Remote Root Exploit In lsh

skookum writes "After last week's OpenSSH patch-fest, a lot of people suggested GNU lsh as a replacement. Unfortunately, it seems that the lsh team has recently discovered a heap overflow bug of their own that can lead to compromise. An exploit was posted to BugTraq two days ago. Happy patching."

How thoughtful

[dtfinch]

Thanks for the link to the exploit code, I guess. We really needed that.

Re:How thoughtful

[mcpkaaos]

Think of it this way:

With the exploit patched, releasing the code for the exploit is one hell of a confident way to say, "Hey, we patched it." It also allows anyone to make sure that the machines they are responsible are, in fact, patched.

If you ask me, this beats the hell out of either admitting to an exploit and keeping the details hidden regardless of whether or not it's patched.. or just not squeaking any info about any exploit whatsoever.

Or.. think of it this way:

Maybe it's just a sure-fire way to light a fire under your ass to apply the necessary patch before someone figures out the exploit and turns your computer into another node in yet another attempt to DDoS microsoft.com.

Take yer pick, I guess. :)

Re:How thoughtful

[skookum]

Do you honestly think that the kind of people that would want to use such an exploit would actually learn about it from slashdot? Don't you think they'd know how to find the BugTraq archives themselves?

Do you honestly think that by pretending that an exploit doesn't exist you're any safer? Do you think you will patch your systems (and urge your supervisors to grant you the priority to patch those systems) faster knowing that an exploit is easily available? Do you not agree that it doesn't matter whether you feel good or bad about the situation, what matters is how fast and to what extent all vulnerable systems are patched? Do you not think that knowing of an exploit helps that goal?

Re:How thoughtful

A link to the exploit is a good thing (at least for sysadmins and developers that are actually paying attention!). Consider the OpenSSH bugs from last week where so many claims of "I tried the exploit against OpenBSD and it worked" (for instance). 'The exploit' in this case appears to have been a complete fiction. Some, like the FreeBSD team, don't believe it is even possible to come up with an exploit on thier OS-- the OpenBSD team more or less said they can't see how it could be exploited (and nobody external to the project has come forward with any suggestions).

One can only conclude the whole thing was over-blown and their are a few individuals that are anxious to see as much damage done to the OpenSSH developers reputation as possible (and aren't concerned how they do this). Thus many sysadmins ended up patching their systems in a mad rush twice in two days, when one patch applied with less urgency really would have been sufficient.

At least in this case, if the exploit has been coughed up, you know the problem is absolutely real, and not just FUD.

Re:How thoughtful

[AKnightCowboy]

People can know their system is patched by patching their system. They dont need to test the exploit on it.

Actually, yes, some of us need to. Part of our security policy is to test an exploit (if available) against the patched system to verify the system is not vulnerable. Blindly accepting that "yes, the magic version number has changed so I am safe" is not reasonable for many people. It's always best to disseminate exploits as fast and as far as possible to get people to patch their systems. Take for example the recent Windows RPC vulnerabilities. 75% of the people wouldn't have patched it this year if it hadn't have been for the Blaster worm.

Ha-Ha

I find it entertaining that the GNU zealot hippies suggest lsh as a replacement. That's like suggesting that the HURD is a replacement for the Linux kernel. Always trying to one-up the *BSD people by making something "more free", but never living up to the hype.

BTW, *who* uses lsh????

Re:Ha-Ha

[larry+bagina]

liar. NetBSD kernel (and probably open + free as well) can be built with gcc, lcc, icc, sun's cc, and hp's cc, among others.

The *BSD userland code is generally less compiler and architecture dependent than GNU or "linux" utilities. The instructions for any non-trivial GNU or linux utility usually start off by telling you to install GCC, gnu/make, gnu/flex, gnu/bison, etc before you can compile it. lots of "linux" software won't build or run properly on anything but linux/x86

Compare that to BSD code which is useable as-is almost anywhere (it's been used by Windows 95-xp, Solaris, Aix, HPUX, OpenVMS, MacOS 7-X, minix, ATT SYS V, XINU, Xenix, etc)

What is the point of lsh?

Does it exist solely because of the non-GNUness of other implementations?

What idiots.

Can someone explain to me why..

We have a GNU ordained version of the SSH protocols when OpenSSH is doing a fantastic job?

Even if you are going to argue the BSD vs. GPL license issue, the lsh devs could have just taken the OpenSSH code, made some slight changes, and re-released it under the GPL.

So again I ask: Why?

GPL?

