to use C for a project, but none apply to network daemons. As a proof of concept, I rewrote FTPD in my favorite modern language; the source went from 24,000 lines to 3000 (including support code, like PAM_MD5 password encryption), took me only a weekend to write, and is 100% buffer overflow / format string / heap corruption free.

I'm trying to raise awareness about this because I think it's a real obstacle to us having secure software.

Re:Please stop writing network apps in C!

[MartinG]

How did it cope with 18,000 simultaneous connections? Did you use mmap(), sendfile() and friends on linux to get the best performance possible? How did the xfer rates compare?

BTW, 24,000 lines is a hell of a lot. If you want to compare like for like, have a look at vsftpd by Chris Evans. It's written entirely in c. Have a read of the source - it's quite interesting how it has been done. I would be surprised if you could find a buffer overflow.

I actually do agree with your points mostly, but I would say "Don't use c for network apps unless you have a good reason to" and also "don't use c for network apps unless you _really_ know the hazards"

In some ways SSH is a special case anyway. It has all the intensive maths stuff to do for the session key generation etc. Not a good idea to code that in (eg.) perl imo.

BTW, out of interest, what is your "favorite modern language" ??

Re:Please stop writing network apps in C!

[coyul]

Did you even look at the patch?

--- channels_old.c Mon Mar 4 02:07:06 2002
+++ channels.c Mon Mar 4 02:07:16 2002
@@ -151,7 +151,7 @@
channel_lookup(int id)
{
Channel *c;
- if (id < 0 || id > channels_alloc) {
+ if (id < 0 || id >= channels_alloc) {
log("channel_lookup: %d: bad id", id);
return NULL;
}

You want to explain to me how any "modern safe language" is going to stop me from saying 'greater-than', when I really mean 'greater-than-or-equal-to'?

Re:Please stop writing network apps in C!

[abaptist]

If you look further down in the patch, it then references an array with offset 'id'. In a language like Java this would throw an ArrayIndexOutOfBounds exception, NOT read random memory and possibly cause a crash.

So in fact a stricter language would fix this problem.

Visual Basic

[wiredog]

Has all the features any Modern Programmer could want. And it has the Highly Secure .net framework built in. What more could you want?

Isn't this a bit dodgey?

[SomethingOrOther]

Errrrrm
Isn't it a bit dogey just grabbing and installing a binary (rpm) from an untrusted source (ie you) for security software like SSH ?

I'll get my source code from a reputable mirror and compile it myself thanks.

Performance of network software

[Tom7]

> I cry BS. Your previous post claimed that
> performance was not a reason and yet I don't
> believe you. Wake up and stop acting as the HW
> vendors lobbyist.

Actually, I am a "modern languages" lobbyist, not hardware. =) But that's because I study and believe in programming languages, not because I have some kind of financial interest.

I'd love to respond to your post but I don't know what your point is. I guess all I can do is reiterate my point on performance:

1. sshd, running on my machine for about 8 months, has accumulated a mere 2 minutes and 30 seconds of CPU time. Of course, sshd forks off a new process for each connection, but all of the ones on my machine (some of which are at least a week old) have used 0:00. If someone knows a way I can measure the actual time spent by the daemon, I'd like to hear it, but I assume for now that it is *very small*.

2. I can easily fill my 100Mbps connection without breaking 2% CPU usage. (In other words, sshd is bandwidth limited, not CPU limited.)

3. Most home / small business users do not have 100Mbps connections, and could care less about the difference between 2% or 5% CPU usage.

4. However, most home / small business users DO care about having to download patches when their C programs contain buffer overflows.

5. Modern languages are not actually much slower than C. (I estimate worst case 2x slower, typically more like 20% for SML, which is what I wrote my FTPD in.) Being easier to write in, they also give more opportunity for high-level optimizations.

Therefore, I conclude that for almost every user, security is a more important concern than speed, at least as far as network daemons go. How can you argue the opposite?

Re:*** Help on upgrading a remote server?

[Bluecoat93]

Known to work on Solaris, OpenBSD, and Linux. YMMV elsewhere, but it should work fine.

1) Use SSH to log into your server.

2) Install the new ssh version. Your old version is in memory, so replacing the binary won't have any adverse effect on your connection.

3) Run 'ps -ef | grep sshd' or 'ps auxw | grep sshd' (depending on your UNIX flavor)

4) find the sshd instance with a parent process ID of '1' -- this will be the actual daemon spawend by init. The other process will be the one spawned by sshd itself to handle your connection.

5) kill

6) the parent sshd process will terminate, but yours will stay running

7) start up the new sshd

8) from another workstation or window telnet to port 22 on your server and verify that the version number reflects the new version.

9) from another workstatino or window, ssh into your server to make sure you still have access.

10) close your original ssh session

I've used this exact process to upgrade many machines at remote locations. As long as you verify that the new sshd is running before you close your existing connection, you should have no problems.

Exploiting scenario

[pmf]

After analysis, I can say, that this vulnerability is 4 bytes heap overflow, VERY hard to exploit. Problably only Linux will be affected, because Doug Lea's malloc() depends on control structures located just after malloced buffer.

Re:OpenSSH site already updated?

[BlowCat]

Good thing that it's not a remote root exploit. Otherwise www.openbsd.org would now read:

Four days without a remote hole in the default install!

Not sure if OpenSSH is enabled by default though.