[ashkar]

Why would anyone voluntarily use software liscenced under the GPL when there is a much better, more servicable, and well tested application that runs under a less restrictive liscence? With the speed OpenSSH was patched, what is there to complain about. I mean, people still use sendmail with its track record of security bugs galore. It's unlikely anyone will switch because of a single bug.

BSD, the way the world is supposed to be.

Telnet

[Henry+V+.009]

I was going to repeat "switch to Telnet joke" that I made last time, but I just can't get up will this time. These bugs are killing us. I seriously think that we need to take some time to consider how Open Source projects do security. The "more eyes" mantra doesn't cut it. We need security models, standards, testing, and god knows what else. We need to look at which projects have been successful, and which have been miserable security failures. I know the open source community can do a lot better.

Re:Telnet

[daeley]

While I would agree with you in the abstract that the open source community can do a lot better on some things, the bug was confirmed 2 days ago and patched immediately. Good software !== no bugs ever.

Re:Telnet

[ajs]

These bugs are not killing us. In fact, they're helping us to make our code stronger.

I'm so sick of the "there are bugs in it, let's switch" mentallity. There are bugs in every piece of software ever written. Why? Because human beings have a hard time specifying exactly what they want.

Sometimes those bugs are dangerous (as in buffer overflows), but if you look at your average piece of source code long enough -- source of ANY number of lines -- I bet you can find a bug in it.

So, we should all switch to the abacus? No, we should all make sure we spend time and money on the problem of finding bugs before the black-hats do. And that's why I buy software like Red Hat... because they actually spend some of that money on auditing for security, and I like the results (many bugs found and killed).

Re:Telnet

[TomV]

Why the hell not? Good bridges are the ones that don't fall down

That's not the same as saying that good bridges have no faults. Bridges are built with a large safety factor. A large amount of the steel wire in the Brooklyn Bridge cables is hideously substandard, slipped in there by a currupt subcontractor. But because the safety factors were in place, even though the cables are probably about 5/6 as strong as they were designed to be, because they were designed to be 4 times as strong as strictly necessary, the Brooklyn Bridge is still there today. They paid for a lot more steel than strictly necessary, but they were proved right to have done so.

The bridge is Verifiably Strong Enough, but it certainly isn't Fault-Free. It was a product of defensive engineering, and software containing the inevitable bugs can be made much safer by taking a defensive approach to programming. It's better not to have an out-of-bounds situation at all, but that's no reason not to do bounds-checking wherever an OOB might pose a hazard. Yes it costs money to code all those extra checks, but that's what engineers do in most other disciplines.

TomV

Re:Telnet

[zangdesign]

I think the idea here was that security should be considered at every step of the way, which is absolutely true. While the speed of fixing the bug is certainly commendable, it should not have been there in the first place as this is a fairly common mistake.

I can understand it from someone new to programming, but if it's going to be something that is touted as being secure, that should be the first consideration in every line of code. Especially if it's something that allows deep access into the system.

I realize that such an undertaking is herculean, but that is what we, as programmers, should shoot for every time.

Re:Telnet

[Bronster]

In addition, a fix was checked in within four hours. 14 hours later, exploit code was posted to SecurityFocus, in the afternoon. Any admin who checked the lsh mailing list in the morning would have seen the error and the fix, and been well ahead of the exploit.

#include <standard f&*(ing merkin who thinks the world is all merkia>

Re:Telnet

[zCyl]

It was a product of defensive engineering, and software containing the inevitable bugs can be made much safer by taking a defensive approach to programming. It's better not to have an out-of-bounds situation at all, but that's no reason not to do bounds-checking wherever an OOB might pose a hazard. Yes it costs money to code all those extra checks, but that's what engineers do in most other disciplines.

Exactly. And the only reason this is different with bridges is because people don't ACCEPT bridges falling, we consider it a tragedy, so we're willing to accept the amount of resource investment it takes to make the bridge stable with redundant defensive systems. And it's precisely this reason that we need to get rid of the attitude that having security holes in software is acceptable and unavoidable. (Thus, the above post not being a troll post.)

Materials have defects, so engineers got used to compensating for this with redundant systems, and the end result is a structure which is typically stable and fault tolerant. Programmers look at code as exact, so they think they should fix the problem by getting rid of the defects, but this makes the arrogant assumption that we're smart enough to spot every defect just by looking. This needs to be changed to the assumption that the best programmers will make mistakes and introduce defects, and therefore these defects should be compensated for defensively.

Re:Telnet

[groomed]

I consider bugs that can only cause a DoS much less bad than bugs which can cause the machine to be compromised.

Then the question becomes: how helpful is defense against stack smashing in preventing exploits, given that most exploits come about through social engineering or bugs at the application level (see VB macros, JavaScript holes)? Because the defense comes at a cost. You can argue that the cost is immaterial, that no cost is too high to prevent even the most innocent and trivial exploit.

That's a reasonable, principled argument, but not one I agree with. I take an economists view. If the estimated cost of an exploit is $25,000, but the cost of a thousand employees running slow, cumbersome software is $50 per employee per year, then the choice is clear. Especially since there is no guarantee that the slow, cumbersome software won't be subject to an exploit!

I'll even admit, shamefully, that I've personally written Java software where, due to a deadlock, a thread that should have been killed for security reasons was never notified of such and kept running. I don't blame Java for that. Maybe I'm just a bad programmer. But that's the whole point: the language's ability to provide application level security is limited. Conversely, also the degree to which a language can be held responsible for security breaches is limited.

What on earth do these two things have to do with Java's buffer overflow protection? If these things are hard to do in Java, that's because the APIs are badly designed, not because the language itself is secure.

Many of the Java security guarantees are derived by isolating programs from the underlying system. That is not a bad approach per se (it's pretty much the definition of an operating system kernel for example). But it does have its limitations. One of them being that you almost always end up with a lowest-common denominator design, through which the systems inherent capabilities cannot fully be excercised.

Still diversity is good.

[Coryoth]

Okay, there's a hole here, that's definitely bad. Still it would be nice if lsh could manage to gain some share of the ssh market. It has worried me for a while that OpenSSH has become the standard, which, unfortunately, creates a monoculture. A monoculture of ssh implementations is as vulnerable to massive infection as a monculture of windows boxes (okay, maybe windows has more holes, but its the massive part I'm concerned with).

If the market on ssh implementations was a little more split, it would be a little more difficult to write a worm that could wreak utter havoc. Repeat after me: Monoculture is bad.

Jedidiah.

Re:Still diversity is good.

[HermesHuang]

Still, I'm not about to choose one implementation over another simply to add diversity. I'm going to pick the one I think is the best. Perhaps the reasons I use are wrong, and I probably don't know all the facts. But I tend to trust OpenSSH more then the other implementations. So I'm going to use OpenSSH. Period. I choose what I do because I don't want to deal with a worm at all. Not because I want to set things up so that when I do get a worm, it's only me and half of the sshd servers out there, rather then all of them. I acknowledge that diversity is good, but it's never going factor into my decisions regarding my security software.

Re:Still diversity is good.

Funny thing is, Coryoth is probably using an x86 machine. If he truly practiced the diversity he preaches, he'd be using a different hardware architecture to avoid all the x86 specific buffer overflows and shellcode.

At any rate, diversifying software is a tradeoff. It may blunt the damage caused by worms, although millions of users divided by a handful of implementations is still a lot of machines. And the downside is that it also "diversifies" the code review. If you have 40 different projects instead of a single well-tested one, there's a much higher chance of bugs going undetected. So a traditional single target worm may not spread easily, but you have more vulnerable machines out there that could be hacked and used in DDOS attacks, etc.

Re:The standard conclusion

[GammaTau]

Nothing is 100% secure, nothing is flawless, all operating systems are imperfect pieces of junk [...]

Which is why software monoculture is bad. The existence of competing implementations is always a good thing whether it's OpenSSH vs. GNU lsh or something else. That way not everything is compromised in one swoop once a new security flaw is discovered.

After 20+ years of buffer overflow exploits...

[kcbrown]

...you'd think that developers would finally know how to write software that doesn't have such vulnerabilities.

But unfortunately we don't seem to have made that much progress, despite the reasonably large number of development tools we have that address such issues (including anything from memory debuggers to string libraries). I mean, really ... people are still writing these things in C ... in the 21st century! I'm a big fan of picking the right tool for the job, but I think it should be clear by now that C isn't the right tool for writing secure software. There are simply too many ways to screw up.

I think it's time we started writing system software (that is, software which provides services but which runs as a process under the OS) in a language which doesn't have these problems. And if a suitable language is unavailable, that argues strongly for creating that language.

You might still have to worry about buffer overflow exploits against the kernel, but that's a much more manageable problem.

Re:After 20+ years of buffer overflow exploits...

[Garen]

Took the words right out of my mouth. For large scale software that's this critical, we really need more safety guarantees to achieve adequate confidence that it's secure. That rules out C.

Re:After 20+ years of buffer overflow exploits...

[kcbrown]

I'll agree that C lends itself to these things, but its the standard for a number of reasons, and frankly, anything else will introduce the same types of problems.

There will always be security vulnerabilities in software, of course. But buffer overflows are a class of vulnerabilities that simply shouldn't exist. C is unsuitable for system software because there are far too many ways (both subtle and gross) to wind up with buffer overflow bugs. It's what happens when the language is designed to make direct memory access easy.

You have to remember that C wasn't created to make writing system software easy, it was created to make writing operating systems easy. For that you have to be able to manipulate memory directly, and C is very well suited to that mission.

System software has different needs. It needs to be able to send and receive data, to manipulate strings, and to store and retrieve information from files, and do so securely. You may still need to manipulate buffers but that's a far cry from needing to manipulate memory directly. System software is very different from operating systems, and calls for a different language.

Re:After 20+ years of buffer overflow exploits...

[vt0asta]

First things, first. C was meant to be a highly portable version of assembly. C successfully facilatated porting operating systems AND applications that used those operating systems.

People often think of C the wrong way, and that is often because languages considered "safe" borrow heavily from C syntax. If you have ever programmed in assembly/machine language, you know the programming bugs can do quite nasty and unexplained things (sometimes much worse than a buffer overflow). However, having coded in assembly one often becomes more rigorous with their coding, that same rigor is what is needed to carry over to C, and is what is lacking with some of the C coders of today.

Second, system software also often needs a low memory footprint. System developers often want to know where every little bit of memory went, and often find compiled code barely tolerable. Not everyone can afford the luxury of loading a perl, python, java, byte code interpretor du jour just to send and read data, manipulate strings, and do stuff with files.

System software is very different from operating systems, and calls for a different language.

Maybe you're right, problem is, many have tried almost all have failed to gain popularity for systems coding. Big problem for your argument and for developers who know, almost all of those different languages were first written in...drum roll...."C".

hubris is never safe

[Build6]

I remember reading the alert for the OpenSSH bug, where one of the options listed was to upgrade to lsh - not "change to", "try using", or anything of the sort, but "upgrade" - and I thought then that that demonstrated an unnecessarily... high-horse-y attitude. I'll bet they regret saying that now... . Humility really IS the best policy.

Ish instead of OpenSSH?

[coene]

Who would say such a thing? Are you high? Low blood pressure not getting enough of the red stuff to your brain?

You cannot beat the OpenBSD/OpenSSH coding standards, audit process, or documentation. Every software will have bugs, but replacing it with something more likely to have bugs, with a more restrictive license, less documentation, and next to no track record isnt a good idea just because it has "GNU" in it's name.

Re:I have to laugh

[cduffy]

looks don't mean jack or shit.

In code, looks mean quite a lot.

Cleaner, more readable code is easier to audit.
Cleaner, more readable code is easier to bugfix.
Cleaner, more readable code is easier to add features to.
Cleaner, more readable code is simply Good Stuff.

Smug.

[Alioth]

Serves those smug bastards right who were gloating the other day about how they use lsh and how it is so much better than OpenSSH. Hoist by their own petard, so it seems.

I _never_ gloat about running different software to $COMPROMISED_SW of the day. Just because I run exim, I don't think I'm magically more secure than a sendmail user. Exim users must keep up with the patches as well. Same goes for qmail. If you sit there smugly saying how superior your piece of software is, you're going to get bitten in the ass sooner or later, or at least end up looking very silly after all the gloating to find you're vulnerable too.

Dudes, doesn't matter what you run: don't gloat about it - be paranoid about the security of what you run, and keep up with the patches.

lsh Pre-dates OpenSSH

[divec]

Does it exist solely because of the non-GNUness of other implementations?

When lsh was started, OpenSSH didn't exist. The original SSH was free till version 1.2.12, but was then put under a more restrictive licence. The licence on ssh version 2 was more restrictive still (I think it wasn't even free-as-in-beer). lsh was intended to be a Free, Open-Source replacement to ssh.

Then the OpenBSD people took the old, free 1.2.12 version of ssh, fixed all the known bugs which had accumulated since that release and updated it with the new features in the SSH protocol. This is OpenSSH.

The quality of Theos work

[aliquis]

Thought this is rather old news I never thought that anyone else could do an ssh application better then the one the openbsd team could bring out. I'm confident that they do their best and look thru the code very carefully and still this kind of things happen.
I find it strange that there never seems to be an end of the openssh, apache, php, sendmail and mysql vulnerabilities. I suppose it's just damn hard to write secure code all the time. I blame the C language a little for this, should you really have to be this careful all the time? Do you really have to reinvent the wheel every single time?
Imho c is just something you should use because the application you are editing already uses it or the teacher has told you so. There are lots of better languages out there. Can't understand all the complains on java for example.
Does anyone have some suggestions about libraries, special functions, compiler mods and so on which make C programs a little more secure? Any suggestions of other languages which is available for different platforms but more secure and with less reinventing of the wheel all the time? The ones which come to my mind are as I said java and scripting languages like python, ruby and so on. But there got to be atleast one which isn't interpreted?
Suggestions are more than welcome.

Maybe the standard Winlot conclusion

[RoLi]

nothing is flawless

Nobody ever claimed it would be.

However I've personally experienced that many systems are more secure than others. Almost all security problems on Unix didn't affect me (like this, BTW. This is actually the first time I've ever heard about lsh) and often were hyped up. In the meantime I get tens of Windows-Virus-mails and attemted IIS infections per day.

The true conclusion:

Windows is like a 50 year old car without safety belts, Unix is like a modern Volvo with safety belts and airbags.

Neither car is "flawless" and you can die in the Volvo too.

Re:Maybe the standard Winlot conclusion

[Overly+Critical+Guy]

Nobody ever claimed it would be.

You do visit Slashdot, don't you? It is claimed all the time. The prevailing attitude and anecdotal evidence about how secure Linux is and how insecure and unstable Windows is runs through every discussion thread even remotely involving anything Microsoft. A large part of this site is just reactive hysteria to "Microsoft worms." Heck, whenever there's an X-Box article, you get the requisite hundreds of "jokes" about green screens of death.

You claim to get virus-mails, which usually require user intervention to spread. Then you mention IIS intrusions, despite the fact that Slashdot recently posted an article called "Linux Most Attacked Server?" which showed Linux was the most breached operating system on the net.

The true conclusion:

Windows is like a 50 year old car without safety belts, Unix is like a modern Volvo with safety belts and airbags.

No. The true conclusion is that your personal disdain for Microsoft products in an OS war doesn't matter in the end. All operating systems are insecure and vulnerable. They are equal.

The true heart of security lies in your system administrator. Period.

Re:The standard conclusion

[ScrewMaster]

I might add that this philosophy applies to organic systems as well, and for the same reason. A sufficient degree of diversity in any population, whether it be microbes, human beings, or operating systems, helps assure that no single pathogen can be totally destructive. Certainly, in this modern age of world-wide non-OS-specific internetworking protocols and data interchange formats, we should promote operating-system diversity as an additional level of safety.

I see many large corporations enforcing enterprise-wide standards. That is, everyone will run the same version of Windows, with the same applications software, same service packs, same anti-virus and firewall software ... which just means that when one machine does get compromised the entire organization is at risk. On the other hand, this situation is very convenient from the IT professional's point of view, so there is some argument for it. But I maintain that having a mix of operating systems, applications and protective software can provide more security than a more homogenous approach, and security is what we all want, right? Right?

Re:How to tell if you are a MS fanatic

[RdsArts]

OK hot shot, how can Linux have any exploits?

Answer? It can't. It's a kernel.

Oh sure, there are some cases where it can be exploited from "3rd party" programs, but that's because everything in your "Linux" OS is a 3rd party program.

Now, is OpenSSH in most GNU/Linux OSes? Yes.
Sendmail? Yes.
Apache? Yes.

So basically, your advice is to say "hey, we've got a rock solid system with Linux. Oh sure, it runs nothing but a kernel, but it runs it so well!"

Feh.

For the record, I'm also a BSD user. Just so you know which OS to claim I'm a zealot for.

How old is C now anyway?

[presidenteloco]

A language like Java, with a carefully designed JVM implementation, is not subject to buffer overflow/heap overflow exploits. Is it maybe time to rewrite all of the higher level OS apps in Java? Sure, keep a microkernel in some blazing fast C/assembly code if you must, but there's not reason something like SSH can't be written in Java (in fact it has been.) Why not all of the high-level Linux apps (i.e. the GNU stuff)? If you don't like Java's license, then do as MS did with C#, and clean-room rewrite Java under a GNU project first. I'd do it myself but I'm still trying to figure out how to make a living in this damn business.

Re:How to tell if you are a MS fanatic

[Bull999999]

I'll have to agree with you on that one, as it is possible to run Office on "Linux" and therefore, by their logic, it would also be a "Linux" flaw. However, it would be correct to call it a MS flaw.